
Presentation to the Board of Education, Wadsworth City Schools;
regarding proposed policy 5512.01;
delivered at the Regular Stated Meeting, March 13, 2017

This document would argue there are a variety of issues with the proposed policy as written.
These issues are hereby presented as a courtesy to the students.

1.) Policy Conflict with Acton v. Veronia in regards to prescription medication/medical marijuana

The proposed policy as written doesn't address what happens when a student has a
prescription for one of the tested drugs.

On September 8 Ohio's Medical Marijuana program will become an active part of Ohio law. After
that date it is possible that there will be students covered by the proposed policy who will have
an Ohio medical marijuana card and therefore a legal right to consume marijuana.

As the board attempts to solve this problem, it will need to figure out if a student who is a
medical marijuana card holder/has a prescription for a listed drug has to disclose to the school
that they are one, or if the student declares to the MRO that they are a card/prescription holder.
The MRO would then suppress the positive drug result from the school.

The latter was floated by the court in Acton v. Veronia as a potential protocol should the school
district be testing for prescription drugs for which a student may have a legitimate prescription,
without having to disclose the prescription to the school.

The school board could consider the merits of having both methods available: whereby a
student can either disclose the medical marijuana card/prescription to the district, which then
doesn't test for the drug/ignores a positive result, and/or disclose the medical marijuana
card/prescription to the MRO, who suppresses the result. That way the student can choose the one
they are most comfortable with.

Because of the novelty of medical marijuana in Ohio, the board is asked to note it explicitly in
the policy.

For completeness in the process of authorization/consent, the board should identify tested
drugs which may have a prescription available.

2.) FERPA compliant consent [1]

This document would argue that the language presented to students/parents in both the
proposed policy as well as the consent forms [2] is not FERPA compliant.

[1] As the reader will discover, this document argues that HIPAA compliance overrides FERPA for
the proposed program.
[2] Given that the policy appears to be a copy of Medina's policy, this document assumes that the
proposed consent forms are similar to Medina's.

FERPA compliance would require telling the student/parent that FERPA applies to the
information being collected, which sections of FERPA/CFR apply, and that FERPA rights (which
are identified) are being waived in some way by signing the consent forms.

3.) FERPA compliance for students who are 18

After age 18, protections, rights and privileges under FERPA transfer from the parents to the
student. Therefore, in order to maintain consent compliance with the proposed policy, the student
would have to be presented at age 18 with a new consent form in which they are the autonomous
agent.

4.) HIPAA vs FERPA

Under normal circumstances school districts need not worry about HIPAA: any medical records
generated by a school or a vendor selected by the school are educational records under the
older FERPA act.

This document will argue that:

1.) The structure of the contractual relationship and the consent thereof established by Acton v.
Veronia suggests that health care services are being acquired by the student and not
necessarily on behalf of the school

2.) The drug testing records are not maintained by the school. The laboratory, vendor and MRO
create and maintain the bulk of the health care records (and undoubtedly share them via
electronic means, a key HIPAA trigger), which are then filtered by a combination of those
entities and only positive results are returned back to the school. This 5512 protocol therefore
has a health care provision chain which creates HIPAA protected health information (PHI)
which the school doesn't collect.

3.) At its most severe, the data record is a series of scientifically accurate lab reports, held by
that lab, collected over a period of five years of a minor's life, with a diagnostic array of a dozen
different tests held for as long as ten years after the date of the test.

4.) This scientific test is so accurate and precise that it is only available from 30 labs in North
America, two of which are in Canada (including the closest to Ohio) and two of which are federal
installations which are not open to samples from the general public.

3.) That while there may be gray area regarding HIPAA vs. FERPA, the district should, as an
obligation to its students in regards to data protection, model the 5512 protocol so that it is
HIPAA compliant, because only HIPAA compliance carries the security protections necessary for
a health care provision chain this complicated in an era of increasing attacks against health
care systems.

5.) Health care services provided under 5512 are optional and non-compulsory, therefore
not covered by FERPA

The court in Acton v. Veronia set up a requirement whereby the student/parent have to consent
to this health care service, and that they further consent to the disclosure of information
resulting from the service to the school.

In consequence, the protocol has been structured so that it is the vendor giving a service to the
student: the vendor chooses the students for the service via lotto, the student interacts with and
signs a vendor form, the vendor handles the collection, the vendor processes the sample/sends
the sample to a vendor chosen laboratory, the vendor (through an MRO) responds back to the
parent and the district.

Because this consent structure differs from a normal in-school health provision, the argument is
much stronger that the service is being provided for the student and not the school.

The fact that it happens randomly, on school grounds, and under school district contract does not
change the fact that this is an opt-in service which is not occurring on behalf of the school as an
educational institution, which has no ability to compel students to enter into this service on a
purely academic basis. [3]

6.) HIPAA triggers and compliance

However, if any part of the health care provision chain triggers HIPAA, then it is the
understanding of this document that there are circumstances under which the entire health care
provision chain must be HIPAA compliant. [4]

The main potential trigger comes in the form of electronic communication: if any part of the
health care provision chain transmits protected health information in electronic form [5], then a
HIPAA transaction has occurred and the provision chain must be compliant.

This document would argue that the point at which this would most likely occur would be
between the laboratory and the school vendor. While the school vendor may specialize in the
provision of drug testing services to schools, and not provide those services in a way that would
trigger HIPAA compliance, the laboratory is almost certainly operating as a normal health care
laboratory, that is to say that it is providing other types of health care services to its clients.
Laboratory personnel would be testing student biological samples in one area, and in another
area, samples from patients in a hospital. For convenience and compliance purposes, the
laboratory would likely operate as a normal health care provider which would include electronic
storage and transmission of health data, standardized billing codes and HIPAA compliant
protocols.

[3] For example, the records created by a public health nurse who provides immunization or
other health services to students on school grounds or otherwise in connection with school
activities but who is not acting on behalf of the school would not be education records under
FERPA. Joint Guidance on the Application of the Family Educational Rights and Privacy Act
(FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To
Student Health Records. US Department of Health and Human Services, US Department of
Education, accessed from https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf
[4] HIPAA compliance may also be triggered by electronic billing between the vendor and the
laboratory or the vendor or the laboratory storing information/lab results.
[5] This also includes billing information which is a key trigger.

Therefore the entire drug testing chain is covered under HIPAA and providers under the chain
must be HIPAA compliant. This includes the school district, its employees and the protocols for
this program.

This makes sense: the health care provision chain extends quite some distance from the
school and mingles with the greater American health care system.

7.) Distance of health care provision chain for the proposed policy

To illustrate the distance, the closest SAMHSA accredited lab is in London, Ontario (4 hours, 45
minutes driving time, 303 miles). The closest in the United States is in Philadelphia
(approximately 6 hours, 15 minutes driving time, 414 miles). The fact that student biological
samples and their medical data may be traveling across an international border (and
certainly will be crossing state borders) reinforces the importance and legal obligation of full
HIPAA compliance. [6]

8.) Proposed rules and HIPAA

It may be possible to create a drug testing program which evades HIPAA. The board could write
the rules to require that vendors operate in such a way so that HIPAA is not triggered. However
it is likely difficult to find a laboratory which would not trigger HIPAA but was certified as an
accredited laboratory under SAMHSA and HHS regulations.

9.) HIPAA compliance urged for data security/cybersecurity/data protection

However the district is urged to write the proposed rules and protocols to be HIPAA compliant.

[6] Should the vendor be using the London, Ontario lab, it is possible that students/parents will
have rights under the Ontario Personal Health Information Protection Act of 2004 (Ontario
Regulation 329/04) (PHIPA) because they may be data subjects under that law. Such rights
would naturally exist as long as the lab in Canada maintained the lab results. Given some
likelihood that this lab may be used, the board is strongly encouraged to include PHIPA
information in the policy where necessary in order to ensure truly informed consent is made.
Trans-border medical security/privacy/data protection issues may also be answered in HIPAA
rules.

Canada is a signatory to the Convention on the Rights of the Child, from which may come
further student/parent rights (at least the treaty would inform PHIPA interpretation.) The United
States has signed but not ratified this treaty, creating a curious grey area in regards to this type
of health care transaction.

If indeed Canadian law strengthens student/parent data rights, an argument could be made that
the board is obligated to stipulate the use of the Ontario lab. If they didn't, the consent
forms/policy would reasonably have to indicate why the board decided to forego the stronger
protections afforded by Canadian law/using the Ontario lab.

The FERPA act dates from 1974 and has a simplistic vision of data security (data protection). In
1974 schools (and institutions generally) may have had computers holding private information
but they were not connected to any other computers in an internet-like network. Therefore
FERPA's data protection is basic and is little more than "data must be held confidentially."

HIPAA statutes date from 1996, and its regulations from 2002. They were codified in the internet
era, when computers were networked with each other and Congress/federal officials knew that
sensitive data would be passed between health care providers electronically. HIPAA establishes
security/data protection rules which reflect the modern reality. This compliance is complicated
and involved but it is the correct response to the complexities of passing sensitive data between
different health care providers.

Given that the health care provision chain extends away from the school districts, HIPAA
compliance is both legally required as well as desirable: student health data demands the
maximum data protections offered by the modern HIPAA compliance standards. Failure to do so
may subject the district, its personnel and vendors to civil and criminal sanctions. [7]

10.) Healthcare records are targeted by cyber-hackers

Cyberattacks will cost hospitals more than $305 billion over the next five years and one in 13
patients will have their data compromised by a hack. And a study by the Brookings Institution
predicts that one in four data breaches this year will hit the healthcare industry.

The recent study by Brookings showed that, since late 2009, the medical information of more
than 155 million Americans has been exposed without their permission through about 1,500
breaches.

The Brookings research demonstrates that the healthcare sector is uniquely vulnerable to
privacy breaches. [8] [9]

11.) Policy language related specifically to cybersecurity breaches

A cybersecurity breach should be planned for in the policy so that students/parents know
what to expect should a cybersecurity breach happen.

[7] The lowest sanction tier (unknowing violation) is $100/violation. The next tier (reasonable
cause) is $1000/violation.

HIPAA complaints may be made by any member of the community who knows of a violation, a
public-interest-litigation-like feature.
[8] "Hackers are coming for your healthcare records -- here's why," Computerworld, June 30,
2016, accessed from http://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-healthcare-records-heres-why.html
[9] A recommended primer on this subject is the Institute for Critical Infrastructure Technology's
report "Hacking Healthcare IT in 2016" which is available from
http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-20161.pdf

The board is advised to include the following in the policy in order to ensure it is
security-by-design:

* that the vendor is required to inform the school district within a certain time frame that a
cybersecurity failure has occurred
* when students/parents/the community will be similarly informed of the breach
* what the vendor's responsibilities are in case of such a breach
* whether the vendor will be providing credit monitoring and for how long (one year? until the
minor reaches adulthood?)
* vendor/district/laboratory liability for damages.

12.) Consent under HIPAA rules

HIPAA codifies a more modern and complicated vision of health care consent than the 1970s-era
FERPA Act or the Supreme Court did under Acton v. Veronia, which dates to 1995 based on
circumstances from 1991. [10]

For example, under FERPA it is the parents who have autonomy for student educational records
until the student is 18.

This is not necessarily the case with HIPAA, which recognizes agency of the minor in certain
circumstances:

A minor is considered "the individual" who can exercise rights under the rule in one of
three circumstances. The first situation -- and the one that is likely to occur most often --
is when the minor has the right to consent to health care and has consented, such as
when a minor has consented to treatment of an STD under a state minor consent law.
The second situation is when the minor may legally receive the care without parental
consent, and the minor or another individual or a court has consented to the care, such
as when a minor has requested and received court approval to have an abortion without
parental consent or notification. The third situation is when a parent has assented to an
agreement of confidentiality between the health care provider and the minor, which
occurs most often when an adolescent is seen by a physician who knows the family. In
each of these circumstances, the parent is not the personal representative of the minor
and does not automatically have the right of access to health information specific to the
situation, unless the minor requests that the parent act as the personal representative
and have access. [11]

HIPAA consent is always retractable by a minor, a feature not found in the draft language.

This document is unable to determine if it is possible to create a consent form and protocol
which simultaneously meets the standard established by Acton v. Veronia and is also HIPAA
compliant due to HIPAA's differing concept of consent. The district will have to consult with
HIPAA compliance specialists to develop a compliant protocol.

[10] The second case of note, Pottawatomie v. Earls, also predates HIPAA rule enactment.
[11] "The HIPAA Privacy Rule and Adolescents: Legal Questions and Clinical Challenges," from
Perspectives on Sexual and Reproductive Health, volume 36, issue 2, March-April 2004, pages
80-86, accessed at https://www.guttmacher.org/journals/psrh/2004/hipaa-privacy-rule-and-adolescents-legal-questions-and-clinical-challenges

This document suggests that the primary form not be called a "consent form" but instead
"Authorization to receive health care services."

13.) Issues with waiver of liability language

This document argues that the waiver of liability language at the end of the (Medina) consent
form is illegal and unconscionable. The court in Acton v. Veronia did not waive district or vendor
liability for the drug testing program. For the district to include waiver language which is not legal
and misleads lay people and minors invalidates the consent form by misinforming
students/parents about what they are consenting to. The consent form and its protocols therefore
do not inform students/parents sufficiently and would not achieve a reasonable standard of
informed consent.

The board is encouraged to disclose limits of liability and who is liable (district/vendor/
laboratory) as part of the protocol. HIPAA compliance helps determine these issues.

14.) Purpose language does not note success or lack thereof of school drug testing programs

In order to obtain reasonable consent/authorization from the community as well as those directly
affected by the proposed policy, the policy should include citations to the variety of studies
available on effectiveness of school-drug testing and the results. [12]

A lack of citable research is notable. [13]

15.) Policy should include alternatives for data protection objectors

As used here, a "data protection objector" is a student/parent who declines to participate for
reasons of data protection -- security, cybersecurity, privacy, dignity, etc.

Alternatives to participating in the covered activities do exist. For instance, a student interested
in acting may be encouraged to participate in a community theater as opposed to the school
drama program. A student interested in cheerleading may participate in an off-school
cheerleading squad.

As part of the issues of completeness of the policy, the board is encouraged to add a list of
alternatives for data protection/cybersecurity objectors.

[12] The only large -- and professionally defensible -- study conducted to date on the efficacy of
drug testing concluded that these programs have no statistical effect on student drug use.
Valparaiso Law Review, "When the Cure is Worse than the Disease: Student
Random Drug Testing & Its Empirical Failure," Volume 44, Number 4, pages 1055-1082,
accessed from http://scholar.valpo.edu/cgi/viewcontent.cgi?article=1071&context=vulr
[13] This document chooses not to evaluate the wisdom or lack thereof of the proposal.

This way, students and parents can fairly evaluate the trade-offs of participation in the program
and the students are truly assenting to the program in an informed way.

16.) Educational benefits of a well-devised policy

Critical reading and accepting complicated contracts is a modern part of life. The reality is that
minors are regularly asked to read and accept sophisticated legal contracts (such as for the
driver's license, or for social media platforms).

The board has the opportunity to present students with a model contract as a teaching moment.

Students should be naturally suspicious of contracts which are presented to them. It is an
essential life-skill and should be welcomed as a part of the curriculum.

17.) Sophistication of audience in regards to authorization forms

As mentioned above, lay persons and children as young as twelve will be giving assent to the
program based on the language found in the policy and its forms. That creates a substantial
obligation on the part of those who will be preparing the language, particularly if they have
licensure requirements for legal and ethical conduct in regards to their positions/offices they
hold.

Language which is complete, fair, unbiased, thorough and accessible is expected. The forms
should be handed out attached to the policy. Return of the assent forms should happen no
earlier than 72 hours after the policy/form packet was distributed. A system to ensure that
consent was freely given and not coerced should be established (one idea: require that the
student appear in front of a notary.)

The policy as written is inadequate.

18.) The obligation to establish a pattern of drug use

The US Supreme Court in Acton v. Veronia approved the suspicion-less drug testing program
based on a severe, intractable drug use problem among its student population which the school
district documented in order to establish a powerful, compelling interest to justify overriding of
key amendments of the US Constitution.

The proposal as written establishes only a prophylactic motive for the policy.

As a sign of respect to the children of the community, the board is requested to establish a
pattern of problems, if any, that justifies the policy beyond a proactive approach. If none exists,
that should be clearly documented, as it departs from Acton v. Veronia, which is cited as
precedent.
