To be successful, Early Hearing Detection and Intervention (EHDI) programs require individually identifiable information about children to be shared among people who are responsible for screening, diagnosis, early intervention, family support, and medical home services. Pediatricians and other stakeholders in the EHDI process often point to federal laws that were passed to ensure privacy and confidentiality in health care and educational programs as major obstacles to achieving efficient and effective EHDI programs. In this article we summarize the provisions of 3 federal laws (the Health Insurance Portability and Accountability Act [HIPAA], the Family Education Rights and Privacy Act [FERPA], and Part C privacy regulations of the Individuals With Disabilities Education Act [IDEA]) that most directly affect information-sharing in EHDI programs. We suggest strategies for sharing the information needed to operate successful EHDI programs while remaining in compliance with these laws, including obtaining signed parental consent to share information between providers, including an option on the individual family services plan for parents to permit sharing of the plan with pediatricians and other providers, and giving copies of all relevant test results to parents to share with providers as they wish.
More than 95% of newborns are now being screened for hearing loss.1 However, progress in diagnosing children who are deaf or hard-of-hearing (DHH) before 3 months of age and enrolling them in appropriate intervention services before 6 months of age has been more problematic. According to the Centers for Disease Control and Prevention,2 only 57% of infants who did not pass a newborn hearing-screening test in 2007 could be documented as completing a diagnostic evaluation, and only 58% of those who were diagnosed as DHH could be documented as being enrolled in an early-intervention program. These percentages have changed little since the beginning of the decade.3
Although every state has now established an Early Hearing Detection and Intervention (EHDI) program, it is clear that efficient communication among the various stakeholders (eg, screeners in the birthing hospital, pediatricians, audiologists, early-intervention providers, parents, and others) is perceived to be a major obstacle to achieving the goals referred to above.3,–,6 For example, in 2007 the National Center for Hearing Assessment and Management conducted a survey of state EHDI program coordinators to determine the extent to which they thought that the Health Insurance Portability and Accountability Act (HIPAA)7 and the Family Education Rights and Privacy Act (FERPA)8 interfered with their ability to create and operate an effective EHDI system. EHDI program coordinators in the 50 states and territories responded,9 and 51% of them said that HIPAA created problems in completing audiological diagnoses of infants who failed the hearing screening, whereas 62% said that the HIPAA interfered with enrolling children who are DHH in early-intervention programs. With respect to the FERPA, 32% of the respondents said that it caused problems in communicating important information to early-intervention providers, and 70% said it caused problems in getting information back from early-intervention providers. Similar findings were reported after a nationwide evaluation of EHDI programs funded by the Maternal and Child Health Bureau, which is reported elsewhere in this supplemental issue.10
Some of the problems noted by state EHDI coordinators are based on misunderstandings of what these laws require. As pointed out by Mark Rothstein, JD, chair of the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality, “misunderstanding of the HIPAA requirements, and concern about sanctions, [are] leading to defensive practices by those in possession of protected health information. Among these practices was a reported decline in public health reporting… [that is] permissible under HIPAA.”11
The purpose of this article is to summarize the requirements of the federal laws that most directly affect sharing of information among pediatricians and other stakeholders in EHDI programs and suggest ways in which such programs can be efficiently operated and still be in compliance with these laws. Particular emphasis will be placed on issues that affect pediatricians and other health care providers.
DEFINING PRIVACY LAWS AND REGULATIONS RELATED TO EHDI PROGRAMS
Federal laws that most directly affect how EHDI stakeholders are able to share information include the HIPAA,7 the FERPA,8 and Part C privacy regulations of the Individuals With Disabilities Education Act (IDEA).12 It should be noted that a state law cannot take away any of the rights or protections that are guaranteed by these federal laws. This was noted with respect to the HIPAA (but is equally applicable to the other laws) by Joy Pritts, JD, of Georgetown University in her testimony before the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality:
“In general, the HIPAA Privacy Rule preempts contrary provisions of state law, ie, those where a covered entity would find it impossible to comply with both the state and Federal law or where the provision of state law stands as an obstacle to the accomplishment and execution of the goals of the Privacy Rule. However, contrary state laws that are ‘more stringent’ than the HIPAA Privacy Rule are not preempted… the Federal rule defines the term ‘more stringent’ generally as meaning that the state provision provides a person with greater rights of access to his own health information.”13
The relevant aspects of the HIPAA, the FERPA, and Part C privacy regulations as they apply to EHDI programs are summarized in Table 1 and are discussed below.
Passed in 1996, the HIPAA was designed to ensure health insurance coverage for workers and their families if they change or lose jobs. Title II of the HIPAA includes the “privacy rule,” which was designed to protect the privacy of individually identifiable health information, which is referred to in the law as “protected health information.” The HIPAA establishes conditions for protected health information use and disclosure by those who are required to abide by the HIPAA provisions (known as “covered entities”). According to HIPAA regulations, a health care provider who conducts any medical business electronically, including billing, is covered by the law and required to abide by its requirements.14 In practice, this means that practicing pediatricians as well as anyone who is paid to provide screening, diagnosis, or any type of early-intervention services for children with hearing loss would be considered “covered entities.”
According to the HIPAA privacy rule:
“Signed consent” must be obtained to use personal information for marketing or research.
Signed consent is not required for
health care providers to exchange information with other health care providers for health care or medical service delivery purposes; or
sharing personal information for public health purposes (such as surveillance of newborn hearing screening and follow-up intervention).
Patients must be informed of the intention of the health care provider to share personal information with other health care providers, and providers must keep a record of any personal information that is shared.
The FERPA of 1974 is a federal law that protects the privacy of students' education records. Any educational program that receives funds from the US Department of Education must abide by the provisions of this law. School nurse or other health information records on children served under the IDEA are also considered educational records and are covered by the FERPA.
According to the FERPA:
Except as noted below, signed consent is needed for education program staff to share any personally identifiable information from a child's educational records, including student identification number, race, ethnicity, gender, and nationality.
Signed consent is not needed
to share general contact information about a child (ie, name, address, enrollment status, dates of attendance at school, honors and awards, etc) if the educational agency informs parents at least annually of their intent to share such information and gives individual parents the opportunity to object to such information being shared;
when personal information is shared directly with the student or other school officials within the same institution when there is a legitimate educational interest (eg, enrollment or transfer matters or financial aid issues); or
when it is necessary to protect the health or safety of the student or other person, such as in circumstances of abuse or neglect.
IDEA Part C Privacy Regulations
Under Part C of the IDEA, the US Department of Education provides funds to each state to assist in establishing a comprehensive system of early-intervention services for children with disabilities who are 0 to 3 years old.12
Once a child is referred to the Part C program, a “participating agency” (which includes the lead agency, early-intervention service providers, and any other individual agency or institution that “collects, maintains, or uses personally identifiable information” as part of the Part C service system) must obtain previous written parental consent before disclosing personal information about the child or his or her family to any person or entity outside the Part C system. Because Part C programs receive money from the US Department of Education, they must comply with the FERPA, but the Part C privacy regulations go beyond what is required by the FERPA. Part C privacy regulations have the following stipulations related to sharing personal information.
Previous written parental consent is needed for anyone in a Part C participating agency to share personal information with any individuals or entities that are not a part of the Part C system. The FERPA provision that allows agencies to share general contact information about students if annual notice is given is not allowed under Part C.
The Part C confidentiality provisions do not apply until a child is referred to Part C; thus, signed consent provisions do not apply when an EHDI program refers a child to the Part C program. Part C regulations expressly provide that anyone who suspects that a child under the age of 3 has or is at risk of having a disability is obligated to refer the child to Part C. If the referral source is an educational agency that is subject to the FERPA, Part C expressly permits the disclosure of information under the FERPA for purposes of “child find.”
When obtaining parental consent, the early-intervention service provider must ensure that the consent (a) describes the activity for which consent is sought, (b) specifically identifies the information that will be released, and (c) identifies to whom information will be disclosed.
Signed consent is not needed for Part C agencies to share a child's information if
information is being shared with a “participating agency” within the Part C system (to be considered a “participating agency,” the entity must have a significant role in multiple components of the Part C system [eg, child find, multidisciplinary evaluation, public awareness, comprehensive system of personnel development, etc]); or
disclosure of personally identifiable information is necessary to protect the health or safety of a child or other individual.
HOW DO THE HIPAA, THE FERPA, AND PART C PRIVACY REGULATIONS AFFECT PARTICIPANTS IN THE EHDI SYSTEM?
EHDI programs must comply with all of the privacy regulations described above. However, many of the perceptions that state EHDI coordinators have about restrictions and problems caused by these privacy laws are simply not correct. For example, because the HIPAA expressly allows for sharing of information among health care providers to facilitate health care services and for reporting personally identifiable information requested by public health programs, there is nothing in the HIPAA that prevents screening-program personnel from reporting screening results to other hospitals, state EHDI programs, pediatricians, or Part C early-intervention programs. All of this can be done without obtaining informed consent from the patients. However, because well-informed patients are better patients15,16 and because it is important for patients or clients to know what is being done with their data, it makes sense to inform parents before their data are shared with anyone. Although it is not legally required under the HIPAA, one of the best ways to ensure that patients are informed is to have a signed consent form.
The Part C privacy regulations (which incorporate but go beyond the requirements of the FERPA) are much more restrictive than those of the HIPAA. It is important to remember, however, that Part C privacy regulations are not in force until the child has been referred to or received services from an agency that is receiving Part C funds. Thus, in most cases, the screening and diagnosis of hearing loss and the referral to an early-intervention program will be completed before Part C privacy regulations become a concern. Once a child has been referred to Part C, though, information about that individual child, including whether he or she is participating in the Part C program, cannot be given by the Part C program staff to the screening program, the audiologist who performed the diagnostic evaluation, or a pediatrician unless the parent provides informed consent.
In most cases, both the HIPAA and Part C regulations would prohibit giving information about the child (including name, contact information, or status in the program) to a family support group unless permission to do so is obtained from the family. The exception would be if the family support group is considered a participating provider in the state's Part C early-intervention system.
IMPROVING INFORMATION-SHARING IN EHDI PROGRAMS AND COMPLYING WITH FEDERAL PRIVACY REGULATIONS
Although a significant number of state EHDI program coordinators see federal privacy laws as a major stumbling block when ensuring access to and coordination of services in EHDI programs,9 many of these concerns are based on misinformation. For example, the HIPAA does not restrict sharing of information among health providers for purposes of providing health care, even when parents have not given informed consent. Thus, virtually all information-sharing among health care providers related to screening, diagnosis, and referral to the early-intervention system is not restricted by the HIPAA. Although Part C privacy regulations require signed consent to share information with nonparticipating providers, the following strategies can be implemented to ensure that appropriate information gets to those who need it. Examples of the forms and documents that can be and are being used by state EHDI programs to support many of these strategies are available at www.infanthearing.org/privacy.
Obtaining signed parental consent to exchange any personally identifiable information is an important method for ensuring that families are full partners and participants in screening, diagnosis, and intervention activities.
Coordinated consent forms that comply with the requirements of the HIPAA and Part C privacy regulations can be used to streamline the referral process and relieve parents of the burden of completing similar forms for essentially the same purpose.
Memoranda of agreements that designate EHDI programs as participating agencies of the Part C system can be useful for those cases in which EHDI is serving functions beyond being a primary referral source for child-find activities (eg, diagnostic procedures as part of the multidisciplinary evaluations, public awareness, provision of direct services, etc). This is particularly appropriate for those cases in which the EHDI and Part C programs are housed in the same state agency.
Parents should always be given copies of diagnostic evaluation results, treatment plans, individualized family service plans (IFSPs), and signed consent forms, which enables the parent to provide information at will and provide back-up documentation for services the child is receiving.
Although not required under the HIPAA, the FERPA, or Part C privacy regulations, state laws that mandate the reporting of screening, diagnostic, and early-intervention service information to EHDI programs and to the child's pediatrician are a useful tool to use to encourage sharing of appropriate information. Standard reporting forms and procedures and periodic training help reporting to be more efficient.
The IFSP should include an option for parents to give permission for the document to be shared with EHDI staff, the child's pediatrician, and other health care providers, which enables EHDI program staff to better monitor and improve services and the pediatrician to serve a supporting role in the child's intervention care. Including a place for parents to give permission on the IFSP also reminds parents on a regular basis of how information about their child is being shared and gives them a chance to adjust the plan so that it is consistent with their desires.
The procedures and forms outlined above cannot be effectively implemented without a concerted effort to develop strong interagency and interpersonal relationships among key stakeholders including EHDI programs, Part C early-intervention programs, the child's pediatrician, and family support groups. Consistent training is needed at the community level to ensure that all stakeholders understand the importance of consistently and accurately sharing information and helping families to be full participants in that process. In addition, families, pediatricians, and other providers should provide regular feedback to EHDI programs to guide quality improvement in ensuring that all children are receiving timely and effective hearing screening, diagnostic evaluations, and interventions.
The work reported in this article was funded in part by the US Department of Health and Human Services, Health Resources and Services Administration, Maternal and Child Health Bureau, under cooperative agreement U52MC04391 with the National Center for Hearing Assessment and Management at Utah State University.
- Accepted May 19, 2010.
- Address correspondence to K. Todd Houston, PhD, CCC-SLP, LSLS, Cert. AVT, Department of Communicative Disorders and Deaf Education, Utah State University, 1000 Old Main Hill, Logan, UT 84322-1000. E-mail:
The opinions expressed in this article are those of the authors and do not necessarily reflect those of the US Department of Health and Human Services or its components.
FINANCIAL DISCLOSURE: The authors have indicated they have no financial relationships relevant to this article to disclose.
- DHH =
- deaf/hard-of-hearing •
- EHDI =
- Early Hearing Detection and Intervention •
- HIPAA =
- Health Insurance Portability and Accountability Act •
- FERPA =
- Family Education Rights and Privacy Act •
- IDEA =
- Individuals With Disabilities Education Act •
- IFSP =
- individualized family service plan
- 1.↵National Center for Hearing Assessment and Management. State summary statistics: universal newborn hearing screening. Available at: www.infanthearing.org/states/index.html. Accessed June 10, 2009
- 2.↵Centers for Disease Control and Prevention. Annual EHDI data. Available at: www.cdc.gov/ncbddd/EHDI/data.htm. Accessed June 2, 2009
- White KR
- Liu CL,
- Farrell J,
- MacNeil JR,
- Stone S,
- Barfield W
- Boswell S
- 6.↵American Academy of Pediatrics, Joint Committee on Infant Hearing. Year 2007 position statement: principles and guidelines for Early Hearing Detection and Intervention programs. Pediatrics. 2007;120(4):898–921
- 7.↵Office of Civil Rights. OCR guidance explaining significant aspects of the privacy rule. Available at: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html. Accessed September 9, 2009
- 8.↵Family Policy Compliance Office. Family Educational Rights and Privacy Act (FERPA). Available at: www.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Accessed September 9, 2009
- 9.↵National Center for Hearing Assessment and Management. Addressing privacy regulations. Available at: www.infanthearing.org/privacy/index.html. Accessed September 9, 2009
- Shulman S,
- Besculides M,
- Saltzman A,
- Ireys H,
- White KR,
- Forsman I
- 11.↵National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality. Proceedings of the National Committee on Vital and Health Statistics. Available at: http://ncvhs.hhs.gov/031119tr.htm. Accessed September 9, 2009
- 12.↵Building the Legacy: IDEA 2004. Sec. 639 procedural safeguards. Available at: http://idea.ed.gov/explore/view/p/%2Croot%2Cstatute%2CI%2CC%2C639%2C. Accessed September 9, 2009
- Pritts JL
- Detmer DE,
- Singleton PD,
- MacLeod A,
- Wait S,
- Taylor M,
- Ridgwell J
- Copyright © 2010 by the American Academy of Pediatrics