The University will not release information on the location of individual COVID-19 cases due to privacy laws, a University spokesperson said. But experts say the laws wouldn’t prevent UT from doing so.
Spokesperson J.B. Bird cited federal privacy laws such as the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act as reasons to not disclose information about COVID-19 cases and where the infected individuals are, either on or off campus.
FERPA is a federal law that protects the privacy of education records such as individual college transcripts and academic integrity files, and HIPAA protects individual health information, journalism associate professor Amy Sanders said.
LeRoy Rooker, former director of the United States Department of Education’s Family Policy Compliance Office, said a school can identify the number of COVID-19 cases in a certain residence hall without violating FERPA because it would not identify any students.
“(FERPA) protects student records,” Rooker said. “(The University) couldn’t disclose it in a way that would identify a student. If it is generic and can’t be linked back to a student … it’s not going to be subject to FERPA.”
Within the UT system, UT-Dallas is the only school that reports the number and locations of COVID-19 cases on campus on its website.
Frank LoMonte, director of the Brechner Center for Freedom of Information at the University of Florida, said colleges would not be penalized under FERPA for reporting statistical information that has no names attached to it.
“The courts have been all over the map in interpreting it, so there is a lot of legitimate confusion about what it covers,” LoMonte said. “Colleges are famous for opportunistically defining it either very broadly or very narrowly, depending on what suits their purpose.”
Susan Hochman, University Health Services associate director for assessment, communications and health information technology, said the University performs COVID-19 tests and is therefore a healthcare provider subject to HIPAA. Hochman said the University follows the Centers for Disease Control and Prevention guidelines, which does not require the University to inform an entire residence hall about cases.
“UT works with Austin Public Health to determine what is the appropriate level of detail to release that meets the minimum necessary with respect to the goal of preventing transmission of a communicable disease,” Hochman said.
HIPPA only prevents healthcare providers from releasing medical records that identify an individual, Sanders said.
Bird said the University is also following the guidance of the Clery Act and the U.S. Department of Education, which directs universities to make notifications of immediate threats to the health or safety of campus.
“UT believes it is complying with those directives, and we are not aware of any Clery guidance that mandates sharing location information of individuals,” Bird said. “Sharing such information runs the risk of violating medical and federal privacy law.”
Rooker said any information that does not lead to the identity of any individuals, such as location information, does not violate FERPA.
Guidance from the Department of Education regarding the Clery Act says public higher education institutions are not required to “give regular, on-going updates on COVID-19 or to proactively identify positive COVID-19 cases within the campus community.”
LoMonte said the Clery Act mainly applies to violent crime or immediate threats to public safety, which could apply to a pandemic but is not a very precise statute.
“When you have a judgment call to make, and the judgment call is, ‘Do we err on the side of protecting people's health, or do we err on the side of a privacy law?’ It does not feel like that should be a difficult judgment call,” LoMonte said.
