College Students Aren't Always Given Medical Privacy

What you say in therapy can get passed to parents, college administrators, and even job prospects.
Woman sitting in a therapy session
Garo/Phanie/Getty Images

Imagine yourself in this situation: Your anxiety and depression have gotten worse this semester, and classes are only getting harder. When your phone alarm goes off in the morning, you’re just as likely to stay in bed as you are to get up. It’s hard to admit, but you’ve even found yourself drawn to self-medicating with the benzos in your medicine cabinet.

One day, you notice an ad in the campus paper all about how the school cares about your mental health. On a whim, you book an appointment with an on-campus therapist. It’s anonymous, and better yet, it’s free. You finally feel like you’re on the first stone of a good path. After a few more sessions, however, you get a panicked a call from your parents, asking if you’re okay, and preparing to come pick you up. You feel blindsided. The only person you told was the campus therapist—and that conversation was supposed to be private. Wasn’t it?


Can on-campus therapists share what I tell them during a session?

Campus therapists indeed can and do share. But let's back up: Seventy-five percent of all mental health conditions start by a person's 24th birthday. Odds are high that a person will enter college with a pre-existing condition or develop one while they’re a student, and those who seek help won’t enjoy the privacy they’d expect off-campus. The fine print says not to count on records having iron-clad privacy from parents, faculty, and even school-hired lawyers if counseling ticks any of the boxes that’d give the school the right to share them.

Colleges are often excluded from the federal privacy law people encounter in nearly all other aspects of life: the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The reason your employer doesn’t know about, say, your chronic stomach problems or your prescription for herpes antivirals is, in short, HIPAA. Nearly all mental health and non-cosmetic medical interactions that involve transmitting patient information electronically for health insurance reimbursement have to adhere to the HIPAA Privacy Rule and Security Rule. But if a college provides free on-campus therapy to students and doesn’t file electronic health insurance claims, HIPAA goes out the window.

Weren’t my records supposed to be mine alone?! you might think. You’ve been to the doctor tons of times, and you remember signing the paperwork the first time you turned 18. If the letters “HIPAA” don’t ring a bell, the clauses about privacy do. But your on-campus visits weren’t covered by HIPAA. They fall under a different set of rules most young people have never heard of. Part of the confusion is that HIPAA overlaps with an older federal privacy law called 42 CFR Part 2 (we promise we’ll only mention that once) when substance abuse is involved, and both of those can collide with a third law that applies exclusively to public schools and colleges that receive federal funding: the Family Education Rights and Privacy Act (FERPA). That’s the one we’re going to focus on.


What’s the difference between FERPA and HIPAA?

In HIPAA-covered situations, even disclosing the fact that a person went to a clinic is off-limits, and merely publicizing a bill for payment of services would alert people that the patient sought help. But under FERPA, college students’ mental health records are classified legally as less-private. For a student who goes to a FERPA-covered on-campus clinic or therapy session, the fact that they attended falls under FERPA's “education records” and not its more restrictive “treatment records." That means the school can disclose to parents, potential employers, graduate programs, and others schools (if the student is applying to transfer) that the student attended the clinic without having to ask for the student's permission or notifying them.

While FERPA defines a student over 18, or who attends a school beyond the high school level, as a patient in primary control of his or her medical records' privacy, it also gives an educational institution the discretion to alert state and local law enforcement or parents if a therapist, psychiatrist, or psychologist believes the person is a danger to others, says Michael Arrigo, a HIPAA expert witness and managing partner with No World Borders.

This is true with HIPAA too—but unlike with HIPAA, FERPA stipulates that if parents declare an over-18 student as a tax dependent, they can request and receive mental health records from the college without needing the student's permission, and in situations that aren't deemed immediately life-threatening. Some students fear their parents will pull them out of school or prevent them from seeking any further help if they find out they've been seeing an on-campus therapist (and sometimes those fears are well-founded).


When exactly does HIPAA apply instead of FERPA?

If universities were clearer about these differences, it’s plausible that some students might pick an off-campus therapist instead. But would that guarantee your privacy? The distinction of when HIPAA applies and when FERPA applies is razor-thin. If a student seeks therapy at the Yale-University-associated Yale New Haven Hospital, for instance, which files health insurance claims electronically, it's covered under HIPAA and not FERPA, Arrigo says. But if the student seeks free therapy on-campus at another federally funded university that doesn’t file insurance claims electronically, it's covered by FERPA and not HIPAA.

More from Tonic:

Colleges, lawyers, and mental health organizations create thousands of pages in policy handbooks attempting to clarify how FERPA works because the official explanation is pretty unclear: It states that student records can't be shared without the student's written permission. But it also states in the fine print, contradictorily, that they can be shared without the student’s permission in certain emergencies where the student poses an imminent threat. Colleges have the discretion to decide what amounts to an “imminent threat.”

Because of the Virginia Tech shooting in 2007, FERPA's mental health privacy wording was changed to broaden that discretion, or at least make it clearer to the counselors who had to make that judgment call. Lawmakers were concerned that students' right to privacy limited university therapists' ability to take preemptive action when they believed a patient was dangerous. Seung Hui Cho's mental instability was well-known and documented to the college administration before he murdered 32 students and faculty.


But the August 2007 report to Tim Kaine, governor of Virginia at the time, said there was a breakdown in communication of Cho's mental state among the administration. It found the college misunderstood FERPA's exception, based on Virginia state law, for intervening when there was credible belief that a patient posed a threat, and that Virginia Tech missed a chance to prevent or lessen the severity of the shooting.

Prior to the shooting, Cho had seen a counselor over threats he’d made, but the counselor denied that he had serious intent, Arrigo says. “Therefore, if true, Virginia Tech should have acted immediately,” he says, “but could have argued that it did not have a duty to warn because, in a follow-up meeting with Cho, they didn’t believe he had the intent or ability and that the threat was not imminent.” It wasn’t that FERPA’s existing policies were at fault. Rather, Virginia Tech interpreted them in a way where they chose not to alert law enforcement, although they could have done so legally.

What recent changes have been made to FERPA?

On January 8, 2009, several amendments to FERPA took effect. Many believed FERPA's privacy protections had been an impediment at Virginia Tech, so the changes made gave colleges greater leeway to disclose mental health information when there was a “rational basis” on which to assume that an emergency existed, rather than previous language that required more strict proof that a threat was imminent. Along with that comes less clarity about what might be considered an “imminent threat”—and the subsequent release of students' private information.


There’s no measure of how much information has been released under FERPA guidelines, before or after the 2009 amendments. It’s often so secretive and determined on a case-by-case basis that students themselves aren’t even aware, and schools don’t want it publicized.

“Improperly, you can start to operate under this assumption that just because someone has a mental health condition, we should consider them a danger to society, and of course that's not true,” Arrigo says. “I think people are going to be more likely to (seek treatment) if they know their privacy rights aren't being compromised.”

Secretary of Education Betsy DeVos' Federal Commission on School Safety wrapped up its final session on August 28, 2018, during which it heard testimony to further relax FERPA's privacy rules. Attorney General Jeff Sessions, for example, had implied in a July 11 session that too much privacy surrounding school mental health records encourages school shootings, and argued that schools should be able to talk about students' specific mental issues “pretty openly" among resource officers, counselors, principals, and teachers.

Did the therapist think that I was a danger?, you might wonder. What did I say that could have made them think that? You’ll probably never know. These decisions are made behind closed doors. Colleges aren’t always forthcoming when it comes to sharing their decision-making with students. There’s a lack of research on how transparency affects whether students seek help and whether schools are able to recognize and prevent mental-health-induced violence.

In other words, most people involved in this debate are speaking from the gut. Reputable experts have put forth compelling arguments, but it’s still speculation, for the most part. One side argues that privacy is holding back colleges from stopping mass shootings, even though FERPA hardly describes privacy in concrete terms at all. Rather than define it better, some people want to loosen it again instead.

“The risk that you run is that if everything is always shared, [are] some students who are law-abiding and are never going to hurt anyone going to lose their privacy rights in the process?” Arrigo asks, echoing the debate that surrounds the federal commission's upcoming decision. “It's a question that needs to be asked as we go through this process.”

Sign up here to get advice and true stories about mental health in your inbox every week.