HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

DoE Considers HIPAA Privacy Standards for FERPA to Close Rape Disclosure Loophole

On March 8, 2014, three players from the University of Oregon Ducks basketball team are alleged to have repeatedly gang raped a freshman student at the University. In December last year, the University director’s assistant was ordered to hand over the entire case file of the student to the university’s legal office.

The file contained confidential health information protected under the Family Educational Rights and Privacy Act (FERPA) which included counseling records for the student. Many privacy advocates and student bodies consider this to be a massive invasion of privacy, as no consent was obtained from the student prior to the disclosure of the records.

Record Disclosure Sparks Fierce Debate


The incident has sparked considerable debate. The disclosure has been investigated by both the Oregon State Bar and the Oregon Board of Psychologist Examiners, but under FERPA Rules, the disclosure of data – under the circumstances – was permissible.

The nature of the information disclosed is what is particularly worrying. It is hard enough to get victims of rape to come forward to report crimes and seek help. The fear of highly confidential information discussed in counseling sessions being disclosed to other parties without authorization is certain to result in many rapes going unreported.

The matter is so serious that the Chronicle of Higher Education published an article urging students not to visit University therapy centers. Katie Rose Guest Pryal said, “Don’t go to your college counseling center to seek therapy. Go to an off-site counseling center. If, God forbid, you’ve been sexually assaulted, try to find a rape-crisis center.”

The reason is that HIPAA and FERPA protections are not the same. University facilities are not regulated by the Health Insurance Portability and Accountability Act (HIPAA); they are regulated by FERPA. The two Acts have similarities, but HIPAA regulations are far stricter. In this case, HIPAA would prevent such information from being disclosed.

DoE Considering Issuing Guidance to Improve Privacy Protections


While many calls have been made for FERPA Rules to be tightened to improve privacy protections, the Department for Education has not formally spoken out about the matter. However, recently the DoE’s Chief Privacy Officer, Kathleen Styles, responded to a letter sent by Sen. Ron Wyden, D-Ore., requesting closure of the loophole in FERPA allowing alleged rape victims’ records to be disclosed without authorization.

The reply confirms that the matter has not escaped the DoE’s attention and is under consideration. The letter from Styles states that the matter is under discussion and the DoE believes student privacy is of paramount concern. Styles says that the DoE is considering issuing guidance to covered entities to better protect the privacy of students.

Styles Confirms FERPA Privacy Loopholes


She said, “We are concerned about the possibility that FERPA may offer fewer confidentiality protections than the HIPAA Privacy Rule in the limited instances where institutions choose to share treatment records with their attorneys in conjunction with litigation between the student and the institution.”

She points out, “FERPA’s exception to consent for disclosure to school officials more broadly permits an educational institution to disclose, without a court order, treatment records to in-house counsel in the context of litigation with the student provided the institution has determined that counsel has a legitimate educational interest in the records.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.