The Intersection of FERPA and HIPAA: Which Rule Applies? (Part 3) [Guest Post]

Magnus Health
October 30, 2013


This is part 3 of a 3-part series by guest author Karen Gregory.

In the last two posts we reviewed how FERPA, and in limited cases HIPAA, apply to student records. This last post reviews the basic precepts of how the HIPAA Privacy and Security Rules protect health information.

The HIPAA Privacy and Security Rules, regulations issued under the Health Insurance Portability and Accountability Act, outline protections for specific health information. The Privacy Rule covers protected health information in any form (spoken, written, or electronic); the Security Rule covers only protected health information in electronic form.


The Privacy Rule establishes certain patient rights of access and the ability of the patient to direct how their health information may be used or disclosed. Additionally, the Privacy Rule describes how protected health information may be used and disclosed in order to provide healthcare services.

Patient Rights

  • Access – Patients have the right to review and obtain a copy of their protected health information in the designated record set, which includes both medical and billing records. For minor children this right generally falls to the parent or legal guardian acting as the child's personal representative.
  • Amendment – A request can be made to the healthcare provider (covered entity) for an amendment to information in the record set when that information is inaccurate or incomplete.
  • Disclosure Accounting – Patients may request an accounting of disclosures: a list of releases of their information, other than those for treatment, payment, or certain healthcare operations, that the patient would not otherwise be aware of.
  • Restriction Request – Patients or their legal representative have the right to request restrictions on the use and disclosure of their information, including:
    • Use or disclosure of protected health information for treatment, payment, or healthcare operations.
    • Release of information to an insurance company when the patient has paid for the service in full out of pocket. Since the 2013 Omnibus Rule the provider must agree to this particular restriction; other restriction requests may be declined.
    • Disclosure to persons involved in the individual's health care.
    • Disclosure to notify family members or others about the individual's general condition, location, or death.
  • Confidential Communications – Patients may request to be contacted in a confidential manner, such as having information sent to a different address or being called at a specific phone number.

Use or Release of Patient Information

  • For treatment, payment, and healthcare operations, after providing the patient a Notice of Privacy Practices.
  • To the individual or their legal representative.
  • To friends and family with informal approval or in emergencies. If the patient is present and able to respond, the healthcare provider should ask the patient for permission before discussing their healthcare with others.
  • When the patient provides written authorization.

The HIPAA Security Rule identifies protections for electronic protected health information (ePHI), whether it is stored or transmitted. To comply with the Security Rule, a covered entity must:

  • Perform a risk analysis to identify where ePHI is vulnerable, and manage the risks it identifies.
  • Implement Administrative Safeguards, which include written policies and procedures, an assigned security official, and workforce training.
  • Establish Physical Safeguards that physically protect the hardware and software holding ePHI. Proper use of workstations, as well as the disposal and destruction of electronic media, must be outlined.
  • Establish Technical Safeguards: access controls that limit ePHI to authorized persons, audit controls that record activity on systems holding ePHI, integrity controls that detect improper alteration or destruction, authentication of the person or entity seeking access, and transmission security (such as encryption) for ePHI sent over a network.

While the HIPAA Privacy and Security Rules apply to student records only in limited cases, these principles provide a level of protection for those records that are not covered by FERPA.

Disclaimer: This information is for educational purposes only and is not intended as legal advice.

On November 5th, Karen Gregory will join us for a webinar further detailing the HIPAA and FERPA complexities in a school environment.


About the author

Karen Gregory, RN, joined Total Medical Compliance in 2006 as Director of Compliance and Education where she is responsible for the development and supervision of compliance programs within the organization. TMC provides onsite OSHA, infection control, and HIPAA compliance solutions to dental and medical practices, as well as seminars and webinars on various compliance issues.

Karen is a requested speaker at local and state medical and dental meetings, and was a presenter at the 2010 Hinman Dental Meeting, several OSAP Symposia, and the 2012 and 2013 Federal Dental Services Infection Prevention and Control Course. She is on the Editorial Review Board for Infection Control in Practice and is a frequent contributor of articles to local and state organizational newsletters and magazines. Karen has been recognized as a Hu-Friedy Thought Leader and was recently presented with the Dr. Milton E. Schaefer Superior Service Award for service to The Organization for Safety, Asepsis and Prevention (OSAP).

Passionate about employee and patient safety, Karen takes every opportunity to share this very important information in order to improve the quality of healthcare for all involved.