The Intersection of HIPAA and FERPA

As school attorneys, we are constantly admonishing school staff to be

mindful of their obligation to keep student information confidential pursuant

to FERPA and the IDEA. However, we also frequently encounter confusion

among staff about the Health Insurance Portability and Accountability Act

(HIPAA) on school districts. HIPPA is a federal law which, among other

things, provides the first national privacy law for individual health

information. HIPAA mandates actions that “covered entities” must take to

protect the privacy of an individual’s health information. The U.S.

Department of Health and Human Services (“HHS”) has issued rules to

implement and enforce these privacy requirements. Generally, entities

covered by HIPAA may release or receive “protected health information”

about an individual only if that individual gives permission or the Act

expressly permits its release.

HIPAA defines “covered entity” to mean a health plan; a health care

clearinghouse; or a health care provider who transmits any health

information in electronic form in connection with a transaction covered under

the Act. “Protected health information” is defined as individually identifiable

health information that is transmitted by electronic media; maintained in any

medium meeting the definition of electronic media; or transmitted or

maintained in any other form or medium.

Under a final rule issued by HHS, health information contained within

student educational records that are subject to the Family Educational Rights

and Privacy Act (“FERPA”) is exempt from the requirements of HIPAA. (See

HIPAA, 24 CFR 164.501.) “Educational record” includes individually

identifiable health information of students under the age of 18 created by a

nurse in a primary or secondary school receiving federal funds. In addition,

medical records that are excepted from FERPA’s definition of “education

records” under FERPA section 99.3 are also exempted from coverage by

HIPAA. The HHS reasoned that subjecting districts to both FERPA and HIPAA

requirements as to these records would be confusing and unduly

burdensome. Of course, districts must continue to ensure that these records

are received, maintained and transmitted in a manner consistent with

FERPA.

The regulations suggest that school-based health centers may qualify

as “health care providers.” This will only be an issue where centers are

sponsored by health care entities covered by HIPAA, such as health

departments, hospitals or community health centers. Those entities are

subject to the HIPAA privacy requirements and will be responsible for

compliance. This may result in health information kept in the school district

being treated as FERPA records, and the same information kept in the health

facility being covered by HIPAA.

For example, when a center is performing school health functions or

implementing health mandates on behalf of the school board, and the health

information of students who use the facility are entered into the educational

record, the information is covered by FERPA. Any health care information

that is retained by the health care provider will be covered by HIPAA.

Protected health information that exists only in the office of a health care

provider may not be released to school personnel or other third parties

without parental authorization. Districts may need to coordinate with these

centers in drafting HIPAA-compliant authorizations if the school requires

health information that is produced and available only outside of the school

district. These health care providers will most likely be able to provide

forms for this purpose.

A confusing aspect of HIPAA is whether school nurses who are

employees of the district are subject to HIPAA as “health care providers.”

The regulations are silent on this precise point, but the 2000 regulations

state, “The educational institution or agency that employs a school nurse is

subject to our regulation as a health care provider if the school nurse or the

school engages in a HIPAA transaction.”

Some sources interpret this regulation to mean that school nurses, as

health care providers, are covered entities under HIPAA only if they transmit

health information electronically in connection with a HIPAA transaction. This

language suggests that when a school nurse is not billing electronically but

simply providing care pursuant to an IEP or section 504 plan, the

information generated by the care becomes an educational record covered

under FERPA, but not subject to HIPAA.

Another area of concern is the release of health information relating to

student athletes, as in when an athletic trainer is asked to disclose

information regarding an injury to a player. While it is disputed that such a

disclosure to the coaching staff would violate HIPAA (as FERPA applies), the

safest course is for personnel to refrain from discussing such injuries with

third parties outside the school/district (such as the media) absent a specific

authorization. There is nothing in the regulations, however, that would limit

the trainer from sharing this information with other school staff members.

Student confidentiality is an important legal issue, but staff should not

be so fearful of violating HIPAA that they neglect to adequately share

information with other district staff that could better serve students. If you

have questions, we recommend that you consult with your school district’s

attorney or call Karen, Steve or Bobby.