HIPAA, FERPA, and Student Medical Records

Modified on Mon, 11 Dec 2023 at 12:02 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



Student medical record privacy can be governed by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule or by another federal law, the Family Educational Rights and Privacy Act (FERPA). 


What is FERPA and What Entities Does it Cover?

The Family Educational Rights and Privacy Act, or FERPA, protects the privacy of student educational records. FERPA applies to educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education. This includes virtually all public schools and school districts as well as most private and public postsecondary institutions, including medical and other professional schools.


Private and religious schools at the elementary and secondary level generally do not receive funds from the Department of Education and are therefore not generally subject to FERPA.


What Is an “Education Record” under FERPA, and When May It Be Disclosed?

Under FERPA, education records include those records that are:


1. Directly related to a student; and

2. Maintained by an educational agency or institution or by a party acting for the agency or institution


Whether student medical information may be disclosed under FERPA can depend on whether the student is attending elementary or secondary school, or post-secondary school.


Elementary and Secondary School Level

At the elementary or secondary school level, a student’s health records, including immunization records, maintained by an educational agency or institution subject to FERPA, as well as school nurse records, are considered “education records” under FERPA.


Disclosure Rule for Elementary and Secondary Schools

Generally, parents have a right to inspect and review elementary and secondary school education records under FERPA. However, these records generally may not be shared with third parties without written parental consent unless a FERPA exception permits disclosure.


Exceptions to the Disclosure Rule

The most prominent exceptions allowing schools to disclose medical information and other “education records” to teachers and other school officials, without written parental consent, include:


1. School officials have “legitimate educational interests,” in accordance with school policy, in obtaining the records.

2. Emergencies. Disclosure of records, without consent, may be made to appropriate parties in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals.


Postsecondary Institutions

Under FERPA, covered educational agencies and institutions may not disclose the education records of postsecondary school students, or personally identifiable information from education records, without an eligible student’s written consent. 


Postsecondary school education records, as defined under FERPA, mean records that are:


1. Directly related to a student; and

2. Maintained by an educational agency or institution or by a party acting for the agency or institution


An “eligible student” is defined under FERPA as a student who is at least 18 years of age, or a student who attends a postsecondary institution at any age.


FERPA Distinction Between Education Records and Treatment Records

FERPA “education records” do not include records on a student who is 18 years of age or older, or attending a postsecondary institution, that are: (1) made or maintained by a physician or other recognized professional acting in that capacity; (2) made, maintained, or used only in connection with treatment of the student; and (3) disclosed only to individuals providing the treatment.


FERPA refers to such records as “treatment records.” Treatment records may be disclosed for purposes other than treatment, provided the records are disclosed pursuant to the student’s written consent or under a FERPA exception to written consent. Exceptions include when the school has a legitimate educational interest in the disclosure, and when disclosure is necessary for enrollment or transfer purposes.


How Are FERPA and HIPAA Related?

The HIPAA Privacy Rule expressly excludes FERPA “education records,” and FERPA “treatment records” of eligible students, from the definition of “protected health information.”


Education and treatment records of eligible students under FERPA are also excluded from the HIPAA Security Rule’s coverage of electronic protected health information (ePHI).


One instance where the HIPAA Privacy Rule would apply to student medical records is where a private school (that is not federally funded) hires a healthcare worker (who does not work for the school) to provide medical services, such as vaccinations, at the school. If the healthcare worker is a covered entity (that is, it provides healthcare and engages in one or more of the eight standard transactions), the healthcare worker would be required to adhere to HIPAA. The records would be covered by HIPAA while they are held by the healthcare worker, and the healthcare worker would be required to obtain authorization before the health information is sent to the school.


Does the HIPAA Privacy Rule Apply to an Elementary or Secondary School?

Generally, no.  


In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule. Each of these two scenarios is discussed below.


1. The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. Most elementary and secondary schools fall into this category.


2. The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a healthcare provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
 
