The September 11, 2001 attacks evoked a new era of national security and anxiety. The country responded with sweeping security measures that have sparked a growing concern over perceived violations of individual civil rights and liberties. This national debate surrounding the tension between national or organizational security and individual privacy can be especially complex when played out on one of the most widely recognized free speech forums: a university campus. Consider this hypothetical:
Jerry is a University student employed in the Student Center. He has had interpersonal problems on campus, including verbally abusive conflicts and non-violent confrontations with students regarding the U.S. military presence in the Middle East. Jerry is argumentative and disruptive in class, and has posted very negative remarks on social media and campus chat rooms about U.S. plans to maintain troops in Afghanistan.
Recently, Jerry came to class and reportedly appeared agitated. He made provocative comments critical of President Obama and students who disagreed with him. The professor asked him to stop or leave. Jerry stormed out, and later that night used a University computer in the Student Center to “anonymously” post angry tweets, including:
“Free Speech? Really? Let’s test this! Let’s kill the president…”
“Barack Obama, I wish you were DEAD!”
A reader became alarmed and contacted law enforcement, which determined that the tweets likely came from Jerry.
It is a federal crime to knowingly and willfully threaten to kill, kidnap, or inflict bodily harm upon the U.S. President. Law enforcement contacted the campus and asked to review:
- Jerry’s academic student records, including the courses he has taken and grades received;
- Jerry’s medical files, if any, in the custody of the University; and
- All electronic communications by or to Jerry in the University’s possession.
How should the campus respond?
- Can/should the University allow access to Jerry’s academic student records, including the courses he has taken and grades received?
- Can/should the campus allow access to Jerry’s medical files, if any, in the custody of the University?
- Can/should the campus allow access to Jerry’s electronic communications in the University’s possession?
- Does Jerry have First Amendment (freedom of speech) or Fourth Amendment (privacy) rights that are impacted by the investigation?
This hypothetical touches on four key legal issues that college and university administrators and campus law enforcement regularly face as they balance their responsibility for campus safety with protection of individual rights and liberties:
- Access to student records
- Access to campus medical records
- Access to electronic communications
- Protected speech and privacy rights
1. Can/should the University allow access to Jerry’s academic student records, including the courses he has taken and grades received?
Answer: Probably Not.
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records from unauthorized disclosure. FERPA likely prohibits the University from sharing Jerry’s academic records without his prior written consent unless one of FERPA’s exceptions is met. FERPA applies to all schools that receive designated federal education funds. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level (“eligible students”). Parents or eligible students have the right to inspect and review the student’s education records maintained by the school.
Generally, schools must have written permission from the parent or eligible student to release any information from a student’s education record. Of the eight major exceptions to FERPA’s prior written consent requirement, two are relevant to this hypothetical. One exception permits disclosure in connection with a health or safety emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. Disclosures under this exception must relate to an actual, impending, or imminent emergency, rather than an emergency for which the likelihood of the occurrence is unknown. The school may also disclose education records if it determines there is an articulable and significant threat.
The University should probably not allow access to Jerry’s academic student records because the threat: 1) is vague and conditional; and 2) does not indicate an actual, impending, or imminent emergency. However, the school has discretion in determining what constitutes an emergency. Because Jerry has been outwardly disruptive in class and has made repeated threats of violence against President Obama, the school may have a rational basis to conclude that allowing law enforcement to view Jerry’s academic student records is necessary to protect the health of President Obama and others. But it is questionable how the disclosure of the courses Jerry took, and the grades he received, is necessary to prevent an emergency.
The University may also disclose Jerry’s student records if law enforcement provides the school with a judicial order or lawfully issued subpoena. Under this FERPA exception, the school must make a reasonable effort to notify Jerry before disclosing the records, unless the disclosure is in compliance with: a) a federal grand jury subpoena; b) any other subpoena issued for a law enforcement purpose; or c) a subpoena or an ex parte order obtained by the Attorney General.
2. Can/should the University allow access to Jerry’s medical files, if any, in the custody of the University?
Medical records made, maintained, and used in connection with Jerry in his capacity as a student are covered under FERPA. While these records are not “education records,” if the school wishes to disclose them for purposes other than treatment, such as to assist in a law enforcement investigation, they may be disclosed as education records under one of the enumerated exceptions in FERPA.
However, Jerry’s health plan with the University is likely in his capacity as an employee, and therefore his medical records would be covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA addresses the privacy and security of protected health information (PHI); limits the manner in which PHI can be used or disclosed by covered entities (most health care providers and plans); and limits permitted uses and disclosures to the minimum necessary. Under HIPAA, a health care provider must have a signed disclosure from the affected individual before giving a third party any information on provided health care.
Covered entities must: allow patients to inspect their own medical records; allow patients to request that their records be amended if they disagree with their content; allow patients to request that information in their records be restricted from use or disclosure without permission; and keep a record of the persons or organizations to whom they disclose patients’ records.
Colleges or universities covered by HIPAA must: a) identify a contact person who patients or health plan enrollees may contact for medical records privacy questions and who the Office for Civil Rights (which is charged with enforcing HIPAA privacy regulations) may contact regarding compliance; b) implement a policy governing medical records privacy and distribute a notice to patients or health plan enrollees outlining privacy policies and procedures and explaining patient/enrollee’s rights; and c) review the use and disclosure of medical records and parties with whom records are shared.
HIPAA violations may result in civil penalties, including monetary fines, or criminal penalties, (including jail sentences and significant monetary fines). Health care providers may disclose PHI if they believe good faith disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Similar to FERPA, HIPAA permits disclosure of medical records in compliance with a judicial order or subpoena.
The University may disclose Jerry’s PHI if the University believes in good faith the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Thus, similar to the analysis under FERPA, the analysis under HIPAA turns on how conditional Jerry’s statements are, and whether the University has a rational basis to conclude that the medical records would help prevent an imminent emergency. When disclosing PHI pursuant to a valid nondisclosure exception, the University must make a reasonable effort to minimize the disclosure of PHI to the amount necessary to accomplish the intended purpose of the disclosure.
3. Can/should the University allow access to Jerry’s electronic communications in the University’s possession?
Answer: Probably not.
If the messages are posted online on a public forum, Jerry has no expectation of privacy in those statements and they may be disclosed to law enforcement without a court order or subpoena. The Stored Communications Act (SCA) is a federal law that addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records” held by third-party internet service providers (ISPs).
The SCA provides statutory privacy rights for customers and subscribers of computer network service providers to protect and regulate the privacy interests of network users with respect to government, network service providers, and the world at large. It creates a code of criminal procedure that law enforcement must follow to compel disclosure of stored communications from network service providers; regulates voluntary disclosure by network service providers of customer communications and records; and prohibits unlawful access to certain stored communications. Anyone who obtains, alters, or prevents authorized access to those communications is subject to criminal penalties.
Any entity that provides others with means to communicate electronically can be a “provider of electronic service.” An electronic communications service is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” Under the SCA, an entity providing an electronic service to the public may not knowingly divulge the contents of a communication while electronically storing that communication. An entity providing a remote computing service to the public may not knowingly divulge the contents of any communication which is carried or maintained on that service. A provider may disclose the contents of a communication to a government entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
Generally, a university that provides electronic services to students or faculty does not provide electronic services “to the public” and may freely share the content of electronic communications under the SCA. However, electronic communications that are maintained by a university may be considered “education records” under FERPA as its definition of “records” includes computer media.
Here, if a University employee, such as an IT employee, has access to the electronic messages, then the messages are “maintained” by the University. Electronic messages maintained by the University would fall within the definition of education records, and the University must adhere to the requirements of FERPA. Therefore, a campus may not disclose student records contained in email messages or other electronic communications without satisfying the requirements of FERPA.
4. Does Jerry have First Amendment (freedom of speech) or Fourth Amendment (privacy) rights that are impacted by the investigation?
Jerry’s First Amendment rights are not implicated unless his speech is restricted, or he is punished or prosecuted for his speech. Thus, an investigation probably does not trigger Jerry’s First Amendment rights until he is actually punished for his speech.
A higher education institution may prohibit speech that constitutes a “true threat,” if the speaker meant to communicate the speech with a subjective intent to commit unlawful violence to a particular individual or group of individuals.
A university may restrict harmful or offensive speech if it constitutes a “material and substantial” disruption to school activities. Jerry’s provocative statements in class may or may not have risen to this level depending on how severely another student is likely to be affected by the statements.
It would be harder for the school to punish or restrict Jerry’s speech on Twitter because such speech is outside the classroom. However, Jerry’s statements are very offensive, so if they were placed on a message board where students were likely to view them, such as campus chat rooms, they may constitute a “material and substantial” disruption to the educational process.
Jerry has no expectation of privacy concerning statements he posts on a public message board. Private electronic communications, however, are protected by the Fourth Amendment and the SCA.
”Jaffe Dickerson is a Shareholder at Littler Mendelson in the firm’s Century City office. Corinn Jackson is Knowledge Management Counsel at Littler Mendelson in the firm’s Century City office.