The trend for kids online is sharing more, not less. Today’s kids consciously and unconsciously share so many aspects of their life using Facebook, Skype or even newer tech tools like Snapchat. But, as educators, we hold ourselves to a much higher legal and professional standard for protecting the information of these very same students. We’ve all heard about the laws—FERPA, HIPAA, COPPA— that set the standards for privacy of student records and personally identifiable information, but what do the laws mean in the context of delivering speech-language therapy online?
HIPAA: Protecting Individually Identifiable Health Information
Created by the Department of Health and Human Services in 1996, The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient medical records. HIPAA specifically protects “individually identifiable health information,” which includes:
- the individual’s name, address, birth date and Social Security number.
- the individual’s past, present or future physical or mental health or condition.
- the provision of health care to the individual.
- the past, present or future payment for the provision of health care to the individual.
HIPAA gives patients a variety of rights regarding individually identifiable health information. With consent, HIPAA permits the disclosure of health information needed for patient care, such as speech therapy.
FERPA: Protecting Education Records
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects student education records. FERPA gives parents certain rights with respect to their children’s education records until they turn 18 or transfer to a school higher than the high school level, thus making them “eligible students.” The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, parents or eligible students have the right to:
- Inspect and review the student’s education records.
- Request a school to correct records they believe to be inaccurate or misleading.
- Prevent a school from releasing information from the student’s education record without written permission (with some exceptions).
COPPA: Protecting Children’s Personal Information
The Federal Trade Commission instituted COPPA (Children’s Online Privacy Protection Act) in April, 2000 to protect children’s personal information on websites and applications that target children under the age of 13. Under the legislation, websites and apps that collect this information must notify parents directly and get their approval prior to the collection, use or disclosure of a child’s personal information. The FTC describes personal information as:
- A child’s name, contact information (address, phone number or email address.
- A child’s physical whereabouts.
- Photos, videos and audio recordings of the child.
- A child’s “persistent identifiers,” like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.
Recommendations for Online Therapy
Clinicians and educators often focus on the capabilities of individual pieces of technology, and, indeed, a secure therapy platform is highly recommended both to ensure the privacy of sessions as well as student data. However, it is the information, and the sharing of that information by the adults responsible for the care of each child, that these laws focus on. So educators need to focus on a systems approach that considers the end-to-end process of handling and securing student data.
While clinicians are trained in student identity protection, non-disclosure methods and the maintenance of student record confidentiality, it is ultimately the school’s responsibility to ensure agreements they have in place with online therapy service providers support them in protecting student privacy. So what are the practical considerations in this end-to-end approach to protecting the privacy of students receiving online therapy?
- Ask what type of security is in place. Solutions with bank-level security offer the strongest protection of data. This includes 256-bit encryption using TLS 1.0, restricted physical access to the servers on which data is stored, and 24/7 on-site security personnel.
- Use a secure platform for therapy. Secure platforms use an invite-only, encrypted, secure connection. In this model, only the online clinician and the student assigned to that particular appointment time are permitted to enter the password-protected “therapy room.” Parents may also view a session with a prior written request.
- Use a secure server to store data. Make sure all student files containing individually identifiable health information and education records are stored on a secure server using industry-leading security.
- Restrict access. Only online clinicians, authorized school administrators and parents should have access to this password-protected information, thus further protecting student privacy.
This “big picture” thinking will let educators take advantage of new online delivery models for therapy services AND stay compliant with privacy laws. And leave Snapchat to the students.
Melissa Jakubowitz, MA, CCC-SLP, is the vice president of speech-language pathology clinical services at PresenceLearning. She is a Board Recognized Specialist in Child Language with more than with more than 20 years of clinical and managerial experience. She is the past-president of the California Speech-Language-Hearing Association and is active in ASHA, serving as a Legislative Counselor for 12 years.