U.S. Department of Health and Human Services and U.S. Department of Education Publish Joint Guidance on the Applicability of FERPA and HIPAA to Student Health Records
December 30, 2008
Marlo M. Del Percio - Chicago
Public and private educational agencies at both the compulsory and postsecondary level may often confront dilemmas relating to the disclosure of student records under the Family Educational Rights and Privacy Act (FERPA). These decisions become strikingly more difficult when the records in question also concern a student’s medical history or treatment, as the confidentiality of medical records is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Because of these complexities, the U.S. Department of Health and Human Services and the U.S. Department of Education have recently issued “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.” The publication clarifies the applicability of FERPA and HIPAA to a variety of institutions, types of records and scenarios.
Overview of FERPA
FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. The Act protects the privacy of students’ “education records,” which are broadly defined as those records that are directly related to a student and maintained by an educational agency or institution or by a party acting on behalf of the agency or institution. Private and religious elementary and secondary schools are generally not subject to FERPA’s requirements, unless such an institution is providing a service for a student with a disability on behalf of the student’s school district. FERPA prohibits the disclosure of “education records” of students, or personally identifiable information from “education records,” without a parent or eligible student’s consent.
At the compulsory level, a student’s health records, including immunization records, records maintained by a school nurse and records of services provided under the Individuals with Disabilities Education Act (IDEA), are considered “education records” and are subject to FERPA. At postsecondary institutions, medical and psychological treatment records of students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with the treatment of the student and only disclosed to treatment providers. These types of student records are considered to be “treatment records” and may be disclosed for reasons other than treatment only with the student’s written consent or pursuant to the FERPA exceptions found in 34 CFR §99.31(a). If a student’s “treatment records” are disclosed for purposes other than treatment, they then become subject to all FERPA requirements.
Overview of HIPAA and Its Intersection With FERPA
HIPAA implements requirements to protect the privacy of individuals’ health records. It governs the transmission of health care records and applies to a variety of health care providers, insurers and related entities. When a school provides health care services to students in the normal course of business, such as through a health clinic, the school is considered a covered entity under HIPAA. Although such a school’s transactions must comply with the HIPAA Administrative Simplification Rules for Transactions and Code Sets and Identifiers, these transactions need not comply with HIPAA’s Privacy Rule because the records are exempt from its coverage as “education records” or “treatment records” of eligible students under FERPA.
HIPAA Privacy Rule’s Applicability in Elementary and Secondary Schools
Generally, the HIPAA Privacy Rule does not apply to an elementary or secondary school since the school is either not a HIPAA-covered entity or is a HIPAA-covered entity but maintains health information that falls under the definition of “education records,” which are not subject to the HIPAA Privacy Rule. If a school or district is receiving funds from the U.S. Department of Education, a student’s immunization records and other health records that are maintained by a district or school (including those maintained by a school-operated health clinic or school nurse, regardless of the source of funding for that particular service) are considered “education records” subject to FERPA, so long as the provider is acting on behalf of the school. As such, parents have the right to inspect and review these records pursuant to FERPA. If, however, an outside party provides services directly to students but is not acting on behalf of the school, the records are not “education records” subject to FERPA, even if the services are provided on school grounds.
In rare cases, the HIPAA Privacy Rule might apply to an elementary or secondary school. A school that is not subject to FERPA, such as a private school that receives no funding from the Department of Education, and also qualifies as a HIPAA-covered entity for engaging in acts such as billing a health plan electronically for the care provided to students, must comply with the HIPAA Privacy Rule.
Disclosures Under HIPAA
Even if the HIPAA Privacy Rule applies, a covered entity may generally disclose health information about the minor to the minor’s parent, as the minor child’s personal representative, unless the minor would be allowed by law to receive treatment without a parent’s consent for the particular condition in question. Also, if a provider believes the minor presents a serious danger to self or others, the necessary health information may be disclosed to a parent or other person, so long as the covered entity has a good faith belief that the disclosure is reasonably necessary to lessen the threat of harm and the person receiving the information is reasonably able to reduce such a threat. Emergency circumstances or a patient’s incapacity may also warrant the sharing of information with a family member. The HIPAA Privacy Rule also allows providers to disclose personal health information about students to school nurses, physicians, or other health care providers for treatment purposes without authorization from the student or parent.
Applicability of HIPAA and FERPA in Postsecondary Institutions’ Health Clinics
Records on students at campus health clinics are subject to the requirements of FERPA, since they are considered to be either “education records” or “treatment records.” Both “education records” and “treatment records” are excluded from the coverage of the HIPAA Privacy Rule, even if the school is a HIPAA-covered entity. If the institution qualifies as a HIPAA-covered entity, any records maintained that are related to nonstudents are subject to the HIPAA Privacy Rule. As such, postsecondary institutions may be subject to both HIPAA and FERPA.
Status of Records in Postsecondary Institutions
Under FERPA, only records available to professionals providing treatment or other appropriate professionals of the student’s choice qualify as “treatment records.” This does not prevent an institution from allowing a student to inspect and review such records, disclosing records to any party with student consent, or permitting certain disclosures without consent under 34 CFR § 99.32 of FERPA. If the institution does release such records for any of the above reasons, though, the records qualify as “education records” pursuant to FERPA and become subject to all of the requirements therein.
Absent any such consent or exemption, a student’s “treatment records” may be shared with any health care professionals who are providing treatment to the student. Records may also be disclosed to a third-party health care provider when the student has requested that his or her records be reviewed by a physician or other appropriate professional. If the records are disclosed to a third-party provider that qualifies as a HIPAA-covered entity, the records become subject to the HIPAA Privacy Rule. The records at the educational institution continue to qualify as “treatment records” under FERPA, so long as the records are only disclosed for treatment purposes or to other appropriate professionals requested by the student. Billing or other records maintained by a postsecondary-operated health clinic that are not made, maintained, or used in connection with treatment, continue to qualify as “education records” under FERPA, the disclosure of which would require prior written consent from the student, unless an exception applies.
Patient records maintained by a hospital affiliated with a postsecondary institution that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because the university hospitals are not providing services on behalf of the educational institutions. As such, these records are subject to the HIPAA Privacy Rule. If the same hospital operates the student health clinic, the clinic records are subject to FERPA, as either “education records” or “treatment records” – but not to the HIPAA Privacy Rule.
Health or medical records maintained by a postsecondary institution, as part of its provision of health care to a student who is also employed by the institution, are covered by FERPA and not the HIPAA Privacy Rule.
Disclosures Under the HIPAA Privacy Rule and FERPA If a Student Is a Danger to Self or Others
The HIPAA Privacy Rule permits a covered entity to disclose certain records when the entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, and the disclosure is made to a person reasonably able to prevent or lessen the threat, including law enforcement, family members, or the object of the threat. Under FERPA, “education records” and “treatment records” may be disclosed without consent to appropriate parties in connection with an emergency if the knowledge of the information is necessary to protect the health and safety of the student or others.
Hybrid Entities
A postsecondary institution that qualifies as a HIPAA-covered entity may have health information of nonstudents to which the HIPAA Privacy Rule would apply in other departments, such as the law enforcement unit or research departments. Such an institution may elect to become a “hybrid entity” to ensure that the HIPAA Privacy Rule would only apply to the health care unit. To become a “hybrid entity,” the school must designate the health care unit as its “health care component,” and include all components that would meet the definition of a HIPAA-covered entity if those components were separate legal entities.
Conclusion
Because of the confusion that may arise in the categorization of records relating to the health care of students in a variety of education institutions, the U.S. Department of Health and Human Services and the U.S. Department of Education have attempted to clarify the points of intersection between the HIPAA Privacy Rule and FERPA. Ultimately, education institutions should make individualized determinations if questions arise as to how to classify a particular record. If uncertain, an institution should always refer to the FERPA requirements or the Department of Education’s Family Policy Compliance Office. Holland & Knight lawyers can assist in all aspects of compliance regarding FERPA and HIPAA.
For more information, contact:
Marlo Del Percio
312.263.3600
marlo.delpercio@hklaw.com
toll free: 1.888.688.8500