This is part 2 of a 3-part series by guest author, Karen Gregory.

In the last post the players, FERPA and HIPAA were defined, but are there times when student records may fall under HIPAA, or are there times when an institution must comply with both FERPA and HIPAA?

As a quick review, FERPA, The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. FERPA applies to all schools that receive funds under any program administered by the U.S. Department of Education. HIPAA or The Health Insurance and Portability and Accountability Act, which is another Federal law, is multifaceted and sets standards for protection and sharing of individually identifiable health information often referred to as protected health information.

Part II – Defining the scenarios is which the standards apply.

FERPA will always apply to any student education record in all schools that receive funds under any program administered by the U.S. Department of Education. When evaluating protection of records in most circumstances the FERPA rules will take precedent as it relates to access and release of student records. As a reminder any health or medical records stored or created fall under the FERPA definition of “education” records in elementary or secondary schools. When a student 18 and older receives healthcare related services the records maintained by those healthcare providers and used only in the provision of care are considered “treatment” records. These records are NOT considered education records unless they are disclosed for any reason other than treatment. Once released for any other reason, the records are then identified as education records and are subject to the FERPA rules.

Permission for release must be granted by the parent or eligible student prior to release of the records even for billing purposes. Parents and eligible students have a right to inspect or view education records which may include health and medical information under FERPA.

*FERPA does allow the sharing of pertinent information without the consent of either the parent or eligible student. In the following situations educational institutions may release or share student information:

To school officials, who may include teachers, administrators, counselors, and health workers, for which the school has determined that they have “legitimate educational interest” in the information. Students must be informed of who the school has identified as having the need for access.

To another school in which the student seeks or intends to enroll.

In connection with financial aid for which the student has applied or which the student has received in certain circumstances.

For postsecondary institutions, to appropriate parties, including parents of an eligible student, in connection with a health or safety emergency.

To comply with a judicial order or a lawfully issued subpoena

*This is not an all-inclusive list. For a complete listing refer to 20 U.S.C. § 1232g; 34 CFR Part 99.

The question then becomes: Is there any time when the HIPAA rules come into play in the education system. Below are several scenarios which would require compliance with the HIPAA standards.

• The school is a “covered entity” – By definition, a school becomes a covered entity when it provides a health care service to an individual and then submits a claim electronically for payment to a payer. For instance a school bills Medicaid for a health service provided to a student. When this occurs the school must comply with the HIPAA Simplification Rules for Transactions and Code Sets as it relates to those transactions. However, the school would not have to comply with the Privacy or Security Rules as the records are considered education or treatment records under FERPA and are thus excluded from coverage under the HIPAA Rules.

• The school is a private institution not receiving any funding from the US Department of Education and is considered a covered entity. Most private elementary and secondary schools do not receive federal funding and if they provide health care services to students for which they bill electronically all of the HIPAA rules including Privacy and Security will apply to the institution and the student health records.

• If a student receives health services in a hospital affiliated with the university subject to FERPA, the hospital records would fall under the HIPAA requirements for protection and access. An exception would be if the hospital runs a health clinic for students on behalf of the university the records would fall under “education” or “treatment” records both covered by FERPA.

• If the institution is a covered entity providing healthcare services to non-students such as staff members, spouses of students, and the public, the HIPAA Privacy and Security rules will apply to the protection and access of these records.

There are it seems situations where an institution will fall under both FERPA and HIPAA guidelines, but what are your obligations to protect records covered by the HIPAA rules? Join us for the final blog post next week as we review the practical application of the HIPAA rules in an educational system.

Disclaimer: This information is for educational purposes only and is not intended as legal advice.

About the author

Karen Gregory, RN, joined Total Medical Compliance in 2006 as Director of Compliance and Education where she is responsible for the development and supervision of compliance programs within the organization. TMC provides onsite OSHA, infection control, and HIPAA compliance solutions to dental and medical practices, as well as seminars and webinars on various compliance issues. Karen is a requested speaker at local and state medical and dental meetings, and was a presenter at the 2010 Hinman Dental Meeting, several OSAP Symposium and the 2012 and 2013 Federal Dental Services Infection Prevention and Control Course. She is on the Editorial Review Board for Infection Control in Practice and is frequent contributor of articles in local and state organizational newsletters and magazines. Karen has been recognized as a Hu-Friedy Thought Leader and was recently presented the Dr. Milton E. Schaefer Superior Service Award for service to The Organization for Safety, Asepsisand Prevention (OSAP). Passionate about employee and patient safety, Karen takes every opportunity to share this very important information in order to improve the quality of healthcare for all involved.