The Intersection of FERPA and HIPAA (Part 1) [Guest Post]

Magnus Health
September 26, 2013

This is part 1 of a 3-part series by guest author, Karen Gregory.

This week marks an important date in the healthcare community: required compliance with the recently published HIPAA Omnibus Rules. But do these updates impact the protection of, or access to, student health records? This is part one of a two-part series on the relationship between FERPA and HIPAA in the educational system.

Part 1 – Defining the Players

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. FERPA applies to all schools that receive funds under any program administered by the U.S. Department of Education. Included in this category are most public schools and school districts, and most private and public postsecondary institutions, including medical and professional schools. Typically, private and religious elementary and secondary level schools are not in receipt of such funds, and are thereby exempt from protections provided by FERPA.


FERPA provides protection of education records by requiring the written consent of a parent, or an eligible student, prior to the disclosure of the education records, or release of personally identifiable information from the records. An eligible student is a student who has reached 18 years of age or who attends a postsecondary institution at any age.

Education records are records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. At the elementary or secondary school level, health records, including immunization records, are considered education records. At the post-secondary level, medical and psychological treatment records of students are excluded from the definition of education records IF they are made, maintained, and used only in the treatment of the student and only those involved in the delivery of care have access to the information. These records are considered treatment records. However, if the school discloses these records for any purpose other than treatment, the records are then designated as education records and all FERPA requirements apply.

HIPAA, or the Health Insurance Portability and Accountability Act, is multifaceted and sets standards for the protection and sharing of individually identifiable health information, often referred to as protected health information. These rules include the Privacy and Security Rules, and the Administrative Simplification Rules for Transactions and Code Sets. The HIPAA Privacy Rule establishes guidance on how health care providers who perform certain electronic transactions, such as billing for a service, must protect patient information. The Privacy Rule also outlines certain patient rights of access and the ability of the patient to direct how their health information may be used or disclosed. The HIPAA Security Rule identifies protections for protected health information stored in an electronic form.

There are times when a school will provide health care services to students and as such is considered a health care provider. If the school then submits a claim for payment electronically to a payer, for instance Medicaid, the health clinic would then be considered a covered entity and thus must comply with the HIPAA Simplification Rules for Transactions and Code Sets as it relates to those transactions. However, the school would not have to comply with the Privacy or Security Rules, as the records are considered education or treatment records under FERPA and are thus excluded from coverage under the HIPAA Rules.

45 CFR 160.103

(2) Protected health information excludes individually identifiable health information in:

(i) Education records covered by the Family Educational Rights and Privacy Act.

Based on this information, it appears that access to student education or treatment records will be dictated by FERPA, but is there more to the story?

Part two of the series will address the following:

  • How to handle records in your health clinic if services are provided to spouses or other family members who are not students.
  • Circumstances in which the HIPAA Privacy Rule may apply to an elementary or secondary school.
  • HIPAA and FERPA access to records.
  • Students at a university hospital.

There are always exceptions, it seems!

About the author

Karen Gregory, RN, joined Total Medical Compliance in 2006 as Director of Compliance and Education, where she is responsible for the development and supervision of compliance programs within the organization. TMC provides onsite OSHA, infection control, and HIPAA compliance solutions to dental and medical practices, as well as seminars and webinars on various compliance issues.

Karen is a requested speaker at local and state medical and dental meetings, and was a presenter at the 2010 Hinman Dental Meeting, several OSAP Symposium and the 2012 and 2013 Federal Dental Services Infection Prevention and Control Course. She is on the Editorial Review Board for Infection Control in Practice and is a frequent contributor of articles in local and state organizational newsletters and magazines. Karen has been recognized as a Hu-Friedy Thought Leader and was recently presented the Dr. Milton E. Schaefer Superior Service Award for service to The Organization for Safety, Asepsis and Prevention (OSAP).

Passionate about employee and patient safety, Karen takes every opportunity to share this very important information in order to improve the quality of healthcare for all involved.