Is My Public School, Private School, or College or University Subject to the HIPAA Privacy Rule? Revised Federal Guidance Provides Answers
School leaders are often understandably confused as to which law applies to health- or medical-related records in schools: The Family Educational Rights and Privacy Act (FERPA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) “Privacy Rule.” Whether you work in a public or private K-12 institution or a college or university, the answer to that question can have many implications. For those struggling with the question, recently revised guidance from the U.S. Departments of Education and Health and Human Services provides some answers. Although we recommend that those who work with student or health records in schools, colleges, and universities review the entire 25-page guidance document, our summary below includes some of the key points from the guidance of which you should be aware.
Background on the Guidance
The joint guidance on the intersection of federal privacy laws governing student educational records and health records in schools was first issued in 2008. Both the original and the revised guidance explain but do not change the laws governing these types of records. The intent of the new guidance is to provide “updates and expand[ ] on prior guidance to help address potential confusion on the part of school administrators, healthcare professionals, and others on how FERPA and HIPAA apply to records maintained on students.”
General Applicability of the HIPAA Privacy Rule
As the guidance describes, FERPA covers student education records and HIPAA covers health records. Both FERPA and HIPAA generally prohibit release of records without written consent, but the two laws are very different. In addition to its Privacy Rule, HIPAA also contains Security, Breach Notifications, and Enforcement Rules.
Notably, HIPAA’s Privacy Rule does not generally apply to records maintained on students by a school, even if those records relate to health concerns. The guidance explains:
The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.
Yet even if a school meets the definition of a HIPAA “covered entity,” it may not need to comply with HIPAA because, as the guidance explains, “the school’s only health records are considered ‘education records’ or ‘treatment records’ under FERPA,” and so are specifically excluded from HIPAA oversight.
The guidance addresses a “few limited circumstances” when educational institutions may be subject to HIPPA. These include:
- An educational institution at any level that provides health care to students in the normal course of business, such as through a health clinic, and that transmits personal health information (PHI) electronically in connection with certain transactions
- A K-12 private school that does not receive funds from the U.S. Department of Education (and so is not subject to FERPA) and is otherwise a covered entity, such as one that employs a physician who bills a health plan electronically for care provided to students
- Most postsecondary institutions that are HIPAA covered entities and provide health care to nonstudents such as employees and members of the public, but only as to the health information of the nonstudent patients; records relating to student patients are subject to FERPA and exempt from HIPAA coverage, even if the students is both a student and an employee, and
- Hospitals affiliated with a university that is subject to FERPA because they do not typically provide services to students “for the university,” except if the hospital runs a student health clinic (see #3, above).
Release of FERPA and HIPAA Covered Information Without Consent
The guidance addresses a number of situations in which schools, colleges, and universities that are subject to the HIPAA Privacy Rule and/or FERPA may nonetheless release such information without written consent. For example, the guidance includes thorough answers to questions about whether an institution can release information without consent in the following situations:
- For student educational or health information, release of information to parents (questions 9, 11, 12, and 14) and Protection and Advocacy systems (questions 24-25)
- For student health information, release of information to school nurses or physicians (question 15), and
- For student educational information, release of information to third-party health care providers, law enforcement, and the National Criminal Background Check System (NICS) (questions 26-27).
Release of Information in Emergencies
Another category of exceptions—those that apply in an emergency—addressed in the guidance is of particular note in light of a recent report from the Federal Commission on School Safety indicating confusion in schools about the ability to share information during emergency situations. The guidance clarifies when HIPAA and FERPA allow the release of otherwise protected information to allow or facilitate treatment of a student in an emergency situation and in other situations involving a threat to the health and safety of the student or others.
Under HIPAA, permitted emergency disclosures include disclosures:
- for treatment
- to family, friends, and others involved in an individual’s care and for notification, and
- to prevent a serious and imminent threat.
Under FERPA, educational record information, including student health records, may be disclosed by an educational institution to anyone if the educational institution determines that knowledge of the information is necessary to protect the health or safety of the student or other individuals. The guidance provides a number of useful examples of situations and detailed discussion of the various exemptions and how they can come into play during a safety incident.
For more information about the guidance, the issues raised in this alert, or any other issues in the guidance not summarized here, contact the authors of this alert or any other Franczek attorney.