Bar News - October 19, 2016
Lessons for NH Lawyers from the Virginia Tech Massacre
By: Jennifer de Lyon Stralka
Editor’s Note: Jennifer Stralka represented her family members in settlement negotiations arising from a negligence suit against the Commonwealth of Virginia following the murder of her cousin, 20-year-old Matthew La Porte, during the April 16, 2007, shooting at Virginia Tech. See related article.
One of the most difficult parts to grasp about the massacre at Virginia Polytechnic Institute & State University was that neither the school, local and state police, nor the university, saw it coming.
This was despite the fact that the shooter, Seung-Hui Cho, was well known both on and off campus for evincing highly disturbing and violent behavior towards himself and others. Critical failures surrounding Cho’s mental health treatment and the university’s response to his behavior contributed to the massacre, with the main factors being: 1) serious flaws in a number of applicable federal and state privacy laws and misunderstandings as to their breadth and scope; 2) decentralized processes; and 3) a lack of institutional organization and communication regarding Cho’s behavior. All of the aforementioned were identified in a 2007 report issued by the VA Tech Review Panel, which demonstrated that the massacre could have been prevented.
The legal lessons gleaned from the VA Tech tragedy included some proactive measures that could help spare New Hampshire from facing a similar tragedy. Astonishingly, as of 2015, New Hampshire was one of only a few states that had not experienced a mass shooting in the United States. However, the statistics overwhelmingly suggest that such a shooting here is imminent. Hence, the question for New Hampshire is not “if” but “when.”
Background of Violence
and Mental Illness
The specific question posed by several legal, mental health and law enforcement experts is: How could Cho – despite his violent tendencies – fall so far between the cracks that no one could see the danger posed by his behavior? Cho’s mental health records provided warning signs as to his deteriorating mental state, including these, as identified in the VA Tech Review Panel Report:
1. Cho was diagnosed with selective mutism in eighth grade (a social anxiety disorder that inhibits one from speaking, especially when there is the expectation to speak) and an inability to make eye contact with others, including family members.
2. Following the Columbine High School Massacre, Cho remained transfixed by the shootings and wrote a paper for his high school English class titled, “Repeat Columbine.”
3. In high school, Cho was placed in special education under the “emotional disturbance” classification after being evaluated by a child psychiatrist.
4. Cho’s guidance counselor, knowing his difficulties, urged him not to attend a large school like VA Tech due to a fear that it would lead to difficulty in transitioning.
5. Cho in 2005 and 2006 displayed troubling behavior and violent themes in his writing, resulting in many of his classmates refusing to attend class.
6. Cho’s persistent and unwelcomed advances to a female student gave rise to stalking and resulted in Cho being asked to stop by campus police.
7. Soon thereafter, Cho threatened to kill himself and was involuntarily hospitalized after a health screening indicated he was mentally ill and a danger to himself and others.
8. He refused to comply with a court order to seek outpatient counseling.
Notwithstanding the gravity of the above, there were many missteps taken by the university, mental health professionals, and others. What follows is a summary of the major arguments that were raised to demonstrate what could have been done differently to prevent the tragedy, including:
Federal Privacy Laws
The lack of understanding of federal privacy laws – intended to strike a balance between protecting one’s privacy and disseminating necessary information – resulted in key players being unware of their ability to access and share critical information that could have led to preventive, life-saving actions. The Health Insurance Portability and Accountability Act (HIPAA) protects an individual’s mental and physical health information from disclosure (whether orally or in writing), yet the privacy protections are not absolute, despite what various “covered entities” and others had thought in treating Cho. (Pursuant to HIPAA, a covered entity refers to health plans, health care clearinghouses, and health care providers that conduct covered transactions electronically. Mental health practitioners who are employed by schools may be covered by HIPAA; however, this is not completely clear under the law. Specifically, some schools consider their mental health professionals to constitute “covered entities,” while others don’t).
To illustrate, when Cho was involuntarily hospitalized at a psychiatric facility in 2005, as described in the VA Tech Review Panel’s Report, a court ruled that he presented an “imminent danger to self and others,” which justified his temporary detention order. Notwithstanding, he was let go after being evaluated by a state mental health physician and ordered to seek outpatient counseling because these entities did not have access to information on Cho’s past history of mental illness.
As a result, Cho was never involuntarily committed, as it was clear that without vital information, the court and Cho’s treating physicians were not able to fully appreciate the severity of his situation. Note that several criticisms were raised regarding the fact that perhaps due to HIPAA, pertinent information was not given to those involved in the commitment hearing as to Cho’s mental health background, which if available, may have resulted in Cho being more aggressively treated. A clearer understanding of the scope of HIPAA would have allowed for those treating Cho to access and release key background information pertaining to the outcome of his hearing and their rather disturbing findings to family members, law enforcement, and school officials.
For example, HIPAA did not prohibit the magistrate who granted Cho’s temporary detention order from alerting VA Tech and his parents. It also did not prohibit the VA Tech’s Cook Counseling Center from disclosing to Cho’s parents and school officials the nature and frequency of Cho’s requests for treatment. (Even though Cho never pursued outpatient treatment, he requested and received three triage appointments in a two-week period). Had this been disclosed, it perhaps would have alerted VA Tech and Cho’s family that his mental health was rapidly deteriorating.
Moreover, HIPAA further did not prohibit the VA Tech police from informing Cho’s parents, officials at the school, and others of his commitment hearing. Lastly, under HIPAA’s emergency exception, background information on Cho’s mental health status could possibly have been released to alert the school and others that Cho was deemed an imminent threat to himself and others. Specifically, under HIPAA, “[a] covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure... is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public[.]”
Additionally, no one had a duty to enforce or keep track of Cho’s court order to seek outpatient treatment, so Cho went without the counseling he desperately needed (in Virginia, the duty to comply with an order to seek outpatient treatment is exclusively that of the individual and no one else).
The report also highlighted that it was unclear whether the Cook Counseling Center, pursuant to HIPAA, even had the right to disclose to school officials, the court, or Cho’s parents that he was not complying with the treatment order. Altogether, key misinterpretations of the law and an overly rigid adherence to HIPAA led to critical failures in being able to proactively respond to Cho’s increasingly intransigent behavior, monitor his treatment progress, and potentially prevent him from killing 32 people, including himself.
In addition to HIPAA, misinterpretations of the Family Educational Rights and Privacy Act (FERPA) also may have contributed to the massacre. Under FERPA, students’ “educational records” are generally protected from disclosure unless permission is granted by the affected student. Like HIPAA, FERPA has a provision that gives educators the discretion to disclose protected information during a health or safety emergency. Pursuant to FERPA’s emergency exception, information may be disclosed to “appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons.”
Under FERPA, only information found in a student’s record is actually protected. FERPA does not prohibit the disclosure of information based on one’s eyewitness account of behavior or communications with a student. As such, and despite what many believed, FERPA would not have prevented disclosure to Cho’s parents that their son was taken to the hospital. Further, it would not have prohibited those who were aware of Cho’s behavior, including faculty, students, residence hall staff, VA Tech counselors, and the school’s law enforcement, from meeting with one another to discuss the gravity of his situation. Had this happened, perhaps those involved would have been able to better appreciate the totality of circumstances and proactively respond to Cho’s deteriorating mental state. Additionally, FERPA likely did not prohibit Cho’s high school from orally disclosing to VA Tech his writing, “Repeat Columbine.”
Taken together, the strict adherence to and misunderstanding of the prohibitions on disclosure embodied in both HIPAA and FERPA discouraged critical information sharing among VA Tech officials, mental health providers, and Cho’s parents.
Virginia Gun Laws & the
Violently Mentally Ill
An additional contributing factor to the massacre is that under Virginia gun law, Cho was not prohibited from purchasing the two firearms that he used to carry out the shootings. Although Cho’s purchase violated federal gun law (18 USC Section 922(g)(4)), Cho was able to legally purchase guns in Virginia despite being involuntarily hospitalized and deemed an imminent threat to himself and others. This is because in Virginia, persons are prohibited from purchasing firearms who are adjudged incompetent or who are committed to a mental institution – two definitions that Cho did not clearly meet.
In addition, the law does not specifically state that a person who is found to be an imminent threat to oneself or others qualifies as “incompetent” necessary to prevent the sale of a gun. Hence, even though Virginia is one of a number of states that report any information about mental health to the FBI’s National Instant Criminal Background Check System (a federal database used to conduct background checks on prospective gun purchasers), Cho’s information was never reported. Therefore, those who sold him guns had no way of knowing he had a troubling mental health history (Cho also lied about his history on his gun application).
Lessons for NH
It is important for those in the New Hampshire legal community to be sure that relevant clients truly understand how privacy laws such as HIPAA apply, what triggers an emergency situation necessary for information to be disclosed, and what they can do to better educate their employees.
Several New Hampshire health care practitioners interviewed for this article stated that although they receive HIPAA training, they either didn’t remember what was covered or they never received specific instruction on when emergency-related information disclosures are warranted. HIPAA requires employers to train employees on HIPAA’s policies and procedures with respect to protected health information (PHI), but does not provide specifics on the topics that should be covered, the length of time necessary for effectively training people, and how people should be trained. (HIPAA’s Privacy Rule and the HIPAA Security Rule both have employer training requirements). In general, HIPAA simply states that training must be conducted as “necessary and appropriate for all members of the workforce to carry out their functions within the covered entity.” This is not to suggest that all employers provide inadequate HIPAA training, but to note that improvements across the board may be necessary.
In light of the statute’s ambiguous language, many people receive lengthy training sessions that make it nearly impossible for them to retain critical information about HIPAA. One such practitioner said that when she started her job, she was bombarded with so much information during her new employee orientation that she could hardly remember anything, including her HIPAA training. Moreover, not all practitioners, including nurses and doctors, as well as business associates who handle PHI, are effectively trained in knowing when critical information disclosures are necessary, including in an emergency. Even if a health care professional does not treat people for mental illness, it is important for everyone subject to HIPAA to know what emergency circumstances warrant disclosures. Because many health care professionals become privy to information beyond the scope of their practice (i.e., a urologist is told by a patient that he is suffering from severe depression when asked about the medication he is taking), it is important for everyone to be prepared and properly educated.
Furthermore, HIPAA training is not always conducted in a way that helps people learn and retain the information. Training that is more interactive and engaging helps people to be motivated to act when necessary.
In 2006, the US Department of Health and Human Services’ Office for Civil Rights (OCR) created an interactive online decision-support tool to assist covered entities, business associates, and others who have access to PHI in determining how information may be accessed, used, or disclosed consistent with the HIPAA Privacy Rule in emergency situations. OCR has several other web pages that explain various parts of HIPAA, of which all health practitioners and those who may receive PHI (such as law enforcement) should be aware.
With regard to FERPA, the good news is that many academic institutions across the United States responded with positive changes in their policies and procedures following the VA Tech massacre. However, it is still worth having a dialog with institutional clients regarding their understanding of the law and when disclosures are permitted, and whether they are effectively communicating with others. (Helpful guidance on FERPA issued by the US Department of Education is available online).
Further, it is critical to recognize the warning signs of someone who is experiencing homicidal or suicidal ideations. Appendix M of the report issued by the VA Tech Review Panel provides a list of red flags, warning signs, and indicators that someone may harm themselves or others. This information is definitely worth sharing with clients, especially those who are health professionals, employers, and business owners.
Jennifer de Lyon Stralka
Jennifer de Lyon Stralka is an attorney licensed in multiple jurisdictions including New Hampshire, a professional legal freelance writer and editor, and an adjunct professor of law at the Vermont Law School. Jennifer welcomes questions and comments from the community regarding her article and can be reached by email.