As school attorneys, we are constantly admonishing school staff to be
mindful of their obligation to keep student information confidential pursuant
to FERPA and the IDEA. However, we also frequently encounter confusion
among staff about the effect of the Health Insurance Portability and
Accountability Act (HIPAA) on school districts. HIPAA is a federal law which, among other
things, provides the first national privacy law for individual health
information. HIPAA mandates actions that “covered entities” must take to
protect the privacy of an individual’s health information. The U.S.
Department of Health and Human Services (“HHS”) has issued rules to
implement and enforce these privacy requirements. Generally, entities
covered by HIPAA may release or receive “protected health information”
about an individual only if that individual gives permission or the Act
expressly permits its release.

HIPAA defines “covered entity” to mean a health plan; a health care
clearinghouse; or a health care provider who transmits any health
information in electronic form in connection with a transaction covered under
the Act. “Protected health information” is defined as individually identifiable
health information that is transmitted by electronic media; maintained in any
medium meeting the definition of electronic media; or transmitted or
maintained in any other form or medium.

Under a final rule issued by HHS, health information contained within
student educational records that are subject to the Family Educational Rights
and Privacy Act (“FERPA”) is exempt from the requirements of HIPAA. (See
HIPAA, 24 CFR 164.501.) “Educational record” includes individually
identifiable health information of students under the age of 18 created by a
nurse in a primary or secondary school receiving federal funds. In addition,
medical records that are excepted from FERPA’s definition of “education
records” under FERPA section 99.3 are also exempted from coverage by
HIPAA. The HHS reasoned that subjecting districts to both FERPA and HIPAA
requirements as to these records would be confusing and unduly
burdensome. Of course, districts must continue to ensure that these records
are received, maintained and transmitted in a manner consistent with
FERPA.

The regulations suggest that school-based health centers may qualify
as “health care providers.” This will only be an issue where centers are
sponsored by health care entities covered by HIPAA, such as health
departments, hospitals or community health centers. Those entities are
subject to the HIPAA privacy requirements and will be responsible for
compliance. This may result in health information kept in the school district
being treated as FERPA records, and the same information kept in the health
facility being covered by HIPAA.

For example, when a center is performing school health functions or
implementing health mandates on behalf of the school board, and the health
information of students who use the facility is entered into the educational
record, the information is covered by FERPA. Any health care information
that is retained by the health care provider will be covered by HIPAA.
Protected health information that exists only in the office of a health care
provider may not be released to school personnel or other third parties
without parental authorization. Districts may need to coordinate with these
centers in drafting HIPAA-compliant authorizations if the school requires
health information that is produced and available only outside of the school
district. These health care providers will most likely be able to provide
forms for this purpose.

A confusing aspect of HIPAA is whether school nurses who are
employees of the district are subject to HIPAA as “health care providers.”
The regulations are silent on this precise point, but the 2000 regulations
state, “The educational institution or agency that employs a school nurse is
subject to our regulation as a health care provider if the school nurse or the
school engages in a HIPAA transaction.”

Some sources interpret this regulation to mean that school nurses, as
health care providers, are covered entities under HIPAA only if they transmit
health information electronically in connection with a HIPAA transaction. This
language suggests that when a school nurse is not billing electronically but
simply providing care pursuant to an IEP or section 504 plan, the
information generated by the care becomes an educational record covered
under FERPA, but not subject to HIPAA.

Another area of concern is the release of health information relating to
student athletes, as in when an athletic trainer is asked to disclose
information regarding an injury to a player. While it is disputed that such a
disclosure to the coaching staff would violate HIPAA (as FERPA applies), the
safest course is for personnel to refrain from discussing such injuries with
third parties outside the school/district (such as the media) absent a specific
authorization. There is nothing in the regulations, however, that would limit
the trainer from sharing this information with other school staff members.

Student confidentiality is an important legal issue, but staff should not
be so fearful of violating HIPAA that they neglect to adequately share
information with other district staff that could better serve students. If you
have questions, we recommend that you consult with your school district’s
attorney or call Karen, Steve or Bobby.