Student Health Plan Vendor Breach Raises Regulatory Issues
When Does a Breach Involving Student Health Data Fall Under HIPAA or FERPA?
A phishing campaign targeting a company that administers student health plans demonstrates the regulatory issues that arise when the personal information of students is compromised. That's because it's unclear whether HIPAA or the Family Educational Rights and Privacy Act may apply.
Grapevine, Texas-based Academic HealthPlans says a recently completed investigation determined that unauthorized access to two employees' email accounts as a result of phishing occurred Aug. 6-20, 2020, and again on Oct. 2, 2020. The health plan administrator says that its investigation could not rule out the possibility that email messages and attachments were accessed, although no evidence of such access was found.
The unauthorized account access was limited to Academic HealthPlans' cloud-based Microsoft Office 365 email system, and the intruders did not access the firm's enrollment waiver platform or any other systems, the company says.
"AHP undertook a comprehensive and time-consuming programmatic and manual review of all of the data that could have been in scope. This extensive review process was undertaken to identify the type of information involved and to whom the information related," AHP says.
AHP then correlated the results of this data review with its files to identify the health plans and self-insured universities associated with the information that may have been exposed in the two email accounts that were accessed, the statement notes.
"Based on this review, AHP determined that emails or attachments in the employees' email accounts contained information about student members, including names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information."
AHP says it provided written notification to the health plans and self-insured universities whose members' information may have been exposed and offered to provide notice to those members and applicable regulatory agencies on their behalf.
AHP did not immediately respond to an Information Security Media Group request for additional details about the incident, including the total number of clients and individuals affected by the breach.
As of Tuesday, the AHP incident was not posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing major health data breaches affecting 500 or more individuals.
HIPAA vs. FERPA
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that breaches involving student health information raise complex regulatory issues about whether HIPAA or the Family Educational Rights and Privacy Act may apply.
"I would flag this area as one where there are unnecessary complications because of the fact that we have so many laws that cover the same kinds of information, depending on who has it and what they are doing with it," he says.
"It’s a really challenging area. It's not even clear to me that all of the data is HIPAA data, and generally if it is HIPAA data it is not FERPA data - those two laws tend to be mutually exclusive," he notes.
FERPA is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
A joint guidance document by the Department of Education and HHS notes that in some circumstances, FERPA and HIPAA may intersect.
"When a school provides healthcare to students in the normal course of business, such as through its health clinic, it is also a 'healthcare provider' as defined by HIPAA. If a school also conducts any covered transactions electronically in connection with that healthcare, it is then a covered entity under HIPAA," the guidance notes.
"However, many schools, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records maintained by the school are 'education records' or 'treatment records' of eligible students under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule," the guidance notes.
Nahra says FERPA generally is less prescriptive than HIPAA.
Student Travel Plan Incident
The data breach reported by AHP comes on the heels of a security incident involving Guard.me International Insurance, a Canada-based insurer that provides comprehensive health coverage to students studying abroad (see: International Student Health Insurer Breached).
That incident involved "unusual activity" detected on Guard.me's website on May 12. The incident reportedly involved a vulnerability that allowed an intruder to access students' information, including dates of birth, genders and encrypted passwords.