Colleges Weigh Privacy Against Security in Handling Mentally Ill Students

When it comes to issues of mental health on campus, lawyers, psychologists and university administrators all agree on one thing: Striking an appropriate balance between protecting an individual's privacy and the community's security is not easy.

In federal law and in most states, privacy concerns generally trump security, but in practice, universities say situations are handled on a case-by-case basis and sometimes result in a school contacting a student's parents or the police for help.

Privacy and security "don't need to be in conflict with one another," said Craig Haney, a professor of psychology and law at the University of California at Santa Cruz.

"By protecting people's privacy interests, in the long run you're advancing security concerns as well. If outside sources have access [to private health information], people might be reluctant to seek help."

Since the deadly shootings at Virginia Tech on Monday, however, many have wondered why the school did not take more proactive steps to treat or remove from campus gunman Seung-hui Cho, despite his known history of mental illness.

Both professors and students told university officials they believed Cho was unstable. In an English class, he wrote explicit and violent plays, which ultimately led to his removal from the class for private tutoring.

Two female students reported him for stalking and local law enforcement authorities had him sent for psychological evaluation

According to William Winsdale, a licensed psychoanalyst and professor of law at the University of Houston, administrators at Virginia Tech had a responsibility to the school's other students because "Cho was clearly psychotic and they should have erred on the side of caution."

"This is the classic horrendous example of when someone gets identified as a risk and then the system doesn't work to follow though to determine how big a risk and to whom he is a risk."

Winsdale said privacy rules had a place, particularly when it comes to limiting the media's access to health records, but institutions like Virginia Tech should not "hide behind bureaucracy … [or] behind 'privacy.'"

In some states, most notably California, if a therapist knows his patient is going to commit a specific violent act and does not report it, he can be held liable. These laws came out of the 1976 case, Tarasoff vs. Regents of the University of California, in which the California Supreme Court ruled therapists had a "duty to protect" intended victims.

However, in most states, including Virginia, conversations between a therapist and his patient are considered privileged and mental health professionals cannot be held responsible for violence caused by patients in their care unless that patient is being held at a hospital.

"Therapists generally have no legal duty to protect the public from the harm their patients might cause," Jeffrey Rachlinski, a professor of law and psychology, told

Similarly, he said, "Universities don't have a legal responsibility to tell parents" if a student is exhibiting signs of mental illness.

Though not required to report threats of violence, Rachlinski explained that "professional norms," the rules psychologists make for themselves, require therapists to alert authorities if they believe someone is "a threat to himself or others."

"The rules" concerning when a university can contact parents or others outside the university when a student shows signs of mental distress "are complicated," said Patti Richards, a spokesperson for the Massachusetts Institute of Technology.

MIT was at the center of the privacy-versus-security storm in 2001 when a student, Elizabeth Shin, set herself on fire after receiving on-campus counseling and writing several suicide notes. Shin's parents, who had not been informed of her threats, brought a $27.7 million lawsuit against the school. MIT and the family settled for an undisclosed amount.

"It's a delicate dance, and we have to honor confidentiality, but its best to look at each case individually," she said.

Universities are bound by the Family Educational Rights and Privacy Act, which prevents universities from turning over the records of students over the age of 18 to their families.

However, the law makes an exception for instances of mental illness. And it is that exception, university administrators say, that allows them to -- in certain instances -- contact students' families or the police.

"We have to balance the rights of the individual versus the community," said Karen Pennington, vice president for student development at Montclair State University in New Jersey.

Pennington said that cases that originate with a student going for counseling are held to a privacy standard different from those in which students or faculty alert the administration to a troubled student.

"If a faculty member has a problem and contacts the dean, the dean is only bound by FERPA, which has a mental health exclusion, so we wouldn't be bound by confidentiality," she said.

Montclair State, like the College of William and Mary in Virginia, both convene special committees of administrators and health professionals to figure out whether to involve third parties.

"We would draw the line at when someone is a threat to himself or others," said Sam Sadler, vice president for student affairs at William and Mary. "Everything is confidential until there is a threat.

"At that point, we would immediately employ something called the Medical Emergency Emotional Protocol. … A counselor, plus a physician and a member of the dean of students staff … would determine if we were in a position to provide the level of support needed to make the community and student safe.

"If we couldn't get support from parents … then we might request a detention order, but we usually try to persuade students to get help," he said.

The experts with whom spoke agreed that while instances of students seeking counseling on college campuses is increasing, incidents of extreme violence were rare.

"It is always easy in retrospect when some horribly tragic event occurs, to second guess things, but that's unfair," said Haney, of the University of California at Santa Cruz. "It is fair to assume that this is extraordinarily unusual and tragic, but an otherwise isolated incident in which a person slipped through the system and the system didn't work in the way we would have liked it to. In the long run protecting privacy is compatible with security-related concerns."