Frequently Asked Questions about U.S Federal Laws & Confidentiality for Survivors
The Confidentiality Institute & the Safety Net Project
at the National Network to End Domestic Violence
What this is:
This piece addresses common confidentiality questions about several U.S. federal laws that may impact victims of domestic violence, dating violence, sexual assault, and stalking. It highlights key confidentiality and privacy provisions in the 2013 reauthorization of the Violence Against Women and Department of Justice Reauthorization Act (VAWA) and the 2010 reauthorization of the Family Violent Prevention Services Act (FVPSA). With VAWA confidentiality provisions in mind, it also answers questions regarding the following U.S. federal laws: Title IX of the Education Amendments of 1972, the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).
In analyzing the meaning and application of the confidentiality and privacy provisions of VAWA, the purpose of the statute (to protect adult, youth, and child victims of domestic violence, dating violence, sexual assault, or stalking and their families) must be kept at the forefront. In general, these answers are intended for victim advocates employed by nonprofit or community- based agencies. Additionally, it is important that other partner agencies and professionals involved in co-located and coordinated community responses understand these answers. If you request information from another individual or agency, you want to be sure that any information you receive has been obtained properly. Many entities, including nonprofit advocates, must abide by strict legal confidentiality and privacy provisions when considering requests for information.
What this is not:
Confidentiality and privilege laws vary from one jurisdiction to another, as do other laws that may be impacted by VAWA legislation. The National Network to End Domestic Violence (NNEDV) is not an expert on individual state laws and does not provide legal advice to VAWA grantees. The analysis below is not intended to be a substitute for local, legal advice from an attorney who is familiar with a particular jurisdiction’s laws related to confidentiality and privilege of victim/victim advocate relationships.
Most significantly, the users of this piece should keep in mind that many situations are unique. These questions and answers are not to be taken as definitive answers to every circumstance that might arise for a victim or a domestic violence or sexual assault agency in regard to confidentiality and privacy. They are general guidance in how to think about the issues. If you have specific questions or situations that you wish to discuss further, please contact NNEDV’s Safety Net Project by phone: 202- 543-5566 or email: firstname.lastname@example.org.
Q: What is VAWA?
A: Initially passed in 1994, the Violence Against Women Act (VAWA) was the first U.S. federal legislation to acknowledge domestic violence and sexual assault as crimes. It provides federal resources to enhance investigation, prosecution, and community-coordinated responses.
Reauthorized in 2000, 2005, and 2013, VAWA is administered by the U.S. Department of Justice’s Office on Violence Against Women. VAWA 2013 reauthorized existing programs to combat domestic violence, sexual assault, dating violence and stalking, and created new programs and provisions to address the emerging needs of victims and communities.
Q: What confidentiality protections are provided by VAWA?
A: VAWA Section 3, 42 USC §13925(b)(2)(2016) became effective in 2006, and has a universal grant condition that requires VAWA grantees and subgrantees to maintain the confidentiality of personally identifying and individual victim information. This condition protects the confidentiality of anyone who requests or receives victim services from a domestic violence, sexual assault, dating violence or stalking program that receives VAWA funds. Failure to follow the VAWA universal grant conditions regarding victim confidentiality and privacy could result in a loss of funding. VAWA prohibits disclosure of personally identifying information or individual information collected in connection with services requested, utilized, or denied through grantees’ and subgrantees’ programs without the informed, written, reasonably time-limited consent of the survivor or when compelled by state law or court order. For more information about VAWA provisions regarding consent for releases of information, please see our materials, Survivor Confidentiality and Privacy: Releases & Waivers At-A-Glance and FAQ’s on Survivor Confidentiality Releases.
Q: VAWA has an exception for statutory or court mandates. What does that mean?
A: VAWA grantees and subgrantees are prohibited from disclosing any personally identifying information unless compelled by statutory or court mandate. Such mandates are the only exceptions to the VAWA confidentiality provision. To count as a “mandate” to breach VAWA confidentiality, the statute or court order should specifically address confidentiality and a public policy decision to require a breach of confidentiality.
Statutory mandates can differ greatly from one place to another because the statutory exception must be written into the state, territory, or tribal law. The most common statutory exception is the mandatory reporting of suspected child abuse or neglect, which may be found in many states’ laws.
If a statutory mandate (such as a mandatory reporting law) does require the disclosure of certain information, your agency must determine what the law actually requires in terms of: who must report, when they must report, what they report, and to whom they must report. Grantees need to: (1) limit the information released to the minimum required to meet the statutory requirement, (2) take steps to protect the privacy and safety of those impacted by the disclosure, and (3) make reasonable attempts to notify the victim about the disclosure.
Court mandates are specific orders given by a court of law. For example, in a state where victim advocate confidentiality is not absolute, a court may be allowed to order a release of specific information. Programs faced with a potential court mandate should consult a local attorney to determine whether a court order actually complies with local law. For more information about your individual state’s victim advocate confidentiality provisions, see our Summary of U.S. State Laws Related to Advocate Confidentiality.
Q: Is a subpoena for records a court mandated exception?
A: Generally not. In the vast majority of U.S. states, a subpoena is not a court order. Best practice in every state is to ask the court to quash (throw out) any subpoena that asks for a program’s records or for the program to answer questions about an individual. Responding to subpoenas can raise unique questions. For help in responding to subpoenas, programs should contact a local attorney with knowledge about both VAWA and state laws regarding confidentiality. Programs may also contact NNEDV’s Safety Net Project for resources to address subpoenas or to access training for local attorneys on this issue. See also, question 54 “What should our DV/SA program do if we get a subpoena” in our piece: FAQ’s on Survivor Confidentiality Releases.
Q: Did VAWA confidentiality change in the 2013 version of the law?
A: VAWA 2013 retained the strong confidentiality provisions and strengthened survivor control over when to give consent to share information. It also clarified that minors and people with guardians who are allowed to receive services without parent/guardian permission are also specifically allowed to sign their own informed consents for disclosure of information, and do not have to seek a signature from the parent or guardian. Additionally, grantees are prohibited from requiring victims to sign a consent to release personal information as a condition of receiving services.
FVPSA and Confidentiality
Q: What is FVPSA?
A: First authorized in 1984, the Family Violence Prevention and Services Act (FVPSA) is the only U.S. federal funding source dedicated directly to domestic violence shelters and services.
Administered by the U.S. Department of Health and Human Services, FVPSA was reauthorized as part of the U.S. Child Abuse Prevention and Treatment Act (CAPTA) through fiscal year 2015 and was signed into law on December 20, 2010
Q: How does FVPSA confidentiality differ from VAWA confidentiality?
A: With the 2010 amendment, the U.S. federal FVPSA confidentiality obligations (42 USC§10402) specifically parallel those of VAWA 2005 (because the 2013 changes had not happened when the 2010 FVPSA amendment was made). FVPSA prohibits their grantees from disclosing, revealing, or releasing any personally identifying information of survivors without their informed, written, and reasonably time-limited consent. As with VAWA, if victim information is disclosed pursuant to a court order or state statute, the release should be limited to the minimum amount necessary to comply with the statute/court order, the program needs to take steps to protect the privacy and safety of those impacted by the disclosure, and the program must make reasonable attempts to notify the victim about the disclosure.
Title IX and VAWA Confidentiality
Q: What is Title IX?
A: Passed in 1972, Title IX is part of the federal civil rights law and it prohibits discrimination on the basis of sex in federally funded education programs and activities. The US Department of Education has made clear that sexual violence and sexual harassment are forms of sex discrimination, and campuses have a duty to address violence and harassment.
Q: Does Title IX require a campus-based victim advocacy agency to disclose victim identifying information to the Title IX Coordinator or other campus administrators?
A: Probably not. The Office of Civil Rights (OCR) of the US Department of Education explicitly interprets Title IX to allow schools to offer confidential advocacy services to victims of sexual violence, domestic violence, and harassment. OCR also recognizes that victim services are often provided by people who are not professional counselors. Additionally, state law for practicing advocates may create a legal privilege and require that privacy be protected. “OCR does not require campus mental-health counselors, pastoral counselors, social workers, psychologists, health center employees or any other person with a professional license requiring confidentiality to report incidents of sexual violence in a way that identifies the student.” Finally, if a campus-based victim advocacy agency is receiving VAWA funding to provide victim services, VAWA prohibits disclosure of any personally identifying or individual information about victims without written, informed, time-limited consent of the individual. A campus administrative policy purporting to require disclosure is not an exception to VAWA unless it is a statute passed by a legislature or a valid court order.
Clery Act and VAWA Confidentiality
Q: What is the Clery Act?
A: The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery) 20 USC § 1092(f) requires all colleges and universities that participate in U.S. federal financial aid programs to keep and disclose information about crime on and near their respective campuses.
Q: The Clery Act requires college and university campuses to report crime data, which could include domestic violence, dating violence, sexual assault, and stalking. Does Clery require a campus- based victim advocacy agency to report victim identifying information?
A: No. A victim in a college or university community should still have the same confidentiality protections as someone outside of the campus setting. In terms of confidentiality, the strongest and most protective law is what should be followed. First, Clery only requires “campus security authorities” to report non-identifying information about criminal activity to college or university officials. Second, Clery does not override VAWA/FVPSA confidentiality provisions, so if a campus-based program receives VAWA or FVPSA funds, it is required to follow those federal confidentiality provisions. Third, in some states, the state victim advocate confidentiality/privilege law protections may apply to campus-based victim advocacy programs and may prohibit sharing information with campus security authorities.
Q: What provisions of Clery should I look at to better understand why non-security personnel are not required to report?
A: Even before VAWA provisions specified that personally identifying victim information shall not be disclosed, Clery regulations created similar protections. As clarified by the commentary, 64 Fed. Reg. at 59063 (Nov. 1, 1999), Clery regulations do not require counselors, pastors, individual faculty, physicians, or any other personnel that are not “campus security authorities” to report crime statistics. Rape crisis and domestic violence counselors, even those paid by the college or university, are not automatically considered campus security authorities and are thus not necessarily required to report criminal activity. By way of comparison, many campuses offer students prepaid legal services. If a student client tells a legal services attorney about a criminal act either committed by the student or of which the student is a victim, the legal services attorney is under no obligation to violate attorney-client privilege and reveal that confidential communication. Clery neither requires nor encourages breaches of privilege or confidentiality.
Q: Do campus security authorities have to report personally identifying victim information?
A: No. According to 34 CFR 668.46(c)(5), even the “campus security authorities” who are required to report crime statistics are prohibited from identifying the victim. Clery regulations promote victim privacy rights in a way that is consistent with the later more specific confidentiality provisions in VAWA 2013, Section 3 and FVPSA 2010.
Q: What is HIPAA?
A: The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law originally enacted in 1996 with extensive security and privacy regulations, which guides how medical providers must handle patients’ protected health information in the context of payment for services. HIPAA set out a national minimum standard for privacy of health information; state standards may provide more protections. HIPAA applies to medical records maintained by health care providers, health plans, and health clearinghouses, and to the maintenance and transmission of those records. The extent of the privacy protection for an individual’s medical information can depend on where the records are located and the purpose for which the information was compiled, and whether insurance payment is requested for a given medical procedure or service. See 45 CFR §§ 164.501 to 164.534.
Q: What is the HIPAA privacy rule?
A: The HIPAA privacy rule creates a minimum standard for protection of private, protected health information, regardless how that information is maintained (i.e., on paper or electronically)(45 CFR § 164.520), and describes permitted uses and disclosures, and when consent for disclosure is and is not required. See 45 CFR §§164.506 to 164.514.
Q: Is our domestic violence or sexual assault victim advocacy agency required to follow HIPAA?
A: Generally not. HIPAA regulations apply to “covered entities”, which are health plans, health care clearinghouses, and health care providers. Domestic violence and sexual assault agencies rarely fall into one of those three categories. If you want to determine whether your agency is a covered entity, answer the series of questions on the HHS website.
If you are a covered entity, you will be required to follow the specific HIPAA regulations, so you should seek help from an attorney in your community who specializes in health care law to be sure you are complying with HIPAA requirements.
Q: Which is the most protective: HIPAA, VAWA, or my state law?
A: Both HIPAA and VAWA are protective of personal information, but VAWA is generally seen as more protective, and having far fewer exceptions to confidentiality. State laws can vary, and may be more or less protective than either HIPAA or VAWA. In any event, advocacy programs should follow the most protective confidentiality law that applies to them. For a side-by-side comparison chart of HIPAA and VAWA on privacy, see Privacy in HIPAA, VAWA, & FVPSA: Different Laws, Different Purposes.
Q: What are some exceptions to HIPAA confidentiality?]5
A: HIPAA permits certain limited disclosures of protected health information when there is a risk of domestic violence, even in some circumstances where the patient does not consent to the disclosure. 45 CFR § 164.512. The HIPAA privacy rule provides for a permitted disclosure of protected health information about an individual whom the provider reasonably believes to be a victim of abuse, neglect, or domestic violence. When a provider makes a permitted disclosure, the provider is required to notify the individual of the disclosure unless informing the individual of the disclosure would place the individual at risk of serious harm. 45 CFR §164.512(c). Victims of domestic violence who seek medical help could be at grave risk if the fact that they sought help is revealed. Although HIPAA permits disclosure of protected health information of a victim of domestic violence without her consent in certain, limited circumstances, it does not require it, and advocacy agencies can help medical providers understand that they should rarely, if ever, share a victim’s protected health information without consent with government authorities unless absolutely required to do so.
Q: We’ve been hearing a lot of information about electronic health records. What does that mean for victims and confidentiality?
A: HIPAA sets out specific security standards for electronically maintained health information. See 45 CFR § 164.302 to § 164.318 (minimum requirements for administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and requirements for policies and procedures and documentation of electronically maintained protected health information). Victim advocacy programs should be aware of what the HIPAA regulations specifically require so that victim information can be as protected as possible.
Q: We’ve provided substance abuse and mental health services up until now, and now we have a VAWA grant. How can we be sure that we are complying with VAWA?
A: Generally, both VAWA and HIPAA protect private information. Your agency can comply with VAWA confidentiality provisions by never releasing any personally identifying information without an informed, written, reasonably time-limited release from an individual, unless, you are subject to a specific state-law mandated reporting obligation (such as child abuse or neglect reporting) or a court order. Our model Client Limited Release of Information Form is available in English and Spanish.
Q: What if the abuser wants access to a child’s medical records under HIPAA?
A: Under federal HIPAA regulations, the personal representative of a minor normally acts on behalf of a minor in regards to medical records. This means the personal representative (usually the parent) has a right to control access to the minor’s health and mental health records. However, health care providers may refuse to treat a parent as a personal representative (and thus refuse to provide the parent with access to the minor’s medical records) if the providers have a “reasonable belief” that: (a) The minor has been or may be subjected to domestic violence, abuse or neglect by the parent, guardian or other giving consent; or (b) Treating such person as the personal representative could endanger the minor; and the provider, in the exercise of professional judgment, decides that it is not in the best interest of the minor to give the parent, guardian or other such representative access. 45 C.F.R. § 164.502(g)(5). Victim advocacy agencies can provide training to medical providers on how to make this type of assessment more safely and accurately.
FERPA and VAWA Confidentiality
Q: What is FERPA? How does it protect a student’s personal and private information?
A: The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99, gives students the right to access to their education records, to seek to have those records amended, and to have some control over the disclosure of personally identifiable information from the education records. These FERPA rights are held by the parents of the student until the student turns 18 years old or enters a postsecondary institution7. Under FERPA, educational institutions are prohibited from sharing information in a student’s record with any person or institution without the student’s written permission, or that of her parent or legal guardian if she is under the age of 18. 20 USC § 1232g(b); 20 U.S.C. § 1232g(d). Whenever a school receives a request for records, it must notify the student, who may then deny or grant access. However, for adult/postsecondary students, educational institutions are also allowed to disclose student record information to parents if the student is being claimed on their taxes as a dependent under IRS rules, and there is no requirement that the school notify the student of the disclosure to the parent. 34 CFR 99.31(a)(8)
Q: How does FERPA compare to VAWA?
A: FERPA is, in many ways, less protective than VAWA. Although a student’s record cannot be shared without written permission of the student or parent or guardian, under FERPA, a lawfully-issued subpoena is a specific exception to confidentiality. If there is a lawfully-issued subpoena in a civil action, FERPA enables the disclosure of records upon notification to the student (so the student has an opportunity to object to the disclosure). If a school receives a lawfully-issued subpoena in connection with a criminal prosecution and a judge has ordered that there be no notification, then FERPA requires disclosure, even without notification to the student. 20 U.S.C. § 1232g(b); 34 C.F.R. § 99.31(9) (2010).
Q: Does FERPA apply to the preschool program we offer at our domestic violence agency?
A: Probably not. FERPA confidentiality requirements are tied to Department of Education funding, which would generally not apply to your preschool program. In any event, VAWA confidentiality practices regarding releases (informed, written, and reasonably time-limited) provide best practice for releasing educational information from a domestic violence agency’s preschool program as well.
Q: If we are required to follow VAWA and we reveal information about a client in violation of VAWA, can we be sued and ultimately held liable?
A: Yes. The agency could be sued by the client or former client, and could be at risk of losing VAWA funds if it does not follow VAWA confidentiality protections. By comparison, HIPAA has a specific civil rights cause of action for a violation of its privacy regulations. On the other hand, FERPA does not allow any civil action for damages by the student whose privacy has been violated.
However, if the violation has not yet occurred but is imminent, a victim may move for a civil injunction to prevent the school from sharing information.
 U.S. Violence Against Women and Department of Justice Reauthorization Act of 2013 (VAWA 2013), enacted as Public Law 113-4 on March 7, 2013.
 U.S. Family Violence Prevention Services Act (FVPSA 2010) reauthorized as part of the U.S. Child Abuse Prevention and Treatment Act (CAPTA) and enacted as Public Law 111-320 on December 20, 2010.
 Title IX of the Education Amendments of 1972, codified at 20 USCA § 1681 et seq.
 U.S. Health Insurance Portability and Accountability Act (HIPPA) originally enacted in 1996 as Public Law 104-191.
 U.S. Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
 42 U.S.C. § 13925 Definitions and grant provisions [http://www.ovw.usdoj.gov/docs/overarching_definitions.pdf] 7 U.S. Department of Education. “Frequently Asked Questions about FERPA” [http://www2.ed.gov/policy/gen/guid/fpco/faq.html] Last modified July 14, 2005.
 U.S. Department of Education. “Questions and Answers on Title IX and Sexual Violence”, E-3, pg. [http://www2.ed.gov/about/offices/list/ocr/docs/qa-201404-title-ix.pdf] Last modified April 29, 2014.