www.roanoke.com

The Virginia Tech shootings brought new scrutiny to the complex and little-understood laws that govern information privacy.

It was those laws, which some say university and health officials interpreted too timidly, that prevented anyone from getting a full picture of Seung-Hui Cho -- of his years of behavioral and mental health problems before he killed 32 teachers and fellow students, then shot himself -- according to a state review panel that issued its report in August.

But so far, the horrific events of April 16 have brought neither clarity nor change to privacy laws.

"The farther we get from the events of this year, the less attention seems to be paid to it," U.S. Rep. Bob Goodlatte, R-Roanoke County, said recently, adding that he remains hopeful that next year Congress will address concerns raised by the state review panel.

Virginia legislators preparing for next month's General Assembly session say that they, too, would like to act on some of the review panel's privacy recommendations. But they note that the major laws the panel cited are federal, and there's little the state can do to change them.

And not everyone agrees that privacy laws need to be overhauled.

"The procedures were in place to prevent this," Del. William Fralin, R-Roanoke, said of the Tech shootings. "We've got to clear up interpretation."

Legislating privacy has never been simple.

It was a Parade magazine article published amid the swirl of Watergate that arguably kicked off the modern era of privacy law.

Titled "How Secret School Records Can Hurt Your Child," the article decried the "easy flow of information -- from school to police to social agency." It was a description, coincidentally, that mirrored the transfer the state review panel suggested might have helped in Cho's case.

Despite this free flow of information, the article said, parents often could not see the files that schools kept about their children -- and what they didn't see might be harmful. The article listed such examples as a second-grader who was labeled as having "exhibitionist tendencies" because he'd come back from the restroom with his fly unzipped. The records of a 9-year-old described him as having homosexual leanings because he'd hugged a classmate.

The March 1974 article was spotted by a staffer for New York Sen. James Buckley, the Conservative Party member who earlier that month had called for President Nixon to resign.

The senator, who is the older brother of commentator William Buckley, swiftly attached an amendment to an education funding bill to give parents the right to inspect and contest records at any school, preschool through college, that received federal money. It also barred the release of most records without parental consent.

Without such protection, "Children may become permanent victims of their teachers' prejudices and misconceptions," Buckley told senators.

The Senate was preparing to impeach Nixon and held no hearings on the Buckley Amendment.

In May 1974, after what one historian described as less than an hour of discussion, the Senate approved Buckley's proposal. The House of Representatives passed a similar measure, and it was signed into law that August.

It would become known as the Family Educational Rights and Privacy Act, or FERPA -- one of Congress' first major pieces of privacy legislation and the first of the laws spotlighted by the Tech shooting review panel. It was a too-strict interpretation of FERPA and other privacy laws, the panel found, that kept information about Cho's conflicts with students and teachers and his mental health problems from being shared by various groups inside and outside the university.

Contacted recently at his home in Sharon, Conn., Buckley, now 84, recalled that the law he had described on the Senate floor as a "Freedom of Information Act for parents and children" sparked immediate complaints from schools. Administrators questioned how they could issue student directories or run an admissions process if recommendation letters were read by students.

Buckley said the uproar seemed overblown. He said he still suspects many initial questions about FERPA were "simply by way of protest."

He and Sen. Claiborne Pell, the namesake of the Pell grants many students use to help pay for college, crafted amendments to iron out what they took to be the major concerns. Over the decades, FERPA would go through a series of subsequent adjustments, such as the USA Patriot Act's requirement that schools provide records relating to federal investigations of terrorism.

Buckley said he saw his legislation as a needed support for parents. But he said he now regrets proposing it because it brought the federal government further into realms best left to states.

"I basically ended up launching a new regulatory regime," Buckley lamented.

It was never his intention that schools not share information about potentially criminal behavior, he said.

"It was a minor undertaking at the time," Buckley said of his amendment. "But it had major consequences."

'Protections ... just didn't exist anymore'

Fast-forward 20 years, past the passage of other landmark federal bills such as the U.S. Privacy Act, which attempted to define how federal agencies maintain and share records, and the Fair Credit Reporting Act, which regulated what information could be divulged in credit reports.

By the early 1990s, the focus of many information privacy efforts had shifted to medical records. Numerous media accounts warned how some hospital sites on the newly created World Wide Web made thousands of patient files easily accessible to anyone with a computer.

"There was this general feeling in the air the protections that used to be in place between you and your doctor just didn't exist anymore," remembered Paul Lombardo, who taught in both the medical and law schools at the University of Virginia.

Lombardo, who directed UVa's Center for Mental Health Law Training and Research, was particularly alarmed by stories about the use of psychiatric records in divorce cases and other legal battles. Lawyers were advising clients not to seek mental health treatment because they worried the records would be misused, Lombardo said.

Working under the auspices of the Virginia Bar Association, Lombardo helped form a committee of lawyers to seek consensus in three areas: clarifying patients' privacy rights, uniting privacy provisions scattered through the Virginia code and helping doctors understand their responsibilities.

"Just put some clear boundaries around what was private and what was not," Lombardo explained.

Lombardo drafted a proposal in 1995, then a second version a year later. In 1997, the General Assembly adopted it as the Virginia Health Privacy Act.

"A couple things happened," Lombardo recalled. "For one thing, people were really confused."

The bill's main point was that medical records usually could be released only with a patient's permission or when needed for treatment. Over time and with an education effort by the state, the health care providers and insurance companies to which the law applied seemed to figure it out, Lombardo said.

The Tech shootings review panel pointed to the Virginia legislation as a reason Cho's mental health history wasn't fully known by university officials or by mental health workers who evaluated him more than a year before the shootings. But Lombardo, now a law professor at Georgia State University, questioned whether having those records would have let anyone predict that Cho would become a killer.

"The pendulum always swings very, very far in one direction," Lombardo said of legislative response to tragedy. "And we always forget why we have protective records on the books. ...

"I think the idea that having a database of everyone's secret thoughts and everyone's childhood foibles will make us safer is false."

'Build a new system'

At the same time that Lombardo and the bar association committee were working on a Virginia medical privacy law, an effort was under way to craft federal rules.

In 1996, President Clinton signed into law the Health Insurance Portability and Accountability Act, or HIPAA. It regulated the electronic filing of medical bills, the transfer of medical records when people changed doctors or jobs and more -- including the privacy of medical records.

But the act included few details of how it would be applied. Years of rulemaking ensued, involving tens of thousands of public comments and consultations with industry groups.

The actual writing of privacy regulations was overseen by Peter Swire, who in 1999 and 2000 advised the president as the country's first chief counselor for privacy.

Now a law professor at Ohio State University, a senior fellow at the Center for American Progress and a legal consultant, Swire said the HIPAA privacy rules that eventually took effect in 2003 were a needed response to the medical industry's shift from paper to electronic records.

"The best time to build a new system is at the start," Swire said.

HIPAA's approach was similar to the Virginia Health Records Privacy Act in that most transfers of medical records were allowed only in the course of treatment or with a patient's consent.

But the myriad details of applying the law bewildered many health care providers. Stories of seemingly odd HIPAA interpretations abound -- from nursing homes' declining to allow birthday parties because it would reveal a patient's date of birth to hospitals' refusing to tell families if a relative had been brought there by ambulance.

Swire said he wished the Bush administration had not canceled an outreach effort to explain HIPAA. Regardless, confusion always accompanies rapid change, Swire said.

"Medical providers, especially mental health providers, were often cautious about sharing sensitive treatment information long before HIPAA," Swire wrote in an e-mail. "HIPAA is clear that information can be shared for treatment purposes. HIPAA did not, however, make any new requirements that data be shared."

For him, the most important part of the long effort with HIPAA was to make patients feel safe.

"Patients need to have confidence they can tell doctors the truth," Swire said.

'Not crossing that line'

If patients or parents or students felt safer under the overlapping privacy rules, institutions definitely did not.

While FERPA, the Virginia Health Records Privacy Act and HIPAA all have fairly straightforward goals, complications abound when it comes to actually applying the laws. Privacy regulations are filled with complex, often vague and frequently overlapping provisions.

The result, said the review panel and other observers, is that institutions interpret the regulations differently and many shy away from sharing any information -- even when the law allows it.

For example, FERPA, which covers not just grades but any document a school maintains that pertains directly to a student, states that parents' rights to inspect these records transfers to students once they attend college or turn 18. But it also says that parents who claim students as dependents on their taxes still may see records.

Yet many universities deny such parental access unless students sign a waiver, tying the requirement to FERPA's language that universities "may" -- rather than "shall" -- give parents records, Tech registrar Wanda Dean said. At Tech, students are told during freshman orientation that they can sign a waiver to allow parents or others see their records.

Buckley called such waivers one of the surprises that had cropped up in the decades since he proposed FERPA. He said he intended to give parents greater access to records and was disappointed that universities would continue to restrict it.

Similarly, there is little agreement on the threshold for invoking clauses in privacy laws that permit the greater sharing of records if individual or public safety is threatened. University officials and police told the Tech shooting review panel that privacy laws impeded sharing information about possibly dangerous behavior by students.

In contrast, a Florida panel commissioned after the Tech shootings to look at university practices in that state came to a different conclusion. "Those most closely involved in the fields of mental health law and higher education law held that the disclosure of a student's records without his or her consent is not prohibited" in connection with a health or safety emergency, the Florida panel reported.

While HIPAA covers most health records, those of university clinics remain under FERPA, which has slightly different rules for disclosing them.

And HIPAA and the Virginia Health Records Privacy Act bar an agency that receives medical records from disclosing them to anyone else, potentially inhibiting communications among schools, families, courts, police and health providers in cases such as Cho's, the review panel said.

For all the regulation, however, federal officials say penalties have never been imposed for violating FERPA or HIPAA. No institution has lost federal funding, the ultimate punishment under FERPA, and the steep civil penalties allowed by HIPAA have never been brought to bear. Instead, enforcement has taken the route of working with institutions to change problem policies.

Violating the Virginia Health Records Privacy Act could be prosecuted as a misdemeanor, but the Virginia Attorney General's Office could not say if it had ever been done because it would be local prosecutors who would pursue a case.

But it is not the lack of history of punishment that drives policy at institutions such as Virginia Tech, which depend on hundreds of millions of federal research dollars, said Del. Dave Nutter, R-Christiansburg, who has been a Tech administrator for decades. It is the potential to lose funding because of a FERPA violation.

"Like most big, bureaucratic institutions, they always err on the side of not crossing that line," Nutter said.

Tech officials have recently trumpeted improved communication within the university about problem students, but when it comes to FERPA, university spokesman Mark Owczarski said this month, "I don't think we've changed any of our policies."

'This "just say no" strategy'

Despite calls to simplify information privacy laws, little concrete legislative response has so far followed the Tech shootings.

U.S. Reps. Goodlatte and Rick Boucher, D-Abingdon, are backing a FERPA amendment proposed by Pennsylvania Republican Rep. Tim Murphy. Murphy's bill would let schools share certain information about students with their parents if a mental health professional said it would protect the student or others.

Murphy said the proposal was a response to both the Tech shootings -- Cho's family said they would have removed him from school if they'd known about his actions in the years before the shootings -- and to the suicide of a student from Murphy's district. In that case, which mirrored others around the country, parents were not notified when their child made repeated threats to kill himself.

"My concern is what is the barrier between colleges and parents. And many times the barrier is the fear of lawsuits," Murphy said.

Critics of Murphy's proposal, such as the American Association of Collegiate Registrars and Admissions Officers, say universities could invoke the safety provisions already in FERPA in cases where dangerous behavior seems likely without having to go the extra step of involving a mental health professional.

The House passed Murphy's proposal last summer but it has languished in the Senate.

Last week, Murphy, who is a child psychologist, said he plans to introduce a second amendment next year that would drop the requirement for having a mental health professional sign off on notifications to parents.

Murphy said his new proposal will require the education department to issue clearer guidance for when schools can contact parents and add a safe harbor provision to FERPA that will protect schools from liability if they disclose such information in good faith.

The safe harbor provision echoes recommendations from both the Virginia panel that looked into the Tech shooting and the federal reviews, Murphy said.

Another response to the Virginia review panel's recommendations is coming from the Virginia Attorney General's Office, which is creating a training program to help university lawyers interpret FERPA and HIPAA, said Tucker Martin, spokesman for the attorney general.

The state-appointed Commission on Mental Health Law Reform, which has been working since well before the Tech shootings, this month issued recommendations to modify Virginia law to specifically require health care providers to release records to the special justices who oversee mental health commitment hearings.

The commission also recommended that such hearings be closed to the public, although the outcome might be disclosed to individuals or agencies that argue they have a reason to know it.

Richard Bonnie, the commission's chairman and director of the Institute of Law, Psychiatry and Public Policy at UVa, this month called universities' reluctance to share information about troubled students "a complete misunderstanding" of FERPA.

He said as his commission learned how universities handle mental health treatment, "I was just flabbergasted to learn how this 'just say no' strategy had taken hold."

Lori Haas, whose daughter Emily was wounded April 16 and who has filed a notice preserving the right to file a lawsuit tied to the shootings, said the interpretation of information privacy laws are an especially frustrating aspect of her family's experience. After the shootings, a community mental health agency said that Lori Haas could not make a counseling appointment for her 20-year-old daughter because Emily is an adult and, under HIPAA, had to make appointments herself, Haas said.

And like the state review panel, Haas wonders what might have happened if Cho's family had been told of his behavior in the years before the shootings.

"I have a large problem with universities hiding behind FERPA. ... It was not intended to preclude parents from participating in their children's education, in their children's health."

Staff researcher Belinda Harris and staff writers Greg Esposito and Michael Sluss contributed to this report.