The intersection of FERPA and HIPAA
Have you ever collected student immunization records? Have you ever had a parent submit medical records so the school can accommodate a student’s health needs? If so, have you ever thought to yourself (or maybe panicked), “this looks like a medical record…does that mean HIPAA applies?”
As an administrator, you are likely familiar with the importance of the Family Educational Rights and Privacy Act (FERPA) and its impact on the privacy of education records. However, the impact of the Health Insurance Portability and Accountability Act (HIPAA) is often less intuitive. Fortunately, FERPA is typically the only regulation that applies to schools. Let’s examine the relationship between these two complex privacy laws.
What is FERPA?
FERPA is a federal law that protects the privacy of education records.1 If your school receives funding from a program administered by the U.S. Department of Education, then FERPA applies to your students’ “education records.” Unless an exception applies, FERPA prohibits a school from disclosing student education records, or personally identifiable information from education records, without a parent or eligible student’s consent. An education record includes any record that directly relates to a student that is created or maintained by a school.2
What is HIPAA?
HIPAA is a federal law that, among other things, protects patient health information. Only “covered entities” are subject to HIPAA’s requirements. Covered entities include health plans, healthcare clearinghouses and healthcare providers that transmit electronic medical information in connection with “covered transactions.” There are a lot of technical definitions at issue, but HIPAA becomes relevant in the education context when schools work with or employ a health care provider that bills a health care plan directly. As discussed below, even if your school falls into this category, HIPAA may still not apply to student records.
How do FERPA and HIPAA interact?
Rest easy: for the vast majority of records maintained by elementary and secondary schools, HIPAA is not an issue.3 This is because most records that contain medical information related to a student and shared with the school will be considered an “education record.” In most cases, the privacy requirements of FERPA apply, rather than HIPAA. HIPAA regulations state that HIPAA does not apply to records covered by FERPA, so if FERPA applies, HIPAA does not. Consider the records with medical information that your school maintains: student immunization records, medical information used in IEPs or Section 504 plans, student physicals, treatment notes from a school nurse or counselor, etc. These are all records that directly relate to students, and they are either maintained or created by the school. This is the textbook definition of an “education record.” Furthermore, most schools do not qualify as a “covered entity” for purposes of HIPAA compliance.
Treatment records of school nurses or a healthcare clinic:
If your school employs a school nurse or a medical professional to provide services to students, it is likely that the medical records they create during the course of treatment are still covered by FERPA, not HIPAA. The general rule of thumb is that FERPA will apply to these records unless the health care provider is billing directly to a health plan. That is generally not the case for most schools. But if your school is an exception, you may want to consult with an attorney about whether HIPAA applies to you.
Are there special circumstances when HIPAA may apply?
Of course, schools should be aware of the limited instance in which HIPAA may apply. HIPAA may apply to third parties that provide health services directly to students, such as a service provider that comes to the school and offers flu shots to students. When the health care provider is not acting on behalf of the school, HIPAA will apply to that third party health care provider. But that does not mean HIPAA automatically applies to the school. However, keep in mind that in this situation HIPAA will limit what the health care provider can disclose to the school.
HIPAA may also apply in scenarios where the school employs a health care provider who directly bills a health plan, such as when the school participates in the Ohio Medicaid Schools Program and seeks reimbursement or when the school employs a service provider as part of an IEP. In such cases, the school may be a “covered entity” subject to HIPAA’s rules on billing transactions, but the HIPAA privacy rules would still not apply if the information was only maintained in education records covered by FERPA. Many technical definitions come into play here, so if your school falls into this category, it is best to consult an attorney to determine if HIPAA applies.
Therefore, in nearly every instance, FERPA will apply to the medical records created or maintained by your school. However, if an employee of the school should ever bill a health plan directly for services, you may have wandered into one of the limited scenarios where HIPAA does apply. If so, you will want to contact an attorney to ensure that you are in compliance.
1 See 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
2 34 C.F.R. § 99.3.
3 U.S. Department of Education and U.S. Department of Health and Human Services, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records (November 2008), available at https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf