Where HIPAA and FERPA Meet: Student Health Records and Disclosure Requirements
The Departments of Education and Health and Human Services have issued joint guidance on how the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.
FERPA is a federal law that generally prohibits an institution from disclosing the education records or personally identifiable information from education records, without a parent or eligible student’s written consent. An eligible student is one who is over 18 years of age or who attends a post-secondary institution at any age. FERPA applies to institutions that receive funds pursuant to any program administered by the U.S. Department of Education, including medical and other professional schools. Please note that if an institution receives funds in this manner, FERPA applies to the recipient as a whole, including all its components, such as a department within a university.
“Education records” are broadly defined to include records that are directly related to a student and that are maintained by an educational institution or by a party acting for the institution. At the elementary and secondary levels, this can include student health records. In post-secondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. If the disclose is for purposes other than treatment, the records are then subject to FERPA’s requirements and can only be disclosed with the student’s written consent or under one of several enumerated exceptions to written consent.
HIPAA requires covered entities (health plans, health care clearinghouses and health care providers) to implement appropriate safeguards to protect the privacy of patients’ identifiable health information and to set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Whether FERPA or HIPAA apply to a particular set of records first depends on the record holder’s status as a FERPA or HIPAA covered entity. In some situations, an entity may be both. For example, when a school provides health care to students in the normal course of business, such as through its health clinic, it is both a “health provider” under HIPAA and subject to FERPA’s requirement. The analysis then hinges on whether the records meet FERPA’s “education” or “treatment” records definitions. If the records are education or treatment records under FERPA, HIPAA does not apply because HIPAA specifically excludes these records from coverage. For example, if a school is a HIPAA covered entity, and the only health records maintained by the school are education or treatment records under FERPA, the school does not have to comply with the HIPAA Privacy or Security Rules because these records are specifically excluded from coverage.
Other examples of arrangements where either HIPAA or FERPA apply:
- If a person such as a school nurse acts on behalf of a school subject to FERPA, and maintains student health records, these records are education records under FERPA, just as if the school maintained them directly, even if the health care is provided to students off-site. HIPAA would not apply to these records.
- FERPA applies to most post-secondary institutions. Student records at post-secondary campus health clinics are either education records or treatment records under FERPA, even if the school is a HIPAA covered entity. If the student health clinic is open to the public or school staff or both, the protected health information of the clinic’s non-student patients is still subject to HIPAA Privacy and Security Rules.
- Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically education records or treatment records under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. If the hospital runs the student health clinic, clinic records of students would be subject to FERPA as education records or treatment records and not HIPAA.
There is a never-ending array of possible situations that may arise when considering the interplay between FERPA and HIPAA. Consult legal counsel when presented with a request for disclosure of student health information to avoid inappropriate disclosures or denials for information.