For decades, the Judge Rotenberg Center, a school for children with developmental and behavior disorders in Canton, Mass., employed brutal methods to discipline students, including electric shock therapy. My colleague, Heather Vogell, and I anticipated that government data on student complaints would shed light on the school’s practices, but realized that student privacy laws protected those records from disclosure. By requesting the records with certain personally identifiable information removed, we were able to abide by the law and still document incidents of harsh punishment at the school.
Most journalists who cover health or education struggle to obtain government records and data that are vital to our stories and have compelling public interest. While some agencies are reasonably accommodating, others exploit every loophole or gray area in the law to deny public records requests—or delay in the hope that the journalist will move on to another story and stop bothering them. Health and education records are especially elusive because of federal laws that protect the privacy of patients and students.
ProPublica has often negotiated with or contested rulings by government institutions to pry data out of them. Our persistence has led to groundbreaking findings, such as our analysis of birth complications for our “Lost Mothers” series. Over the years, I have amassed a variety of tips and tricks on how to overcome or circumvent these restrictions. I shared the following strategies last week with more than 1,200 reporters at the National Institute for Computer-Assisted Reporting (NICAR) conference.
The federal Freedom of Information Act (FOIA) allows records officers to deny your request under nine restrictions, or exemptions. They protect records related to national security, internal agency rules, trade secrets, internal agency memos, personal privacy (also known as (b)(6) or exemption 6), law enforcement, banks, oil and gas wells, and any records that are exempt under other laws. States also have open records laws, and their exemptions frequently echo federal restrictions.
Two key federal laws protect the private information of patients and students: the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA). Along with exemption 6, these laws are commonly cited in denials of health and education data requests.
HIPAA, a 1996 law, aims to make it easier for health care organizations and companies to use electronic records so that medical data can quickly be transferred. It applies to health care offices and institutions (for example: doctors, clinics, nursing homes, pharmacies, universities, insurance companies and more), as well as any organization that electronically transmits health care data, including schools, prisons, and detention facilities.
HIPAA’s privacy protections last 50 years after a patient dies. After death, an executor or surviving family member may decide whether to disclose personal health information.
Enacted in 1974, FERPA protects the privacy of student’s “education records” and limits disclosure. Federal funds may be withheld if schools violate FERPA. Because nearly all public K-12 schools, colleges and universities receive public funds, nearly every educational institution in the country is covered by FERPA. The protected data includes information such as student or parent names, addresses, Social Security numbers, fingerprints, place and date of birth, as well as educational records.
If a data set has been “de-identified,” HIPAA’s privacy rules do not apply. There are two methods for de-identification: “safe harbor,” which suppresses fields that reveal personally identifiable information, and “expert determination,” which relies on experts to verify that there is a limited risk of identifying patients.
Organizations covered by HIPAA are allowed to create data sets containing protected health information that may be disclosed for research purposes, with the understanding that the researcher signs a data use agreement. Some agencies give journalists access to limited- or restricted-use data sets, as long as they abide by the same rules as researchers.
Depending on the school or school system, you may still receive “directory information,” which describes aspects of a student’s educational record that would not “be considered harmful or an invasion of privacy if disclosed.” It typically includes: name, address, phone numbers, emails, photo, participation in activities or sports, dates of attendance, major field of study, grade level, enrollment status, weight and height of athletes, degrees, honors or awards and most recent educational institution attended. Under the law, parents may request to remove their child’s information from a directory.
To sidestep FERPA restrictions, you may be able to request aggregated data or for the personally identifiable fields to be redacted or removed. Sometimes, as with HIPAA, an entity will require a journalist to sign a data use agreement. Many of the same tips related to HIPAA apply.
Have any additional questions? Feel free to email Annie at [email protected].
