A Capehart Scatchard Blog

USDOE and USHHS Issue Joint Guidance on Application of FERPA and HIPAA to Student Health Records

Posted on January 14, 2020 in Students

In December 2019, the U.S. Department of Education (“USDOE”) and U.S. Department of Health and Human Services (“USDHHS”) jointly issued a 26-page document providing updated guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g, 34 C.F.R. Part 99, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), see 45 C.F.R. Parts 160, 162, and 164 (the “HIPAA Rules”), to student health records. The updated guidance provides a basic overview of each of the two federal statutes, as well as 27 frequently asked questions (“FAQs”). The new guidance document will serve as a useful tool for school districts and related service providers as a quick reference guide to the legal requirements and applicability of the FERPA and HIPAA statutes in various sets of circumstances.

For lawyers practicing in the area of school law, advising school districts and educational service providers of students’ rights under FERPA is an ongoing element of practice.  In general, FERPA is a federal law that provides various protections for the privacy of students’ “education records,” including the right of parents, legal guardians, and adult students to access their or their child’s education records, the right to seek to have these records amended, and the right to provide consent for the disclosure of personally identifiable information (“PII”) from these records, unless an exception to consent applies.  The statute contains a number of exceptions permitting disclosure absent parental consent, which are generally mirrored in New Jersey by state statutes and regulations (see N.J.A.C. 6A:32-7.1 et seq.).  

However, FERPA only applies to educational agencies and institutions that receive federal funds under any program administered by the U.S. Department of Education, including but not limited to public school districts and charter schools.  The term “educational agency or institution” generally refers to public elementary and secondary schools, school districts, and postsecondary institutions, including medical and other professional schools.  Private and religious schools at the elementary and secondary levels generally do not receive funds from the USDOE and are, therefore, not subject to FERPA.

The HIPAA statute, on the other hand, was enacted in 1996 in order to improve efficiency and establish a national standard for protecting the privacy and security of individually identifiable health information.  HIPAA applies to “covered entities,” which are health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions.  See 45 C.F.R. § 160.103.  “Health care providers” include institutional providers of health or medical services, such as hospitals, as well as non-institutional providers, such as physicians, dentists, and other practitioners, along with any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. “Covered transactions” are those for which the USDHHS has adopted a standard, such as health care claims submitted to a health plan.  Once a health care provider becomes a covered entity, the HIPAA Privacy Rule applies and requires the protection of individuals’ health records and other personal health information the entities maintain or transmit, known as protected health information (PHI), by requiring appropriate safeguards to protect privacy and setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization.  The rule also gives patients certain rights with respect to their health information, including rights to examine and obtain a copy of their health records, and to request corrections.  Where the HIPAA Privacy Rule applies, it permits covered entities to disclose PHI without patient authorization in certain circumstances, including emergency or other situations.

While FERPA generally applies to all public school districts and charter schools, as most or all are recipients of federal funds, the new guidance helps provide clarity on those situations in which the HIPAA Privacy Rule may apply to educational institutions and intersect with FERPA. In most cases, HIPAA does not apply to an elementary or secondary school for one of two reasons: (1) the school is not a HIPAA covered entity, or (2) the school is a HIPAA covered entity but maintains health information only on student records that are also “education records” under FERPA, and, therefore, are expressly not PHI covered by the HIPAA Privacy Rule. However, the guidance explains that, in some circumstances, a private school would be required to comply with the HIPAA Privacy Rule when it is a HIPAA covered entity because it does not receive federal funds from USDOE. These circumstances will generally fall into one of the following categories:

  • The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 C.F.R. § 160.102.  Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity unless the providers engage in any of the covered transactions defined by regulation, such as billing a health plan electronically for their services.  According to the new guidance, “It is expected that most elementary and secondary schools fall into this category.”
  • The school is a HIPAA covered entity but does not have PHI.  Even if a school is a covered entity and must comply with the HIPAA Transactions and Code Sets Rules, the school would not be required to comply with the HIPAA Privacy Rule if it only maintains health information in FERPA “education records.”  For example, a public high school might employ a health care provider that bills Medicaid electronically for services provided to a student under the Individuals with Disabilities Education Act (“IDEA”).  The school is a HIPAA covered entity because it engages in one of the covered transactions electronically, and, therefore, would be subject to the HIPAA transaction standard requirements. However, if the school provider maintains health information only in “education records” under FERPA, the school is not required to comply with the HIPAA Privacy Rule because the Privacy Rule explicitly excludes FERPA “education records.” See 45 CFR § 160.103.  Importantly, although the HIPAA Privacy Rule does not apply, FERPA’s and the IDEA’s privacy requirements do apply, including the requirement to obtain prior written parent or eligible student consent to disclose to Medicaid billing information about a service provided to a student.
  • The school is a HIPAA covered entity and is not subject to FERPA.  Schools that are covered entities and are not subject to FERPA must comply with both the HIPAA transaction requirements and the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules regarding any individually identifiable health information the school has about students and others to whom it provides health care. For example, if a private elementary or secondary school not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (thereby making the school a “covered entity”), the school must comply with the HIPAA Rules regarding the individually identifiable health information of its patients.
  • Certain private school placements. Where a student is placed in a private school for the provision of Individualized Education Program (IEP) services on behalf of a school or school district subject to FERPA, the education records of the privately placed student maintained by the private school are subject both to FERPA and to the confidentiality requirements under the IDEA, which incorporate the provisions of FERPA, and not the HIPAA Privacy Rule.  USDOE is in the process of preparing a Notice of Proposed Rulemaking to amend the FERPA regulations to add this provision and will provide an opportunity for the public to comment on this proposed amendment.

The guidance continues with an explanation of 27 FAQs concerning the applicability of FERPA and HIPAA to various types of educational institutions.  The full text of the new guidance can be found at the following link: https://bit.ly/35LDctO

