The Intersection of FERPA & HIPAA

 

As a parent or legal guardian, have you ever submitted medical records so the school can accommodate your student’s health needs? If so, have you ever thought to yourself if the school asked itself, “this looks like a medical record…does that mean HIPAA applies?”

At Xavier Academy, we are familiar with the importance of the Family Educational Rights and Privacy Act (FERPA) and its impact on the privacy of education records. However, the impact of the Health Insurance Portability and Accountability Act (HIPAA) is often less intuitive. Fortunately, FERPA is typically the only regulation that applies to schools. Therefore, let’s examine the relationship between these two complex privacy laws.

 

What is FERPA?

FERPA is a federal law that protects the privacy of education records.[1] If a school receives funding from a program administered by the U.S. Department of Education, FERPA applies to students’ “education records, unless an exception applies. FERPA prohibits a school from disclosing student education records, or personally identifiable information from education records, without a parent or eligible student’s consent. An education record includes any record that directly relates to a student that is created or maintained by a school.[2]

 
What is HIPAA?

HIPAA is a federal law that, among other things, protects patient health information. Only “covered entities” are subject to HIPAA’s requirements unless an exception applies. Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit electronic medical information in connection with “covered transactions.” See Does the HIPAA Privacy Rule Apply to an elementary or secondary school? (https://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html). There are a lot of technical definitions at issue. Still, HIPAA becomes relevant in education when schools work with or employ a health care provider that bills a health care plan directly. As discussed below, even if your school falls into this category, HIPAA may still not apply to student records.

 

How do FERPA and HIPAA interact?

Rest easy: for the vast majority of records maintained by elementary and secondary schools, HIPAA is not an issue[3] because most records that contain medical information related to a student and are shared with the school will be considered an “education record.” In most cases, the privacy requirements of FERPA apply rather than HIPAA. HIPAA regulations state that HIPAA does not apply to records covered by FERPA. If FERPA applies, HIPAA does not. For example, consider the records with medical information your school maintains: student immunization records, medical information used in IEPs or Section 504 plans, student physicals, treatment notes from a school nurse or counselor, etc. These are all records that directly relate to students and are either maintained or created by the school. This is the textbook definition of an “education record.” Furthermore, most schools do not qualify as a “covered entity” for purposes of HIPAA compliance.

CDC HIPAA FERPA Infographic (https://www.cdc.gov/phlp/docs/hipaa-ferpa-infographic-508.pd)

 
Treatment records of school nurses or a healthcare clinic:

Suppose a school employs a school nurse or a medical professional to provide services to students, likely. In that case, the medical records they create during treatment are still covered by FERPA, not HIPAA. The general rule of thumb is that FERPA will apply to these records unless the health care provider is billing directly to a health plan. That is generally not the case for most schools. But if a school is an exception, HIPAA may apply.

 

Are there special circumstances when HIPAA may apply?

HIPAA may apply to third parties that provide health services directly to students, such as a service provider that comes to the school and offers flu shots to students. When the health care provider is not acting on behalf of the school, HIPAA will apply to that third-party health care provider. But that does not mean HIPAA automatically applies to the school. However, keep in mind that HIPAA will limit what the healthcare provider can disclose to the school in this situation.

HIPAA may also apply in scenarios where the school employs a healthcare provider who directly bills a health plan, such as when the school participates in the Texas School Health and Related Services (SHARS) and seeks reimbursement or employs a service provider as part of an Individualized Education Program (IEP). In such cases, the school may be a “covered entity” subject to HIPAA’s rules on billing transactions. However, the HIPAA privacy rules would still not apply if the information was only maintained in education records covered by FERPA. 

In nearly every instance, FERPA will apply to the medical records created or maintained by your school. However, if an employee of the school should ever bill a health plan directly for services, the school may have wandered into one of the limited scenarios where HIPAA does apply.

 

If you have academic concerns for your student, please contact the Wellness Center at 210-464-4556.

 

[1]   See 20 U.S.C. § 1232g; Title 34 CFR Part 99.

[2]   See 20 U.S.C. § 1232g; Title 34 CFR Part 99.3.

[3]   U.S. Department of Education and U.S. Department of Health and Human Services, Joint Guidance on the Application of the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPPA) to Student Health Records, (November 2008).