Skip to main content

Student Medical Privacy Rules Tightened Up

The rape case at the University of Oregon spawns re-examination of FERPA rules, new Oregon privacy law
June 30, 2015

How assured can Oregon college students be about on-campus medical privacy when they return to school in the fall?

Perhaps a bit more than before, given legislation passed this June to tighten up student privacy records in cases of sexual abuse or assault.

House Bill 3476, which was signed into law June 10, ensures the privacy of conversations with a victim advocate, and empowers survivors to determine when their stories may become public. The new law also tasks the Oregon Department of Justice with developing training and certification requirements for advocates.

“There is an epidemic of sexual violence on our college campuses that must be addressed,” said Oregon Attorney General Ellen Rosenblum.

“Victims of sexual assault in Oregon should be guaranteed safe and confidential options for counseling and to begin the healing process.”

Student medical privacy has been a hot-button issue nationally since December 2014, when the University of Oregon Counseling Center turned over confidential therapy records for a female student. The woman alleged she had been raped by UO basketball players and had sued the university.

Sen. Ron Wyden, D-Ore., and Rep. Suzanne Bonamici, D-Ore.; got involved in March, requesting clarification from the U.S. Department of Education on privacy rules for students living on or off campus.

Wyden is concerned students will be reluctant to seek care at university health centers if they can’t be assured their records will be kept private.

An online conference organized by Wyden and Bonamici was held June 18 to discuss how medical privacy rules apply to college students.

Brenda Leong, senior counsel and director of operations for the Future of Privacy Forum, moderated the session, which featured Steven McDonald, Rhode Island School of Design; Kirk Nahra, partner with Wiley Rein LLP; and Sarah Van Orman, executive director, University Health Services, University of Wisconsin-Madison.

HIPAA (Health Insurance Portability and Accountability Act, 1996) applies to “protected health information,” essentially, individually identifiable information created by or held by a covered entity such as a doctor, hospital of health insurer. The definition excludes health and education records covered by FERPA.

FERPA (Family Education Right and Privacy Act) allows parents access to a college student’s educational records, but not medical and counseling records, unless the student consents. For more information, visit

In addition, the panel noted:

  • For most records, HIPAA and FERPA are mutually exclusive
  • Medical and mental health providers are bound to legal and ethical requirements of their profession. Their first duty is to the patient/client.
  • Campus health centers are uniquely situated within an educational rather than a healthcare organization
  • In college, institutional roles may be in conflict, such as when the university is sued by a student-patient
  • FERPA does not prohibit the release of treatment records to individuals not providing treatment, nor does it require such disclosure.

Students are advised to read medical paperwork they sign very carefully. If a student is unconvinced the stronger HIPAA rules apply, they may request an off-campus provider covered by the student’s insurance.

Kendra Hogue is a Portland-based freelance writer. She can be reached at [email protected].