To limit your school’s liability risk, you must protect students from a variety of safety threats. It’s important to not only be prepared for the obvious threats, but also for the emerging threats that could catch you off-guard. One of these more recent threats relates to the collection and management of student health information. To dig a little deeper into this topic, Magnus would like to provide answers to some of the most frequently asked questions regarding school liability and data security.

Q: What types of student health information are schools managing today?
Schools have to manage all medical information required for healthcare and treatment of students, concussions, enrollment, or attendance purposes. Immunization records, sports physicals, consent to dispense prescription or over the counter medication, consent to treat, action plans, and health history are just a few of the many types of health information that schools may be managing. Nearly all of this data is a part of  Personal Health Information (PHI), and as such, it presents a liability for a school if it is handled incorrectly.

Q: What is an example of how mismanagement of student health information has exposed a school to negative consequences?
Two real-live scenarios come to mind… In one case, a school took a folder of athlete health records to an “away” baseball game. When the game was over and the team was on the bus en route back to campus, they realized all of the personal student information in the folder had been left on the dugout bench… It was entirely by accident, but now that information was available to anyone who happened upon it, resulting in a data security breach.

Similarly, another school was very conscious of “going green” and were very active in recycling. Unfortunately, the nurse recycled health record forms, which were then used by some students to make paper airplanes… One of the airplanes hit an administrator and that’s when they realized the proper PHI security processes weren’t in place. In both cases, the schools encountered a data breach simply by making honest mistakes.

Q: What kind of liability risk is associated with the handling of student health information?
Magnus talks with schools about risks in four primary areas: regulatory compliance, data accuracy, data security, and emergency preparedness. Mishandling or improperly storing student health information can expose schools to legal penalties. And, in situations where students fall ill or get injured, mismanagement of student health data can be a barrier to providing adequate student care. When minutes matter, it is vital that schools have access to this information right at their fingertips without having to shuffle through piles of paper forms. Finally, privacy and security regulations (including GDPR) have become much more stringent requiring schools to manage Personal Health Information (PHI) securely.

Q: Let’s talk about regulatory compliance. What regulations do schools need to know about?
The two important ones to consider are FERPA, which regulates student education records, and HIPAA, the health care information privacy law. Most schools are aware of both regulations, but don’t always know how or if they apply to their school. These federal regulations aim to protect student information from unauthorized viewing or dissemination. In addition to federal regulations, there are state and district regulations on the management of student data as well. Failure to comply with these regulations opens schools up to significant penalties under the law.

Q: As more and more schools migrate from paper files to electronic databases, data privacy and accuracy become important concerns. What issues do school leaders need to address in these areas?
Various laws and regulations require parents to provide certain kinds of health information to schools, but sometimes parents submit incomplete or incorrect data. For example, the parent is required to show proof of three doses of a vaccine, but they only submit proof of two. Now, staff needs to confirm that the submitted information is accurate and complete, but you should not do this via insecure channels such as email. Also, federal regulations closely define who can access student data and for what purposes it can be used. School leaders need to know how to properly secure this data, provide access to only the people authorized to see it, and destroy it safely. Data privacy goes a step beyond that… Privacy includes logging every interaction with students’ the health information – so even those individuals who are authorized to view the records should be tracked, and an audit log should be created so that the information is protected beyond simple access.

Q: What emergency preparedness steps do schools need to take to mitigate their liability risk?
Vital health information absolutely must be accessible to people who need to provide emergency care to a student. A healthcare provider should not have to start from square one in order to treat a student – they should have immediate access to health records so they know what medications the child is taking or what allergies they may have.

Schools should define health record access policies in accordance with regulations, and ensure that the proper people have access to information and that the data can be shared with authorized personnel. And, test out the policies, know what works, what needs to be tweaked, and how the overall response can be improved. In addition, you need to be ready to deal with natural disasters that could wipe out a health center entirely, and other events that could cause technology disruptions. If data is properly backed up, these situations do not pose a threat to the integrity of the records, and parents can update information as needed.

Q: How difficult is it for schools to defend against these risks, and what can schools do to protect themselves?
The biggest thing here for schools is taking the step to ask the hard questions. Once schools are investigating where their vulnerabilities lie, they can get the appropriate processes in place. While creating new processes and testing them out can be time-consuming, once the hard work is done there, the rest can become relatively simple. A comprehensive system will address all four risks in one, so it’s not a matter of finding four answers to four problems – it’s a matter of finding one solution that can do everything.