Okay, everyone. We'll be respectful of everyone's time and we'll go ahead and get started. Thank you all so much for joining us today. We're incredibly excited about this webinar and this topic. I'd like to take a moment just to briefly introduce Jessica Midland and Ruth Vaughn from the Victim Rights Law Center, who will be providing our presentation today on medical record, treatment record, or education record, oh my, and why, emphasis on the oh my. Ruth, if you'll advance to that next slide, please. Thank you. Upon attending this webinar in its entirety and completing the evaluation, you will receive a certificate that documents your continuing nursing education contact hours if you are a nurse. The International Association of Forensic Nurses is accredited as a provider of nursing continuing professional development by the American Nurses Credentialing Center Commission on Accreditation. With that, I'm going to turn it over to Ruth and Jesse. Thank you both. So our objectives today are to summarize HIPAA, FERPA, and to identify their differences, to explain the FERPA and HIPAA patient privacy implications, and to identify best practices for protecting student survivor privacy. This is a really complicated area of the law, and I think I'm, I think Jesse probably feels comfortable with me speaking on her behalf and saying that we are, we are still working this out and this is. Ruth, you just went quiet. Yes. We lost you there for a minute. Can you, can you hear me? Yes, now we can again. I'm sorry. Sorry about that. Technical issues are always right as you don't need them. Sorry. If that happens again, yeah, just waive or something. I think Sarah said before we started this webinar that this is like peeling an onion, and so we're here just working this out together. So to begin, we would love to kind of get people's brains going this afternoon or this morning, depending on where you are, and we would love to hear some thoughts about what laws you know of or come to mind that protect or implicate student survivor privacy. We have, we're here to talk about HIPAA and FERPA, so those are two for sure, but any thoughts about others that, that might, might implicate student survivor privacy? We're just working our brains, getting it like warmed up for the day. That's all right. Does anyone feel, you can use the chat, you can unmute if you feel comfortable. Title IX, yes, Title IX, my favorite. HIPAA, FERPA, yep, Title IX, again, for sure. Any others that come to mind? Yes, jurisdiction, jurisdiction-specific laws, absolutely. That, that's great. That's a really good point. Clery, also a favorite. Yes, I say that having, you know, I'm a, I'm an education, higher education attorney, and that, yes, Clery, Title IX, very, very important. Yeah, thank you all for, for participating. So, you actually hit on, and of course, here we go, oops, for HIPAA, FERPA, which we're here to talk about today, we identified the Clery Act, Title IX, VAWA also implicate student survivor privacy, VOCA, and then jurisdiction-specific privilege laws, and those are things like, you know, patient, physician-patient privilege, attorney-client privilege, victim-advocate-survivor privilege, and things of that nature. So, this is just to say, we're not going to get into all of these today, but these all, you know, they do matter with, you know, there's student survivor privacy that matters with respect to all of these different laws, and we are just going to start teasing out HIPAA and FERPA a little bit today. So, thank you for bearing with us. So, jumping right in, HIPAA, the Health Information Portability and Accountability Act, which was enacted in 1996, it was designed to modernize protections for personally identifying information maintained by health providers and insurance industries. It contains a privacy rule that requires the protection of protected health information, or PHI, which is specifically defined by HIPAA, and usually health care providers are really familiar with HIPAA regulations. For those of you that do sexual assault forensic exams, you're probably also really familiar with the exceptions for law enforcement where there are exigent circumstances and in circumstances involving minors. One thing that we will talk more in depth today about is how HIPAA, by definition, excludes a FERPA treatment record and a FERPA education record. Those are not going, one record cannot be protected by HIPAA and FERPA. And again, we'll tease this out as we go, but that's just sort of at the outset, kind of be thinking about that. So, the Family Educational Rights and Privacy Act, or FERPA, was enacted in 1974. It is a law designed to protect student privacy. It applies to an educational agency or institution that receives federal money, and it distinguishes very explicitly between an education record and a treatment record, and limits access to who can access a student's education record. While most health care providers don't get training on FERPA, and correct us if we're wrong, you might have had extensive training on it, which would be great. There are some important areas of overlap that might be really helpful for you in your context. So, those of you that are familiar with HIPAA and FERPA might think, oh, this is really vague, and some might think this is really clear. We're going to draw on all of those different perspectives and hopefully get to some good conversation today. So, before we start kind of getting into the weeds a little bit, we wanted to raise two relevant definitions to be thinking about throughout. The first is that under FERPA, student has a very specific definition, which is anyone enrolled in and attending an educational institution online or in person. This doesn't include someone who's just auditing, and it doesn't include anyone who has been accepted to an institution but is not yet attending that institution. And then under HIPAA, a covered entity means a person or organization that transmits health information electronically. For this presentation, for those of you who are sexual assault nurse examiners, you are probably very familiar with and understand that if you're for a covered entity, even if you are not necessarily the person who is transmitting that health information electronically yourself. So, with that, I'm going to turn it over to Jessie. Thanks, Ruth. I think we're going to spend, I think it's fair to say, more time on the FERPA side of this because, well, I mean, let's start with the fact that you all spend way more time interacting with HIPAA than we do as lawyers who are advocating for and representing survivors, but we just wanted to pick out a few highlights here, particularly because as we get deeper into this conversation today, we're going to be talking more about the intersections between FERPA and HIPAA and, most importantly, what does that mean for survivors and for the providers like yourselves who are serving them. So, one thing I think I want to say about HIPAA, just to start with, because it's helpful to sort of hold on to this conceptually, which is that where laws like FERPA, the Federal Education Rights Privacy Act or state privilege laws, you know, physician, patient, nurse, patient, et cetera, those are all conceptually really designed to protect the privacy and to kind of place limits or restrictions or parameters around the flow of information. It's helpful just to sort of remind ourselves that in part the inception of HIPAA was to ensure, in fact, the flow of information and information sharing between and among providers to ensure patient and quality care. And so, kind of just almost right out of the gate, yes, while HIPAA does impose all of these privacy requirements, et cetera, it's important just to hold on to this concept that we have HIPAA in part because one of the underlying foundations is to promote the flow of information. You know, it's sort of stating the obvious, right? The person that protected health information may not be disclosed unless it's authorized in writing by the patient or the patient's guardian, although as Ruth just referenced, there actually are some exceptions to that. The covered business entity piece of it, I want to dwell on for just a moment for two reasons. And one is that every once in a while, we do run into healthcare providers who have what would be protected health information, except that they're not a covered business entity. And most often when we see that is because it's somebody who is not engaging in any kind of electronic billing. I do remember that there was a medical forensic examiner in one state a number of years back, I don't know if this is still the case, but who very intentionally and deliberately did not engage in any electronic billing because they did not want to be a covered business entity under HIPAA. The other example, I think sort of just worth referencing in the context of the work that you and we all do, is that there are some rape crisis programs around the country who have SANE programs and who are operating essentially a facility where the SANE can come and meet a survivor at that facility and then conduct the medical forensic exam. And they may also by virtue of that, and if they're doing electronic billing, et cetera, become essentially a covered business entity, which is something I think that we may not necessarily think about when we're thinking, well, who are these HIPAA compliant organizations or organizations that require to be HIPAA compliant? And then of course, one of the other things about the HIPAA privacy rule, it tells patients, right, how our information may be used when we're in the role of the patient, how it may not be used, and what rights we have. If you go ahead to the next slide, please. So, well, what is that protected health information? First of all, it's what is individually identifiable. It's always interesting to me to think about the sort of robust information that we have under the Violence Against Women Act, under VAWA confidentiality, when it talks about what is personally identifiable information. It is not as explicitly listed out under HIPAA, but I think the VAWA guidance is actually sort of super helpful here, which is it's information that like by on its own or in combination may make a patient identifiable. So obviously it's things like a name, a social security number. I'm always surprised that almost like before they want my name, when I call the doctor's office, they want my date of birth, which kind of surprises me because I think there's got to be lots of people with my date of birth. But in a small town, in a rural community, it might be neither someone's name or their social security number, but it could be their age in combination with their relationship status or whether they have children and their faith. So we want to think about it as information that makes somebody individually identifiable. There was some kind of, for me, a little bit terrifying information a few years back when there was the Human Genome Project, and they talked about how easy it was for them with very, very basic information in my mind to identify who the individuals were that had participated in that. Information is also protected health information if it's not just the past of care that might have been provided or the present, but also regarding future physical, and it could be physical care, it also could be mental care, mental health care, sorry. And then last but not least is around the payment for health care if it identifies an individual. I'm just going to put a pinpoint right here in the payment piece of it because it's something that we'll come back to, I think, when we talk a little bit about FERPA and the difference between a treatment record and an education record, because the payment records are actually education records under FERPA and not treatment records. And then, of course, why does it matter? Why do we even sort of talking to you about all of this? And first of all, because if it's not that personal health information, then it's not protected by HIPAA in the same way as PHI is, in fact, protected. And that a lot of what we're talking about here is, well, what laws exist to protect patient information, and how do they apply, and when do those laws change, and what are the implications for survivors? Because, of course, that is at the center of why we're even having these conversations. And then we want to make sure that kind of we all have this shared understanding that we can promote to the extent possible so that we're supporting survivors in making informed decisions, and both about the expectations of privacy and also when they are, for example, requesting their records. Does that make a difference? Does that change the protections that might be afforded to those records? You know, it's been really interesting to me. I've just had some back stuff going on at the personal level, and I was really shocked that, like, these different health care providers, I had to see various neurosurgeons in two different states, and, like, without my, you know, written consent, they could just request these records. I could say, oh, well, I had an MRI here and a CT scan here and x-rays on such and such a date, and they'd be like, oh, well, we'll request them. And I'm like, don't you need a release of information for me? And they didn't, and that was really, I mean, it was sobering, but it was also just super helpful in thinking about, well, you know, if I were a survivor and had all of these records in there, it's pretty valuable for me to know that they could be being shared for treatment purposes among these different providers without my express written consent. So, next slide, please. And then, of course, we want to distinguish between when we have sort of when a health care provider or covered business entity may disclose that PHI without a patient's written authorization, and then we're going to talk in just a moment about when they must disclose it. And then, of course, there's this very significant sort of third category that I think we all care about a lot, which is when may they not disclose it without the patient's written authorization. And first of all, I want to, we emphasize the may here, because depending upon what the law is in your jurisdiction, it's permissive, or in fact, it may actually be restricted or not, but this doesn't mean that the health care provider necessarily has to, but rather that they are allowed to under a set of expressly identified conditions. And the first is when may they, when it's required by law, and that's, of course, going to be a must. And I think probably the examples that come to mind for most of us with those are mandatory reporting statutes, right? So, if it's a child abuse or elder abuse or abuse of a person with a disability, those are all going to be subject to mandatory reporting laws. The other, which is specific to the work that all of you do, is that you may have laws in your jurisdiction that require the disclosure of certain kinds of injuries. So, for example, here in Oregon, nurses, doctors, a number of other health care providers are required to report certain non-accidental injuries. So, that's a mandatory reporting statute, specifically the health care providers. I do always like to put a little asterisk there because, at least in the realm, in here, you know, what I'm most familiar with is the Oregon law because that's where I'm residing, is that the reporting requirements for non-accidental injuries are actually much more complex and detailed than they appear at first blush. So, for example, it's a non-accidental injury that's caused by a deadly weapon, and there actually are definitions under the statute of what's considered a deadly weapon and also what's considered a serious physical injury, and it has to be protracted, impairment, etc. And so, I always like to kind of go into a little bit more detail than it might seem warranted on that because if you just read the statute at first pass, you think, oh, I have to report every kind of injury that might have been caused by a knife or might have been caused by a firearm, or by some other kind of quote-unquote weapon that had been used. But, in fact, there is a fair amount of guidance in our statutes about that. For reporting abuse or neglect or domestic violence, it might also be sexual assault, for example. I know we have folks on the call from Massachusetts. Massachusetts has a mandatory reporting statute on sexual assault, although there are some really wonderful protections that are built into that statute regarding protecting the privacy of the patient. And, in fact, you're not allowed to provide their name to law enforcement, etc. When else may the covered entity, you know, public health authority for public health reporting is required? We're certainly seeing a lot of that right now during COVID. The other example that, I mean, I always feel like, okay, what examples do I have to share, but that I often give is that a number of years ago now, it turned out that I got Lyme disease when I was traveling in Europe, and we actually don't have Lyme disease in Oregon, and it is a trackable disease. It's reportable. Healthcare providers have to report it. So, you know, three months after I get this bite, and I didn't know what it was, I go in, and I do a blood test, and it comes back positive for Lyme disease. So, you have to remember, right, I do privacy work for a living. So, the next day, I'm at the office, and I get a call from someone that says, hi, this is Multnomah County Health Department. Is this Jessica Minlin? And I say, yes, this is she, and I start laughing, and I said, wow, I didn't know Lyme disease was a reportable disease, because immediately, like, I've gone to, you know, to, like, why are they calling me? And so, I said, oh, I didn't know that Lyme was a reportable disease, and she says, well, I just need to verify, you know, who you're, who you are, and asks me for my date of birth, and I, of course, I'm like, well, I need to verify who you are, and so I say, can I have your number, and I'm going to call you back. She gave me the phone number. I recognized it as being from the county. And then the next question, which is part of why I share this story, the next, after we'd verified my name and my date of birth, the next question that she asked me was, were you born in the United States? And this was fairly early in 2017. And I was like, why are you asking me that? That is not an appropriate question to be asking. It has nothing to do with where and how I might've gotten Lyme disease. And we had a little bit of an exchange and she also said, well, can someone listen in? And I said, well, I don't know what you're going to ask me. So I don't really feel like I can give informed consent to somebody listening in. And I know that I probably made her day very difficult. And she was ruing the fact that she had ever had to call me about any of this, but I share all of that sort of as kind of, I had no idea. And I said to my husband, like, I had no idea that when I tested positive for this, that it was going to be shared with Multnomah County health department. Nobody ever said, this is a reportable disease. You should be expecting a phone call. And it really came out of the blue. And like I said, I was sort of shocked that the second question was whether I was born in the United States. And it so happens that I wasn't, and I felt like it was none of their business and nobody gave me any context. And then she said, we don't have to answer that question. And I said, well, you didn't tell me that either. So, and I said, you know, most people are not going to be as assertive as I am. And I was polite. I may not sound as polite as I was when I'm recounting it here, but it was very interesting as a patient perspective, how much information they wanted and how unprepared I was. Okay. For judicial or administrative proceedings. Although again, you know, I mentioned at the very beginning, I think I wasn't sure if people were on or not that I spent a while last night getting my kicks going onto the HHS website, reading a bunch of consent decrees that are, and also finds that HHS had issued to various healthcare providers for well, for a variety of different reasons. One of them is for not releasing patients records when requested in a timely way. But the other was that they had received a subpoena. They didn't inform the patient. It was not actually a court order. So again, I just sort of want to asterisk. And I see that Joan made a comment just for clarification that Massachusetts, the mandatory reporting is only for minors and persons with disabilities and elders, not for all patients. So I just wanted to shout, yeah, every jurisdiction is going to have different mandatory reporting laws, whether it's sexual assault, domestic violence, child abuse, elder abuse, et cetera. And so what's important of course, is to know the law of the jurisdiction where you are and also where you're practicing in case those are two different jurisdictions. There are specific and they're very detailed exceptions for law enforcement purposes when a covered business entity may release that PHI. And that will also to advert if there's like a serious health or safety threat. And there's really wonderful guidance from HHS. I have to say, there's a document that we can share with all of you if it would be helpful. But if anybody wants to sort of just dig deep on this, there's a lot of information. And I guess we'll be talking a little bit more about minors. So there's the may and then where is, excuse me. And when is the must? And the first is that if the patient or their personal representative asks for the information for their own patient health records, the healthcare provider is required to disclose this. It seems like a super straightforward point, but a couple of things here too. First of all, there were a number of sanctions when I was looking at that HHS website last night for healthcare providers that had not released those records in a timely way. Probably the most egregious I saw was somebody who ended up waiting probably like a year and a half. And that physician ended up as a cardiologist ended up being fined $100,000. Now, I think probably that is in part because they also didn't respond to HHS's requests for information. But that some of those requests when they made the patient wait three or four months, they were also sanctioned for making them wait for that long. And I remember a number of years ago, gosh, it must be going back. I don't know. I think it was to 2009. Maybe it was a bit later than that. Kim Day and I facilitated a round table conversation at the IAFN conference with the SANEs. And we had a really interesting and engaging and robust discussion about the release of the medical records as they pertain to the medical forensic exam and what different institutions practices were. And there were a number of institutions at that time that participated in that conversation that said, oh yeah, where I work, we don't ever give them to the patient. We only give them to law enforcement or the patient has to have a court order. They have to subpoena them. And I was really surprised to learn about that. But it's very clear. And in fact, like I said, there are a number of these sanction letters when a patient has asked for their medical records and they've not been provided. And then, of course, there's this exception around HHS doing their own investigations. And I also want to underscore here that when the patient requests it, their request does not actually have to be in writing. If they request it verbally, that is a sufficient request. So I think that's what I want to say about that. Next slide, please. Okay. We have this slide in here just because the question has come up a number of times, which is when you have records that, right, they were a healthcare provider's records and then they are provided to someone who is not a healthcare provider, they're not a covered business entity, do those HIPAA privacy protections sort of accompany the record? Do they stay in place? So, for example, an example that we have here is if the records are provided, for example, to law enforcement, are they still protected by HIPAA? The answer is no. They're not going to be protected by HIPAA. Now, there may be other protections that might apply under the laws of your jurisdiction. So, for example, certain documents that attorneys acquire in the context of their representation might be covered by the attorney-client confidence secret, attorney-client privilege, work product, et cetera. But that's not the same as being covered by the HIPAA. And then the other sort of side of this or other twist to this as well, okay, if those records are provided to law enforcement, could the patient use HIPAA to try and get a copy of whatever information law enforcement has regarding their records from the law enforcement agency, the crime lab, the storage facility, et cetera, under that, well, I have a right to it because HIPAA gives me a right to my patient records. And the answer is no. And why not? Because law enforcement is not going to be covered. They're not a covered business entity under HIPAA and therefore it will not apply to them. I'm just going to pause for one moment just to look at the and say if you do have questions in the chat box, feel free to go ahead and write it there. I am paying attention to it and I know Ruth's monitoring it as well. So, I mentioned a couple of times here and Ruth did as well in her part of the presentation that in addition to write these federal laws, whether it's HIPAA or it's FERPA, that each jurisdiction may establish privacy laws and additional privacy protections for patients under the law of their jurisdiction that will apply in that jurisdiction. And I use the word jurisdiction rather than state because we have states, we have the District of Columbia, we have the populated U.S. territories, you know, Guam, the Northern Mariana Islands, et cetera. And then, of course, we also have tribes, Indian tribes, who are sovereign nations and as sovereign nations get to establish their own laws. And so, while HIPAA may provide for certain privacy protections, number one, keep in mind that the states or tribes or territories may provide or establish additional rights and additional protections. But the other is that there are a number of places where the HIPAA federal law and the law of the jurisdiction are also going to intersect, just like HIPAA and FERPA intersect. They're places where state law will inform what the patient's rights are, even per HIPAA. Perhaps maybe just an easy example of that is with minors or with somebody who has a personal representative, like a guardian has been appointed for them. But just an example with minors, well, I'll take Oregon as an example because it's always the law that's at my fingertips. So, in Oregon, a minor may consent to their own health care. They can make their own health care decisions at the age of 15. And they can make their own mental health care and consent to mental health care services at the age of 14. And so, let's say you have a patient who is 15 and the parent comes in and says, well, I want access to my kid's medical records. Well, if the law of the jurisdiction is that that minor has an absolute right at the age of 15 to make all of their own medical decisions, then it's the minor who would be the person who would be consenting to the release of their medical records, and it would not be the parent or the guardian. Now, the state law may make for some exceptions to that, but essentially, the general rule to follow would be that it would be the minor. Do you see the question in the chat? Yeah. Can you speak to the release of advocacy records to a client or a former client? When you're saying advocacy records, are you not, Cynthia, I'm just going to ask you to elaborate a little bit. Are you not talking, is there something other than medical records? So, if you want to clarify that, and then just, as time allows, I will get back to you. And if time doesn't allow, then we can try and follow up afterwards. There's another question. How does this apply to the college-level population and parent insurance information regarding SANEs and STI treatments, et cetera? We're going to get to FERPA, so I'm going to hold that question. I think we'll get to it when we discuss FERPA in greater detail. But I will, if we don't, just, again, sort of remind us, pop that question right back in there. Although I want to distinguish between college-level population, i.e., young adults, generally, versus college students who may be getting healthcare treatment either from their educational institution or outside of their educational institution. And we're going to delve into a lot more detail, whether it's FERPA that is going to govern that college student's privacy rights, or whether it's HIPAA that's going to govern that college student's privacy rights. And again, as I mentioned earlier, that you're going to have these jurisdiction-specific laws that might require mandatory reporting. And then HIPAA actually explicitly talks about not only whether there's a law of the state or the specific jurisdiction laws, but it also does reference the professionals or the healthcare providers' ethical obligations. And sometimes, for certain decisions, healthcare providers are both expected and allowed to rely on their professional judgment. And again, that most often is going to come in in determining whether or not someone is in imminent danger or danger to themselves or danger to others. I will just put a plug here that the Victim Rights Law Center has a fair amount of jurisdiction-specific information that we have conducted under our privacy project around the duty to report. Because again, that's going to vary state by state. I'm talking here, for example, just shorthand. I think most of you are going to be familiar with the Tarasoft case. So some states, certain providers are mandated to disclose when someone might be a danger to themselves or a danger to others or have a duty to report. And in others, it's permissive. But I'm going to stay away from that rabbit hole because that's a whole other presentation. Okay, Ruth, I'm going to turn it back over to you. Yes, and I just want to say that I think everybody has probably recognized now and what we all say at the Victim Rights Law Center is that Jessie is the resident expert on all things privacy. So if you have questions, yeah, she's here. And I also, I know, Jessica, you put the question in the chat about student, I mean, college-level populations. And I just want to echo what Jessie said after we kind of delve into FERPA a little bit. If your question, if you feel like it hasn't been answered, let's tease it out a little bit more and make sure we get to it. Because I think there are some follow-ups we can do on that. We're going to shift a little bit to privacy and FERPA and dig into the distinction between education and treatment records. Did I lose control? There we go. So what is an education record under FERPA? So under FERPA, any and all records related to the student that are maintained by an educational institution or a party acting on behalf of the institution are part of the education record. So here we're talking about things like grades and transcripts, class schedule, student financial information, which is what Jessie alluded to earlier, student disciplinary files. Those are part of the education record. It does not, by definition, include treatment records. And I'm going to delve into treatment records in more depth in about two slides. But just note that this is a specific carve out in FERPA. There are exceptions to FERPA. So under FERPA, students and parents generally have a right to inspect and review educational records maintained by the school. FERPA protects the records and the personally identifying information maintained in them, which are things like an identification number, name, date of birth, other information that can be used to identify an individual. Medical records can be either education records or treatment records under FERPA. Just because there is a record that is medical in nature does not necessarily mean that it's a treatment record. So just note that there's, you know, we'll figure out obviously there can be medical records that are protected by HIPAA, and then there can be medical records that fall under FERPA, and they're going to be either treatment records or education records. And we'll kind of tease that out a little bit. So any post-secondary student, regardless of age, is in charge of their own educational record. The exception to this is when a student is a dependent, as defined by the Internal Revenue Code. And this means that if either parent has claimed the student as a dependent on that parent's most recent income tax statement, the school may non-consensually disclose the education records to both parents. There is some flexibility around this. So if the school policy provides notice that they are doing things differently, then that is acceptable. But generally speaking, a dependent is going to be, would open that up to access by the parents. I wanted to note here that spouses do not have rights under FERPA. It really just limits, it kind of addresses students and parents, and obviously there's a lot of, there's a lot of, there are cases kind of teasing out what parents mean. And so it can't, there's some flexibility there, but spouses do not have any rights under FERPA. It also doesn't require the school to provide copies of the record, only access. So the students and parents can access the record. They can also request changes to information they feel is inaccurate. So those are some things that they can do, they can request of the institution. Just going to, okay, we don't have this, just checking my chat here. So treatment record, under FERPA, a medical record is considered a treatment record if it meets these criteria. So it has to be medical or mental health in nature, created at a post-secondary institution. So created at the campus, the school, containing the medical or psychological treatment information of a student who is 18 or older, or who is attending that institution. Made, maintained, and used only for treatment, and disclosed only to treatment providers for a treatment purpose. Only to treatment providers for a treatment purpose. Those are the criteria to have this sort of carve out under FERPA. So if any of those criteria are not met, or are no longer true, the information becomes part of the education record. It will no longer fall under this treatment record exception. And as an education record, it can be disclosed under any of FERPA's exceptions to consent. So to maintain the information, to make sure that that treatment record stays a treatment record, the student should try to limit the disclosure just to other treatment providers and for treatment purposes, so that it does not become part of their education record. It is important to note here that the institution does not generally have discretion to share treatment records on their own, apart from the student sort of requesting that and becoming part of their education record. And some treatment records may also be covered by privilege laws, and FERPA exceptions would not preempt those privilege laws. So you have sort of overlapping things to consider here. But if the student does request those treatment records, then the institution can share that information under its enumerated exceptions to requiring consent, because then it would have been transformed into an education record. So, again, just to remember that just because records are medical in nature does not make them treatment records. Even if the records are held by an institution's health care provider, they are going to either be treatment records or education records, and it depends on who has accessed that information. So does this really matter if a record is a treatment record or an education record? And I would say with respect to the student's privacy, absolutely. A treatment record cannot be disclosed to anyone other than treatment providers or for any other purpose than for treatment without it being transformed. At that point, more entities, more people can access it. So once a treatment record has been transformed into an education record, you cannot go back to being a treatment record. The cat is out of the bag. So let's take an example. Let's say here that a student is being treated for depression by the school's counseling center. The student is also going through a disciplinary process to address allegations of the student code of conduct. And during that process, there's an option as there typically is to provide counseling records to the investigator to aid in the investigation. While the student may understand that accessing the treatment record will mean that that information goes, let's say to the other party in the course of that conduct case, they may not understand that the decision to access that treatment record means that it becomes part of their education record. So if the student is a post-secondary student who is dependent on their parents' income tax statement, their parents could access that record without consent. It could also be provided to an institution to which the student ultimately wants to transfer. Again, because it has become part of the education record. So we are going to pause for a second and do a quick poll. So if a SAFE is completed at an on-campus clinic, and the patient obtains a copy of their record to provide to the law enforcement, is that record still considered a FERPA treatment record? Yes, no, or maybe? So take a minute, think through that. We have on-campus clinic, patient obtains a copy that they want to provide to law enforcement. Is it still a treatment record? And I just want to say, Ruth, that I tried to vote, but it wouldn't let me. I don't let me either. Yeah, I just thought it would be fun. Are people able to vote? I don't see that coming up. Is everyone able to? Yeah, they should be able to vote. I think when I end it, you'll be able to see. Okay, I'm going to say, let's go ahead and in the poll and see the... Yeah, see the results. So is it still a FERPA treatment record? About 24% said yes, 53% said no, 24% said maybe, which means like, maybe this is a little bit confusing. So the answer is no, it is now an education record. And that is because the patient has accessed it, and law enforcement, they're giving it to someone else who's not a treatment provider, and it's not for a treatment purpose. So it is no longer for, it does not have that treatment record protection. It has become part of the education record. And I think we have some questions in the chat. Let me just come up here. So if a student has a medical forensic exam at a hospital off campus and submits the report as evidence to an investigation on campus, it becomes part of the education record, correct? Yes, this is why. So first of all, the forensic exam at the hospital off campus is not, that's not a FERPA, that typically won't be a FERPA covered medical record. That would likely have HIPAA protections. And so if they request it, that's utilizing HIPAA. If it becomes part of that case, then yes, it's part of that student, that education record. So there's a big, there's obviously lots of privacy implications to participating, to sharing this information in the course of campus processes that are disciplinary in nature. And another question, which is a great question, Jessica, thank you. What do you mean by limiting disclosure? By limiting disclosure, I really mean making sure that the student does not request that treatment record for the purposes of using it themselves or for providing it to others who are not treatment providers. So they can maybe say, yes, I want my, this counselor to share that information with a counselor that I'm gonna see another counselor, but that does not go through the student. It goes directly to treatment providers to maintain that protection. And then one more question. So is the act of giving, so is it the act of giving it to the student that makes it not a treatment record or once it's actually with law enforcement? What is, what if student never gave it to law enforcement? So we're going back to this, to this particular hypothetical. The safe is completed at an on-campus clinic. Patient obtains a copy of their record. That in and of itself makes it not a treatment record anymore. So I think law enforcement is sort of a secondary, another reason that it would not be a treatment record, but the act of requesting a copy and obtaining it, I think that's the language here. A patient obtains it, it transforms it into part of that education record. If the student requested that it go from the clinic to law enforcement, it would have the same effect, but because law enforcement is not a treatment provider. So I hope that helps to kind of make sense. Yeah, I was just gonna clarify. I think I'm just gonna repeat that, Ruth, because I think it's such a point and it's like so weird that this happens, right? It's only under FERPA. It's basically, if you take this treatment record and send it to someone for other than treatment purposes, such as giving it to the student who's not a healthcare provider or giving it to law enforcement, that converts it from a treatment record to an education record. So it's just such an important, both important point that you're making and one that's a little bit like, really? Like when do other records like, well, I guess they do, right? Well, you can release a record and you can waive the privilege, but anyway, okay. Yeah, and we have a question about copies related to discharge information. Does that trigger an education record entry? So I think if discharge information contains information related to the treatment that's for treatment purposes, then I think copies of that, if you are utilizing that, the patient is obtaining a copy or if you are asking them to share it with someone who is not a treatment provider, then it would transform that into an education record. I'm not as familiar with what discharge summaries typically include. I think it would probably depend on the type of treatment that you are, that they are receiving or they received at that particular provider. Yes, it's- Anything there? Yeah, I think the discharge summary is sort of like, we removed an anonymous tumor or whatever and you should do X, Y, and Z and take it easy because you had medication for the first 24 hours and don't drive vehicles or operate heavy machinery or execute a will, like those kinds of things, like that's not going to convert anything from your treatment record to your education record because those are really instructions. Those are not your actual treatment records. Yeah. Lots of questions coming in. Yeah, good, good. Could you consider the purpose behind the exchange of information contribute to its classification? I'm not sure. I'd want a little bit more clarification there. Yeah, Jessie looks like- I think the answer, if I'm reading this correctly, the purpose matters only in one specific lane and that is, is the purpose that the record is, the treatment record is being released to another healthcare provider for treatment purposes. So if the answer to that is yes, then it will remain a treatment record at the educational institution. But if it's for any other purpose, then it does matter because it will convert it from a treatment record to an education record. If I understood that question. And Ann says yes. She said yes. Yay! We also have a question. What about a note from the hospital regarding academic accommodations or excuse from school? And I think what I understand this to be asking is when someone seeks some treatment at a hospital and needs a note sort of to help them secure accommodations at their institution. So again, if you have a hospital off campus that would not be FERPA, you would be thinking about HIPAA and accessing. So I'm gonna take that first piece first. If you receive a note from a hospital saying, for the purposes of, we saw this person, we think that they could use some assistance from the institution, you'd be providing that to the school. And if it's directly related to the student, it's part of the education record. So yes, it's not necessarily a treatment record that's going to then open up all of these other doors. It's a letter that you're sending to the institution and that does become part of your education record. And I think a letter from a treatment provider is not going to be for treatment purposes, right? That would be saying, we are assisting this person. They could use some accommodations. And I don't think you would be opening that treatment record up to an education record. But that letter itself, yes, it does become part of your education record. And that's why counseling students about, how much information do you really wanna share with the institution, that's really important. That's what we do in the course of our direct services work quite frequently. I think students are very eager to say, yes, I wanna like, can I go to the hospital and get all of the information and just like give it to the Title IX coordinator? And we are usually like, let's slow it down and think through this. It is part of, it could be part of your education record, even if it's not part of the disciplinary case, for instance. So it might not go to another party, another student at the school, but it would be part of the education record. Jesse, do you wanna add anything? It's also, I think an opportunity to sort of pause and think, is there a more privacy protective way of accomplishing the outcome that the patient student desires? And we encounter this, for example, under a certain statute, under many jurisdiction statutes, if they have a lease break law, you have the right to terminate your lease without penalty with two weeks or three weeks notice. And the landlord either may require or must be provided with documentation that the individual is a survivor of domestic and sexual or sexual violence. And when I'm doing training, I'll always say like, the statute doesn't necessarily require you to distinguish between those two kinds of victimizations. And you might just say under X, Y, and Z statute, this individual is a survivor of domestic or sexual violence and has the right to terminate their lease. You don't have to say this client was raped and is there for once to move. Or even more broadly, you might be in a position to say, this patient was a victim of a crime or this patient was the victim of a violent crime and is in need of the, and I'm documenting X, Y, and Z or is requesting and I support the following accommodations. So it is kind of worth thinking about like, well, how much do you have to disclose? And of course, having that conversation with your survivor patient. Yeah, absolutely. Thank you for that. So we're gonna move on. This is a simple chart to help you determine whether HIPAA or FERPA applies to the records in your possession. Just to reiterate, again, FERPA and HIPAA are mutually exclusive. Only one of them is gonna apply to a record. And if there are multiple copies of a record, each copy is protected by the law that applies to whomever maintains the record. So for example, when a patient requests that a hospital send a copy of their record to their college health center, the copy in the college health center or the student health center is protected by FERPA while the original hospital record maintains its HIPAA protection. So hopefully this is somewhat helpful in kind of deciphering what we have tried to explain so far. Now you know why lawyers have jobs. Yeah, exactly. And Jesse, I'm gonna pass it over to you. We do have another poll. So get ready to- Yeah, we have a few more coming up. Okay, here's the question. College student Sammy Survivor had a sexual assault forensic exam that was conducted at the emergency room of the local university hospital. The hospital is located off campus, but it is affiliated with Sammy's university. Which privacy law will apply to Sammy's medical records? Will it be HIPAA, FERPA, both FERPA and HIPAA or you're not sure? And I can't see the voting in this. So if y'all can at IFN and I will leave it to you to decide when to close it. And if you go ahead and either Sarah or Amy publish the results. Okay, so 85% of you said HIPAA, 8% said both, 8% said I'm not sure and 0% said FERPA. So yay, I just wanna say, I always love the I'm not sure because I think that y'all are very brave when you do that. So I'm just gonna give applause to the I'm not sure. So the correct answer there under these facts as we've given them to you is going to be HIPAA. Why is it HIPAA even though it's like the university hospital, it's off campus, it's affiliated with the university, but it's providing treatment, not just to students, but to many other individuals in the community as typically hospitals do. And under the HIPAA guidelines, it is going to be a HIPAA covered entity. And again, because it's not like exclusively on campus set up for the purpose of exclusively of providing treatment and care to students, et cetera. So it's HIPAA and HIPAA only. And the fact that Sammy survivor is a college student is really just sort of a red herring in this case. Okay, so next slide, please. And I think we have another poll. Okay. Once a student survivor patient has attained a copy of their HIPAA protected sexual assault forensic exam medical record and the photos, does HIPAA still protect the records that are in the patient's possession? So they're in the patient's possession. Does, are they protected by HIPAA? Give you a moment to answer that. There's some versions of Zoom that allow you, I think it's either Zoom or Adobe platform that allow you to see the numbers as people vote, which I always love because I find it like weirdly gratifying to see. Okay, go ahead and publish the results. And again, a little bit over 81, 80% of you said no, they will not. And again, yay for a shout out for the maybes or sort of the not sure. And the answer is in terms of the records that are in the patient's possession, they're not going to be protected by HIPAA because remember that the patient is not the business covered entity. There are going to be other privacy protections that will apply to those records. They, for example, very well may be covered under federal or state or tribal or territorial law around any kind of privilege that might apply depending upon what the patient might do with those records. And even once they've been released by the healthcare provider, the privilege can still apply, again, depending upon all of the particulars of that. But the patient's version is not going to be HIPAA protected. Now, are they still HIPAA protected at the medical institution? Yes, because unlike FERPA, there is none of this sort of conversion from one kind of record to another kind of record under HIPAA. The other thing I just want to remind you is that in addition to HIPAA, there are these other privacy laws, right? There may be the healthcare provider patient privilege. Okay, so that's that. And then we have two more scenarios. Here's the question. Well, let me give you the facts first. So we're back with our student survivors, SAMI survivor. So SAMI signs a release for their health clinic on campus to send a copy of SAMI's FERPA protected records now it went away, so I have to read it from here. FERPA protected treatment records to SAMI's family physician. So those are your facts. Student survivor, SAMI signs a release of information. The campus health clinic is authorized to send a copy of SAMI's FERPA protected treatment records to SAMI's family physician. When the family physician receives those medical records, are they covered by FERPA or are they covered by HIPAA? So we're talking here about the family physician and the records that there are FERPA protected records that are provided to them by the school-based healthcare institution or healthcare provider. And I don't know how this works because I see it coming up as two questions on the same poll. So I guess maybe you answer them at the same time. I'm going to ask the second question. Once the copy of the records have been sent to SAMI's physician, then are those campus health clinic records, are they covered by FERPA? Are they covered by HIPAA? Are they neither? Or are they both? And I realized that there's a little bit funky in how we framed that question. Okay, so when the family physician receives those medical records, 77% of you, correct, you got it right. They're going to be protected by HIPAA. Why? Because that family physician who presumably is in private practice or anyway, not affiliated with the institution, they are the, assuming that they're a covered business entity, the privacy of their medical records in their possession are going to be covered by HIPAA. And HIPAA doesn't go away when you transfer medical records from one healthcare institution to the other. It allows for it, but it doesn't go away. And they're not covered by HIPAA with respect to the records that are in the possession of the family physician because that family physician is not a FERPA school-based healthcare provider, et cetera. So in terms of the second question, which it seems like it was a little bit trickier, though I realized as I read it out loud, we didn't really, we could have worded it, I think, a little bit more exactly. You've got about 62% of you who said that's going to be covered by FERPA. 23% say that it's covered by HIPAA. Nobody said that it was covered by neither. And you got about 15% who said that it was covered by both. I'm going to go ahead and close that. So this is sort of an interesting question and why I've made the reference to how we worded it is that they were sent, assuming that they were sent from that student health clinic over to Sammy's family physician for treatment purposes. So let's kind of make that assumption that the campus clinic health records will remain protected by FERPA and they're actually going to remain as treatment records. And that we didn't put in here anything about treatment versus education records. So assuming that that's the purpose that they're sent for, they're going to be HIPAA covered with the family physician, they're going to be FERPA covered at the educational institution. And assuming that they're sent again for treatment related purposes, they're going to remain as FERPA covered treatment records. I'm gonna pause there for just a moment before we go on to see if there are any questions about that. And while I'm pausing, I'm gonna just kind of underscore that the reason we're spending all of the time on this is that it's not that what kind of records they are somehow eliminates any privacy protections, but it does mean that they have different privacy protections, particularly with respect to access by how law enforcement can access them and when law enforcement may access them, when a parent may be able to access them. As Ruth mentioned earlier, when records become educational records, let's say the student is applying to transfer or is applying to graduate school and their educational records are being sent to that next institution, then if they're education records, the education records go. So these are just some of the ways in which it becomes important and why we wanna make sure that all of you have this information. Okay, next slide, please. What kind of record and why does it matter? I guess I got a little bit ahead of myself in talking about why it matters. And again, this is really what we have kind of been saying to all of you, that if you disclose the treatment records for any purpose other than treatment, and that includes to the student, then they are no longer excluded from that definition of education record and rather they become an education record and then they're subject to all of the other FERPA requirements. And I just sort of want to emphasize that including to the student piece because we often will have conversations with students who might say, well, I wanna get a copy of my records. And it's not that we're gonna say, or it's not that you should be saying, no, you may not have a copy of your records because of X, Y, and Z, but just helping the student to the extent you can understand what the implications are of them requesting that record. And so, for example, let's just go back for a moment to the SAMI student survivor who wants a copy of their record to go to their family physician. In that case, if they want it to maintain as a treatment record, then have that student, the institution healthcare clinic send it directly to the physician because that will allow it to remain a treatment record. If the institution gives it to SAMI the survivor, well, SAMI can kind of do anything that they want with it. And even if one of the things that they do with it is ultimately provided to their family physician, at that point, it has lost the protection of being a treatment record because when it made sort of that pit stop with the student, it became an education record. So, next slide, please. And again, really, this is sort of just what we've been saying that different privacy protections will apply and protected by HIPAA or by FERPA, by FERPA treatment or by FERPA education, we wanna make sure that student survivors who have already experienced such a breach of their bodily integrity, of their right to self-determination, to agency, to autonomy, that to the extent that we can empower them and make sure that they're making informed decisions, then we are really providing the best survivor-centered, survivor-directed services possible. So, if you're just gonna reflect for a moment and use the chat box, oh, I guess we made this a poll. Okay, another poll. We went a little poll happy here. If you think about the survivors that you work with and their patient records, whether they're FERPA or HIPAA or whatever, like who might want access to those records for a variety of different purposes, depending on the context? Would it be the survivor patient, law enforcement, school officials, could be parent or parents. It could be the survivor, the victim, survivor themselves. It could be, if there's a defendant or a respondent in a school disciplinary hearing or in a civil protection order hearing or any other kind of a court matter. Great, well, everybody got 100%. So, I'm gonna go ahead and close that, yay for you, because it may be certainly sort of all of the above. And in fact, we could probably add it to this list, right? It might be other health and other healthcare providers. It might be that could include physicians, nurses, mental health therapists, psychotherapists, et cetera. There are many, many different people who might want access to those records. There are many, many different people who might want access to those records. So, then we'll sort of, as we reflect on that, let's kind of turn to the next slide, please, and talk a little bit about the ways in which you all may be most involved in this. And let's just think about, have as an example, the campus hearing. So, let's just say that you have a student survivor who is asking for a saint to interpret the medical record or to otherwise be a witness in a campus proceeding. And Sarah, I just want to acknowledge, I saw your note in the chat that we have 15 minutes left, and I'd actually had just picked up my phone to look at the time. And so, we often get these questions of like, wow, should we do that? Is that a good idea or is that a bad idea? And what are the implications of us doing that? And are we waiving privilege? And these are all just wonderful questions, and they're exactly the right questions for all of you to be asking. And I'm going to go through this just fairly quickly, but also invite Ruth, you have so much experience with campus hearings, invite you to jump in as well. And the first thing is that we, even though there are unfortunately some ways in which these campus disciplinary proceedings feel like criminal proceedings, particularly for the survivor, they're not the same. They're very different. And one of the ways in which those differences become most significant have to do with the laws that apply and that might protect the information that is disclosed at those hearings. So first of all, they're not the same as a criminal proceeding in the extent to which, for example, there's not a Fifth Amendment right not to self-incriminate. There's not a basis for that. I mean, there may be other bases for choosing not to give testimony, but you can't say I'm invoking my Fifth Amendment right against self-incrimination. You don't have like in a criminal case information that it's within the possession of the prosecutor. They have a duty to turn that information over to the other side under the Brady laws. And so there's not going to be a Brady obligation of disclosing certain information. The standard of proof in a criminal case is beyond a reasonable doubt. That is not the standard of proof in school disciplinary hearings. But it's also really important that you don't have the same privilege or other privacy protections that you might be able to assert. You can't automatically or necessarily assume that they're going to apply to any information that is exchanged either between the parties or between one of the parties and the educational institution. This had come up earlier and Ruth already spoke to this, that if you have treatment records under FERPA and they are released for purposes of a campus hearing that they then lose that FERPA treatment record protection. Again, because they're not being shared, they're not being released for treatment purposes to another healthcare provider. They're going to be converted into education records. One question that we get asked a lot too is saying, saying, well, like, do I have to testify? You know, if the other side is calling me or the educational institution. And again, you wanna be consulting. We can't give you legal advice. We're not your lawyers. We don't even know what jurisdictions you're in. And I've no doubt that we're not licensed to practice law in those jurisdictions. But there isn't some law that says if you provided healthcare to this individual that you must testify if someone else asks you to testify. And there isn't the subpoena power, for example, at these hearings. So I can see that there's a question in the, oh no, that was Sarah saying we have 15 minutes left. Okay. But these are the kinds of questions that come up. And of course, if the student survivor is asking you to do it, I mean, again, from a survivor-centered services perspective, we would say, well, absolutely you should. But, and with a sort of a big but, you wanna be sure that the survivor is really making an informed decision, that they understand what are the implications of you giving this testimony? What will you be asked if you're asked certain questions that you didn't expect? Are you allowed to withhold the answers to that, et cetera? And I'm gonna turn it over to Ruth who has so much more expertise than I do because she operates fully in that campus arena. So I'm gonna turn it over to you, Ruth. Thanks, Jessie. And I think we could, I mean, I could certainly talk for another hour and a half about campus proceedings and especially Title IX and how, you know, I'm not sure if any of you have been asked to participate recently in a campus hearing, but those requests are likely going to be more frequent given the shift in our federal law around Title IX and the regulations that came out in 2020 that now require post-secondary institutions, if they're, obviously, if they're a recipient of federal money to have a live hearing component. And so I, you know, I raise this, I think will in the interest of time kind of give you an overview, but just note that we could spend a lot more time kind of sifting through some of these considerations and the uniqueness of the campus process and some considerations that you might want to keep in mind if you're asked, if you're requested to attend one of these hearings. So I was going to ask for sort of a free think around what are the benefits to a survivor of participating in a campus hearing. I'm just gonna go over them. If, you know, again, we're really wanna respect your time and how long we have talked to you. So some of the benefits, it may validate a survivor's account. It may give a survivor a sense of, yes, I have these pieces of credibility I can point to. I, you know, I went directly to the hospital or the health clinic and I got a sexual assault nurse exam. I did all of that. It was a closeness in time and it might really bolster their, not only their confidence, but also how the decision maker credits their or assesses their credibility. Allows for testimony by an expert neutral witness. That is not something that is typical in campus processes. I think we'll see more of that as time goes on, but that can be really useful. Medical findings obviously have an objectivity to them that I think decision makers find really persuasive and for good reasons. You know, the contrast to making sure that the testimony validates the survivor's account, it can also explain a lack of evidence. It can sort of fill in holes that the decision maker might have questions about. You know, why did the victim respond in this way? It could kind of help fill out and explain the context of sexual assault, the context of, you know, the medical findings. And then it can also assist the decision maker in giving the medical record more weight and thus sort of assisting the survivor in that hearing. So there are some real tangible benefits to participating in a campus hearing. There are also risks that we encourage you all to think about, and I'm sure this list does not cover, it doesn't exhaust the risks, but as a start, it may result in a waiver of privilege. And does the survivor understand that once that privilege is waived, it can't be, you can't go back to that protection and who that opens up the information to? And this, not only that, you know, that first layer of, we're gonna share this information with those involved in the campus hearing, but also this part, this becomes part of your education record. Are there other layers that this is opening you up to? This, you know, you're relinquishing privacy to a pretty significant extent. The testimony may cover broad information and that can be something that can be helpful. It can also be a risk if there's not a lot of specifics. And I think this is a huge one. The rules of evidence do not apply in campus proceedings. For those of you familiar with courtroom, kind of the typical way that a legal proceeding is conducted, there are very strict rules of evidence. And what is relevant is also balanced against very specific things that are not allowed, like things that are excluded from being considered. The campus process is not that rigid. Generally speaking, relevant stuff comes in. There are a couple of ways that we can advocate to keep specific lines of questioning and information out, but generally there are doors that are open and the advisors, the people who are sort of at the door have pretty wide latitude in seeking information. And again, this goes hand in hand with the loss of privilege and with the rules of evidence. You do lose control of information once you decide to put that out there. And you, as in conjunction with the survivor who is ultimately making an informed decision, there is a loss of information, a loss of control of the information. So again, the cat is sort of out of the bag. You can't put the cat back in the bag. And it's really important to think through with the survivor how they're balancing these benefits and risks in requesting that you as a sexual assault nurse examiner are going to participate in the hearing. Jesse, I saw you on mute. Would you like to chime in? So we were gonna move to this hypothetical. I'm just actually gonna go over it and kind of talk through some considerations. Jane the SANE works at the University Health Clinic. Jane gets an email from a campus investigator asking her to send him, the investigator, the victim patient's medical file, including all records, photographs, forms, test results, diagrams, documents, or any other information. What should Jane do if attached to the email was a signed release from the patient? So we have lots of questions, right? We don't know if the patient is a student, that would matter. We don't know if the University Health Clinic is only provide services to students, if that sort of student health center, or if it's an affiliation, but it provides broader, broader services to the community, to employees. So these are things that would help us figure out, okay, is this HIPAA, is this FERPA? And if it's FERPA, obviously you're asking for a treatment record and you wanna make sure that the student understands, or the patient understands what they are requesting and what the implications of that are. So I would also say here, you'd want to say, is this release really signed by the patient? And was it signed with informed consent? So those are some things to kind of think about. Then we shift over to, Ruth, you cut out there. I'm sorry, what's the last thing you heard? You shift over to, and then you got quiet. I'm sorry, sorry about that. Thank you for telling me. We shift over to if our answer becomes any different if Jane is a school employee. And if Jane is a school employee, that puts us solidly under FERPA and not HIPAA, unless of course the victim patient is not a student. So these are just considerations to think through when you are faced with some of these scenarios in your own work. Sometimes it's a matter of saying, I need to know more information about this. I need to know more information about this in order to talk to the patient about what they're making the decision about. Like, what are those implications? How can I inform them so that they can be empowered to make a decision that feels right for them? And in summary, we talked a lot. HIPAA and FERPA protect victims' privacy in general. Ruth, you're cutting out. You wanna take over? Sure, I'll just jump in. Okay, sorry, I don't know what's going on. No, it's okay. I know you're talking, but basically like we said, I mean, we've touched on this point, right? They have different privacy protections. Something that we just imply, but I think we didn't expressly say, which is that if you have a student, excuse me, a campus-based health clinic that provides services both to students and to employees, then for the students, of course, those are FERPA, but to the employees, FERPA will not apply because they're not students, so they're not gonna have education records. And I'm not gonna go into more detail other than that. And then just, of course, I'd be able to identify the risks and the benefits and to discuss them. And we are, I think, right at the top of the hour or the half hour. So if you wanna just go to the next slide, we did not save time for questions, but I know we got to a lot of them throughout the webinar in today's presentation. And then, of course, we just wanna thank you for all of the work that you all do. We really truly mean it when we say that, we stand in such admiration and gratitude, and we know about the amazing support you provide for survivors, and we're so grateful. Yes, absolutely. I don't know if you can hear me, but thank you very much for having us, for chiming in with your questions. And I'm sorry we don't have a lot of time now, but that is our contact information. So if you have further questions, feel free to reach out to us, and we'll be happy to think more about this, because there's- Back over to you, Sarah. Thank you. Thank you both so much. Thank you all for joining today. If you do have further questions for Ruth or for Jessie, please don't hesitate to reach out. You can also reach out to me, and we can coordinate that connection.

Health Information Portability and Accountability Act

HIPAA

Family Educational Rights and Privacy Act

FERPA

patient privacy

student privacy

protected health information

education records

disclosure requirements

privacy rights

safeguarding privacy

treatment records

campus hearings

webinar

Jessica Midland

Ruth Vaughn

student survivor privacy

disclosing medical records

SANE nurse

informed decision-making

Victim Rights Law Center webinar

privacy implications

disclosure

medical records

survivor-centered care