By Page Forrest
“Attached is a list of students who have been diagnosed with the flu.” Grayson Ruhl (C’17) moved the email into his junk folder before he realized his name was on the list, despite the fact that he had had the flu months ago.
On March 21, the entire student body received a list of 41 students who were diagnosed with the flu. Immediately, discussions of privacy violations filled the campus. “Why did they do this?” “Was it a mistake?” “Did Sewanee violate HIPAA?” “Will the guy I hooked up with last night be mad at me for not telling him?”
The second semi-rhetorical question was answered shortly after the first email went out. Assistant to the Dean of Students Kay Brown sent out an apology, noting that the original email was sent in error, and asked students to delete the email immediately out of respect for students’ privacy. (This reporter would like to note that she held onto the email for journalistic purposes and plans to delete it immediately after she is finished writing this article.)
However, many students still wondered whether or not Sewanee had violated the privacy rule at the heart of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to the Department of Health and Human Services (HHS), the rule states that any information about an individual’s current or past medical status cannot be disclosed except under strict circumstances. As one can imagine, one of those circumstances is not sending an email to the entirety of the “cstudent” group.
Vice President and General Counsel to the University Donna Pierce does not believe the university violated any HIPAA by-laws. “The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other personal information and applies to health plans, health care clearinghouses, and providers that conduct certain health care transactions electronically. Students diagnosed with the flu provided permission to the Wellness Center to release that information to the Dean of Student’s office so that the dean’s office could communicate with faculty in an effort to assist students. While the University certainly regrets the dean’s office’s release of this information to students rather than faculty and respects students’ privacy rights beyond and including those contained in HIPAA and FERPA (the Family Educational Rights and Privacy Act), since the email sent to all students was not made by a health plan, health care clearing house, or health care provider, HIPAA likely was not violated by that email.”
While a few students included on the list discussed potential legal action against the school, they may have realized they might not have a case against Sewanee. Pierce noted the school has not received any legal threats from students.
Ruhl believes student outrage on campus was largely overblown, as were any legal threats. “Personally, this was in no way embarrassing to me, and it was a great segue for talking about something I care deeply about—health information privacy… I did not share this sentiment [of outrage], based on my experience working last summer with the Vanderbilt Health Information Privacy Laboratory, which specializes in health information security issues. HIPAA violations are usually data breaches carried out by adversaries or people who wish to compromise sensitive information to resell to data brokers, leak data to undermine an organization’s security reputation, or for direct marketing. However, I fail to see how Sewanee’s administration is acting as any such “adversary”; it seems as though they are simply making efforts to minimize the spread of the flu. Although it was clearly a mistake—albeit an honest mistake—to share such data with all students, if this was indeed a HIPAA violation, it is one of the least volatile ones imaginable. If more people knew about the lengths of data mining that is conducted on them daily through social media, shopping habits, and Google search queries, this mishap would be the least of their concerns.”
Ruhl’s comments on examining the issue in light of the bigger picture are important, but that does not answer how Sewanee can address this problem going forward, and prevent it from happening again. Karen Tharp of University Health Services said that no paper agreement is signed when students consent to have their name distributed to the Dean of Students’ office and professors. Generally, only cases of mono have a paper agreement form. A clear paper trail of consent to disclosure would make it easier for Health Services to keep track of who consented to their diagnosis being distributed and when, to prevent students like Ruhl from being included on such a list months after having the flu.
Professor Hatcher of the Politics department expressed her frustration in the system and Health Services’ refusal to provide students with excuse notes in most cases after the email went out. “It’s difficult for me to know when a student genuinely cannot take an exam because of their illness, and then I have to weigh that against how fair it is to the rest of the students to move the exam. Being given paper excuses to deliver to professors would benefit students and professors, protect privacy, and secure the honor code.”
Sewanee does plan on taking steps to change the system of notifying professors regarding student illness. Pierce explains that “this practice was set to be discontinued before this inadvertent release of information and will no longer be followed.”
It seems unlikely that Sewanee violated sections of HIPAA with the email. However, the school did, albeit accidentally, violate student privacy on a widespread level. Going forward, changes to the procedure, such as the one referenced by Pierce, make this mistake unlikely to happen again. Despite this, students must think about why they may have been upset upon receiving the email. It is understandable to be distraught at one’s personal information being sent to the entire student body. However, if one’s primary source of distress was the person he or she hooked up with last night finding out he or she had the flu, the student may want to reconsider the ethical ramifications of not disclosing the diagnosis before hooking up in the first place.
As the Dean of Students’ office was acting inside the law, there is no legal fault to be found.