The Health Insurance Portability and Accountability Act of 1996—commonly referred to as “HIPAA”—is a federal law imposing certain data privacy and data security requirements with respect to medical information, including the personal health information of individual persons. Colleges and universities maintain medical information related to employees and students in a host of locations, including human resources files, student records, and in the records of on-campus health and counseling centers, among others. Higher education administrators unfamiliar with the intricacies of HIPAA often believe the law imposes more obligations on colleges and universities than it actually does. This post dispels some of the most common myths relating to HIPAA and higher education.
Myth #1: HIPAA applies to all medical information we maintain as a college or university.
While HIPAA’s privacy rule does govern the privacy of protected health information (PHI), HIPAA’s privacy rule only applies to HIPAA “covered entit[ies].” As a general rule, covered entities include: (1) health plans; (2) health care clearinghouses; and (3) healthcare providers who electronically transmit health information in connection with certain electronic transactions relating to billing, payment, and/or insurance coverage.
Taking HIPAA’s “covered entit[ies]” provisions at face value, college and university administrators often conclude their institution is a HIPAA-covered entity because a student health center provides medical treatment to students and engages in electronic billing transactions. However, HIPAA’s privacy rule contains an important exception—it does not apply to health records maintained by an educational institution if those health records meet the definition of “education records” or “treatment records” under the Family Educational Rights and Privacy Act (FERPA). Because student health records generally do fall within these FERPA definitions, they are exempted from the reach of HIPAA’s privacy rule. See Department of Health and Human Services and Department of Education, Joint Guidance on The Application of FERPA and HIPAA to Student Health Records (November 2008). If a student health center provides medical treatment to non-students and bills for those services, medical records relating to such treatment are not within the scope of FERPA (which applies only to student records) and thus would be subject to HIPAA’s privacy rule.
Human resources professionals who work in higher education may mistakenly believe that all medical records held by an institution are subject to HIPAA’s privacy rule because the institution offers health insurance to its employees and thus constitutes a HIPAA covered “health plan.” However, under HIPAA, health plans are considered to be separate legal entities from the institution that sponsors the plan. Thus, while HIPAA may regulate the conditions under which the health plan can share health information with the institution as a whole, HIPAA does not apply to the sponsoring institution’s other operations.
Put differently, HIPAA’s privacy rule applies only to PHI that is disclosed or generated in the course of a covered entity’s HIPAA-covered operations. Thus, for example, while HIPAA may protect the privacy of medical records a college employee submits to the institution’s health plan for purposes of making an insurance claim, HIPAA would not apply to copies of the same records the employee shared with his or her supervisor for the purpose of substantiating sick days.
Myth #2: If we release medical information about a student or employee we can be sued for violating HIPAA.
While a disgruntled student or employee might attempt to sue your institution for violating his or her “HIPAA rights,” such a suit will almost certainly fail because federal courts have consistently held that HIPAA does not create a private right of action that would permit a person to sue in the event his or her records are improperly released. See, e.g., Adams v. Eureka Fire Protection Dist., 352 F. App’x 137, 139 (8th Cir. 2009). Instead, HIPAA is generally enforced through regulatory action by the Department of Health and Human Services and the Department of Justice. Similarly, courts have consistently held that there is no private right of action for a violation of FERPA. Thus, a suit by a student who claims his or her medical records were released in violation of FERPA is almost certain to fail as well.
While HIPAA and FERPA do not recognize private rights of action, employees or students whose private medical information is released may have successful claims under state common law governing negligence or under state “data breach” laws that apply when certain personal information is released. Thus, institutions still have a powerful incentive to treat medical information with great care.
Myth #3: HIPAA prohibits a college or university from asking an employee or student for medical information.
HIPAA’s privacy rule generally prohibits HIPAA covered entities from releasing PHI that is received or generated in the course of operating a health plan or a health care clearinghouse, or in the provision of health care services. It does not regulate the ability of institutions to request medical information from their employees and students for legitimate business reasons. So if an employee refuses to provide a doctor’s note that her supervisor has requested in order to substantiate a claimed sick day on the basis that “HIPAA prohibits you from asking for that,” the employee is wrong. Similarly, HIPAA in no way protects a student from having to provide medical documentation to substantiate absences or to provide the basis for a request for accommodations under the Americans With Disabilities Act (ADA) or Section 504 of the Rehabilitation Act.
Myth #4: HIPAA applies to any person with medical training and a professional license.
Because they receive training in HIPAA as part of their professional education, a nurse, athletic trainer, or counselor may believe that he or she has an individual obligation to comply with HIPAA whenever he or she receives medical information. While this type of caution in handling medical information is laudable, as set forth above, HIPAA only applies to health care providers who are engaged in certain types of covered transactions, and even then, it does not apply with respect to medical records that fall within the scope of FERPA. Thus, HIPAA’s privacy rule does not apply to records generated by an athletic trainer who provides free treatment to student athletes. Similarly, HIPAA’s privacy rule would not apply to medical information about a student that a licensed nurse or counselor receives in the course of teaching a class (for example, if a student provided a doctor’s note to substantiate an absence).
Myth #5: HIPAA prohibits employees from talking about the health situation of their co-workers or their students.
HIPAA applies to protected health information received or generated by covered entities in the course of operating a health plan or a health care clearinghouse, or in the provision of health care services. It does not apply generally to any medical information that may be learned about or observed by employees of a college or university. Thus, for example, if a faculty member shares with her chair that she will need to take a leave of absence to undergo cancer treatment, it does not violate HIPAA for the chair to share this information with a faculty member who will have to take over instruction duties in the sick faculty member’s absence.
As noted above, HIPAA does not apply to student records covered by FERPA. Thus, while it might be imprudent and violate institutional policies for a faculty member to discuss a student’s medical information with a colleague, this act would not violate HIPAA. However, if the faculty member learned of the medical information from a student record (as opposed to a personal observation), the faculty member would violate FERPA if he or she disclosed it to a colleague without a legitimate educational interest in the information, or if he or she disclosed it to a third party without a valid FERPA exception, such as a health or safety emergency.
What this means to you
While it is important for colleges and universities to comply with the concepts of privacy provided in HIPAA, for most, HIPAA will apply to only a small subset of their operations, if at all. Administrators, student affairs workers, student health care providers, and human resources managers should understand the limited circumstances in which HIPAA will apply to medical records maintained by a college or university and understand the relationship between HIPAA and FERPA. While this post provides a general overview dispelling some commonly held myths, the Joint Guidance provides a deeper treatment of the issue and is a must-read for those persons likely to address HIPAA and FERPA concerns on campus.