Reviewed January 2022
School districts and accredited nonpublic schools must ensure that any health information, and any district use of an electronic health record system, complies with the Family Educational Rights and Privacy Act (FERPA) and other relevant state and federal laws. All records created by a school nurse working under the auspices of the school are considered education records and are protected under FERPA. Questions school districts or school administration should ask when approached by vendors marketing electronic health record systems, or when using electronic educational record systems, include “Have we met the legal requirements for access to the data, security, confidentiality, and privacy?” and “Have we addressed the ethical use of school health and educational record data?”
Many of these questions can be answered by reviewing the “Terms and Conditions” in an agreement between the school and the vendor of the electronic health record system before signing the agreement to use software or cloud-based programs. Schools are encouraged to consult their legal counsel prior to executing these contracts to ensure they are not violating federal and state laws. For example, many schools use the Iowa Department of Public Health’s (IDPH) Immunization Registry Information System (IRIS) to access student immunization records to meet some of the legal requirements for students to enroll in school. IDPH has explicit laws and policies regarding the confidentiality and safety of its database and disclosure of IRIS data to a third party.
Questions to answer when reviewing the “terms and conditions” of any electronic health record system vendor agreement:
- Have you reviewed the contract with your district or school legal counsel?
- Who owns the data?
- Does the use of an electronic health record system violate preexisting contracts or agreements to access other state databases?
- Whose responsibility is it to obtain parent authorization to share student education records to meet FERPA compliance?
- Is the data secure?
- Is there a statement prohibiting a vendor from mining or exploiting data for direct advertising to parents or students or for using the data for improper or illegal purposes?
- Is there a statement prohibiting a vendor from sharing information with a subcontractor without the authorization of “the user” (meaning the school or district)?
- How much control does your district have over the data once it is released to the vendor?
- Does the system claim to be FERPA compliant or HIPAA compliant, and if so, how does the vendor explain that compliance?
School nurses should work directly with their legal counsel, school administration and technology team if approached by vendors to use electronic health record systems or if interested in upgrading current methods of documenting student health records. It is critical to review ethical and legal considerations when choosing an electronic health record system to protect the student, family, and school.
Other considerations for the use of electronic health records:
- Does the school or district have a policy addressing information security?
- Does the program have overwrite protection?
- Does the program use firewalls, antivirus software and intrusion detection software?
- Does the program have role-dependent secure access (if more than one employee enters data into the student health record)?
- Does the program have encryption, usernames and secure passwords?
- Does the program have a password-protected lock-out screen saver (in case the school personnel entering data into the student’s educational record are pulled away for an emergency)?
- Is there a method to back up the electronic record system?
- Does the policy address data destruction?