Hackable: Schools and Children’s Private Medical Records
Part 2 in a series on privacy
The ethics literature on cybersecurity rarely focuses specifically on children’s data stored by or for schools. Critical analysis should inform an ethics debate over the collection, storage, and use of children’s medical records at the foundational level. Hackers have breached vulnerable websites of labs, insurers, and hospitals. While the cybersecurity ethical space applies multiple principles, critical analysis of pediatric data collection, use, and storage may call for a stronger application of the collection limitation principle. Additional considerations should inform an analysis of the data in education and the special vulnerability of children to wrongdoers who abuse or misuse personal information.
This post focuses on schools rather than on the ability of doctors to collect what is needed or even what is optimal for medical treatment.
Genetic and Medical Data in the Wrong Hands
The important ethical issues are wide-reaching: what is the extent of the ethical duty to keep records safe and confidential of society, parents, the medical community, education community, and government? The issues include whether children and young adults identify privacy differently or value it less (discussed in the next post); whether practicality is being used as an ethics consideration in school medical record-keeping; and the ethics of what medical information is collected, required, and stored, and where, and why.
Use-Based Concepts: Genetically Informed Education or Detrimental Tracking?
While few articles explore risks specific to genetic and cognitive data, one article addressing the use of genetic psychological and neurocognitive medical information in an education setting highlights the potential for abuse. An educational interest in predicting behavioral or cognitive differences that impact learning or engaging in the social aspects of school is arguably legitimate. But I argue educational legitimacy is not enough to justify collection, storage, or access to sensitive information by schools or electronic medical record.
The potential harms to students are too severe. They include bias and discrimination. The genetic disposition toward schizophrenia, low IQ, learning difficulties, aggressive or hyperactive behaviors does not make acquiring the condition inevitable. For example, some syndromes are highly linked to ADD or bipolar behaviors. Yet when not associated with syndromes, those behaviors tend to have many causes often involving multiple genes as well as environmental factors. Adapting the curriculum or adding special services may limit academic opportunities before symptoms appear. Even well-meaning proponents of genetically informed education could increase polarization and inequality. The concept of providing extra services early is proven in some areas, but is not consistently demonstrated in behavioral genetics. Early intervention for learning or physical disabilities commonly occurs after diagnosis normally sparked by symptoms.
One danger is that teachers could act on odds of success rather than personal performance. By having lower expectations when they know there are genetic predispositions toward behavioral problems that interfere with learning, schools could use the information to categorize people unfairly. Combining the data with other adverse circumstances could worsen the discrimination. For example, someone in poverty who is food insecure and has a genetic predisposition to depression, aggression, or ADHD may benefit from early attention to potential issues or they may be subjected to disparate treatment, singled out, and relegated to less competitive classes. In the end the latter approach could impede success. The genetic information could even increase the school to prison pipeline. Absent distinct symptoms, genetic data should not be used to warrant disparate treatment. If and when symptoms appear, parents, schools, and doctors may agree on a plan.
Education discrimination may result from stored (non-genetic) data that includes neuro-psych reports, treatments for neuro-cognitive conditions, and encounters with school psychologists. The exposure to mandatory reporters like school physical, occupational, and psychological therapists could increase due to recommended interventions. Interaction with mandatory reporters increases the likelihood of unnecessary parental surveillance.
The issue of what information to divulge to schools is overlooked as the prevailing assumption is that the school medical forms are an acceptable imposition or exception to privacy. That is, providing some information is the proper exchange for the ability to attend school. The system originated to protect the public from contagious diseases. The development of concussion baselines or neuro-psych reports push the rationale beyond public health and require different ethical justification. Critical thinking calls for questioning the assumption that the school needs quite so much health information. Records on special needs can be helpful for parents seeking the help of the school in organizing and providing services and could be provided at the parents’ discretion. But neurocognitive or neuro-psych evaluations may expose children to discrimination.
Often, parents provide such data in exchange for extra time on tests. That relatively new development can create stigma or a new status quo with its own set of issues. (For example, the data is unclear concerning whether the extra time phenomenon is related to learning and career success.)
On a relatively small scale, over 800 schools store health records with Magnus health in North Carolina. While they speak to cybersecurity and safe recordkeeping, like almost every data storage mechanism, the information might be or become hackable. Many cities store health records for public school systems and NYC has a vast vaccine records database. Throughout the country, all student medical forms are due annually plus there are seasonal sports forms and a few other permissions.
FERPA protects some medical records from being released to those other than medical professionals at schools although there are exceptions. HIPAA, adopted well after FERPA, exempted schools. FERPA and HIPAA are rights-based data privacy laws. Medical record cybersecurity is an ethical issue different from the general privacy that FERPA and HIPAA seek to protect. That is, the acts tend to require a level of care in keeping records secure, but allow for some record sharing and dictate what call for privacy. They are not foremost cybersecurity laws. Most of the new, stronger consumer data protection acts (that exclude health data) address privacy and cybersecurity and include liability provisions.
As with all data in a hackable world, people must consider the possibility of the entirety being hacked and identifiable. Whether held in a ransomware plot or simply dumped onto the internet, the private can become public. That worst case scenario highlights the need to justify the collection and storage of pediatric medical data for schools.
The AAP, Medical Records, and Storage
The American Association of Pediatrics recognizes vulnerability to ransomware and other cybersecurity risks and has genuine concern for patient privacy. The AAP tends to evaluate personal health records by their value to healthcare quality, a measure that is important as many people would consent to data collection for their own health. Yet even with a focus on consumer empowerment and privacy, organizations focusing on health may overlook the privacy risks and long-term consequences of a breach. By framing the potential for ransomware attacks as an inconvenience to doctors (or worse a danger to patients) needing to access files, some of the literature does not cover the special harms to children associated with misuse of data and inflates the value of convenience. (Future posts in this series cover additional personal harms of privacy breaches.)
Convenient Access to Records is a Topic of Logistics Not Ethics
The bioethics literature often weighs the practicality, convenience, and efficiency against the risks. I argue the framework should allow information storage for medical and bodily safety, but not solely for physician or school convenience. Some of the privacy frameworks do not adequately protect vulnerable children. I suggest that a framework for schools collecting data must consider wide-ranging principles in light of potential harms. The following are considerations:
- There is a limited legal protection preventing sharing certain forms submitted with school employees and teachers (as per FERPA) (FERPA does not address parents’ ability to discuss child’s medical or neurocognitive conditions with teachers as their discretion.)
- Need for ethical parameters for defining a “legitimate educational interest”.
- Could there be a larger role for parental or student explicit consent for schools to access medical records stored for schools? (e.g., should the nurse be able to access each child’s Magnus health records or just know that Magnus has the records…)
- Ethical justification is needed for each entry on the school medical form beyond immunization for communicable disease and activity clearance.
- Zero trust model of cybersecurity in schools.
- Openness principle must apply.
- The principle of accountability: who bears responsibility for a leak?
- Principled liability should ensure recordkeeping companies achieve cybersecurity. Security safeguards must be much more than “reasonable”, possibly best efforts. Objective standards from new privacy laws should be applied. (“Security safeguard principle” is not enough as it requires “reasonable”.)
- A data collection limitation principle must be applied to schools, but may not be right for doctors or in a patient’s best interest.
- Does a fear of liability underlie the increased pool of data required by the schools’ forms?
Revisiting FERPA, HIPAA, school, municipal, and state policies, these consideration reflect critical analysis. Whether a change in practice occurs, rethinking the rationales for schools’ collection and use of medical data is timely in light of increased hacking, cybercrime, and ransomware attacks. The opening for discrimination must not be forgotten in the drive to address non-school related social or medical problems at school. Access to medical care, universal preschool, healthy diets, and high quality air each may have a role in limiting the value of stored medical records to educators.