On November 25, 2008, the U.S. Department of Health and Human Services and U.S. Department of Education released joint guidance on the application of HIPAA and FERPA to student health records. The guidance was issued to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and “to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to records maintained on students.”
Hospitals are, of course, familiar with HIPAA. FERPA is a federal law that protects the privacy of the “education records” of students. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education, which includes virtually all public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools. FERPA also contains rules regarding some “treatment records” of students. When a school provides health care to students in the normal course of business, such as through a health clinic, it is also a “covered entity” under HIPAA if the school also conducts any covered transactions electronically in connection with that health care. Thus, FERPA and HIPAA can intersect often for schools. However, “education records” and “treatment records” covered by FERPA are excluded from coverage under the HIPAA Privacy Rule.
The new guidance sets forth a series of Frequently Asked Questions with explanations of how HIPAA and FERPA apply and interact in various scenarios involving schools and student health records. The new guidance will primarily be of benefit to schools and school administrators. However, the new guidance contains explanations on several topics directly relevant to hospitals.
Hospital-staffed School Clinics. Many hospitals have arrangements with schools to staff school clinics or to provide clinical services (such as immunizations) on school grounds. In such situations, which law applies depends on whether or not the hospital or hospital staff provides medical services under a contract or employment arrangement or is otherwise acting on behalf of the school. If so, FERPA applies to the records from such services. If not, HIPAA applies to the records from such services. The related FAQ from the new guidance on this topic states:
Question: Does FERPA or HIPAA apply to elementary or secondary school student health records maintained by a health care provider that is not employed by a school?
Answer: If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly. This is the case regardless of whether the health care is provided to students on school grounds or off-site. As education records, the information is protected under FERPA and not HIPAA. [Emphasis added.]
Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school. In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA. [...]
With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.
School Treatment Records Disclosed to Hospitals or Physicians. Can a school disclose student treatment records to a hospital or physician? And if such a disclosure is made, does FERPA or HIPAA apply to those records when maintained by the hospital or physician? The new guidance provides the following FAQ to answer these questions:
Question: Under what circumstances does FERPA permit an eligible student’s treatment records to be disclosed to a third-party health care provider for treatment?
Answer: An eligible student’s treatment records may be shared with health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the educational institution (i.e., third-party health care provider), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student’s treatment records may be disclosed to a third-party health care provider when the student has requested that his or her records be “reviewed by a physician or other appropriate professional of the student’s choice.” See 20 U.S.C. § 1232g(a)(4)(B)(iv). In either of these situations, if the treatment records are disclosed to a third-party health care provider that is a HIPAA covered entity, the records would become subject to the HIPAA Privacy Rule [as maintained by that provider]. The records at the educational institution continue to be treatment records under FERPA, so long as the records are only disclosed by the institution for treatment purposes to a health care provider or to the student’s physician or other appropriate professional requested by the student. [Emphasis added.]
If the disclosure is for purposes other than treatment, an eligible student’s treatment record only may be disclosed to a third party as an “education record,” that is, with the prior written consent of the eligible student or if one of the exceptions to FERPA’s general consent requirement is met. […]
University Hospitals. Many universities operate hospitals. Generally, HIPAA – not FERPA – will apply to all treatment records of hospital services even when provided to students. However, student clinic services (as opposed to general hospital services) provided by a university-run student health clinic will be subject to FERPA, not HIPAA. The following FAQ from the new guidance explains:
Question: Does FERPA or HIPAA apply to records on students who are patients at a university hospital?
Answer: Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. Rather, these hospitals provide such services without regard to the person’s status as a student and not on behalf of a university. Thus, assuming the hospital is a HIPAA covered entity, these records are subject to all of the HIPAA rules, including the HIPAA Privacy Rule. However, in a situation where a hospital does run the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA, either as “education records” or “treatment records,” and not subject to the HIPAA Privacy Rule.