In joint guidance, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education clarify how the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to student records and addresses the disclosures permitted without written consent of the parent or eligible student.
FERPA is a Federal law that applies to educational agencies and institutions (Schools) that receive Federal funds through the U.S. Department of Education. FERPA protects the privacy of students’ “education records” and provides parents specific rights to those records, including the right to access, the right to seek amendment, and the right to consent to the disclosure of personally identifiable information (PII) unless an exception applies. Once a student reaches 18 years of age or attends a postsecondary institution at any age, the student becomes an “eligible student,” and the rights transfer to him or her.
Schools subject to FERPA may not disclose students’ education records or PII from students’ education records without the prior written consent of the parent or, if applicable, the eligible student, unless an exception applies. For instance, generally, Schools may disclose this information to teachers or other school officials within the School without prior written consent if these individuals have “legitimate educational interests” in the information. In addition, schools may disclose this information without prior written consent to appropriate parties in an emergency if it is necessary for these parties to know this information to protect the health or safety of the student or other individuals. Education records are those (1) directly related to a student, and (2) maintained by a School or by a party acting for the School. “Treatment records,” which generally are records on a student 18 years of age or older receiving psychological treatment from a professional at the School, are excluded from the definition of education records and have their own maintenance and disclosure requirements under FERPA.
The HIPAA Privacy Rule requires covered entities to establish appropriate safeguards to protect the privacy of individuals’ protected health information (PHI) (i.e., health records and personal health information) the entities maintain or transmit and sets limits and conditions on the uses and disclosures of PHI without an individual’s consent with limited exceptions. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions. The Privacy Rule also gives rights to patients to their PHI, such as the right to examine and the right to obtain a copy.
According to the joint guidance, in a few limited circumstances, Schools subject to FERPA can also be subject to HIPAA. For example, a School that “provides health care to students in the normal course of business, such as through a health clinic” would be a health care provider under HIPAA, and if that School also “transmits any PHI electronically in connection with a transaction for which HHS has adopted a transaction standard, it is then a covered entity under HIPAA.” Yet, the joint guidance goes on to explain that “many schools that meet the definition of a HIPAA covered entity do not have to comply with the requirements of the HIPAA Rules because the school’s only health records are considered “education records” or “treatment records” under FERPA, which are expressly excluded from the HIPAA Privacy Rule. Further, most Schools that employ nurses, physicians, psychologists, or other health care providers do not engage in HIPAA covered transactions, such as billing a health plan electronically for their services.
However, private schools that do not receive funds from the U.S. Department of Education are not subject to FERPA. Accordingly, the joint guidance notes that if a private school is a covered entity under HIPAA, but not subject to FERPA, the school must comply with HIPAA as to all individually identifiable health information it has about students. Also, when a student is placed in a private school for Individualized Education Program (IEP) services by a school or school district subject to FERPA, the student’s education records, even those maintained by the private school, are subject to FERPA and confidentiality requirements under the Individuals with Disabilities Education Act (IDEA).
Here are some other highlights from the joint guidance:
Health records maintained by a health care provider who is a third party contractor acting on behalf of a FERPA-covered elementary or secondary school would qualify as education records subject to FERPA.
Patient records maintained by a hospital affiliated with a university who is not providing services to students on behalf of the university are subject to HIPAA if the hospital is a HIPAA covered entity.
HIPAA allows covered health care providers to disclose PHI about students to school nurses, physicians, and other health care providers without the authorization of the student or student’s parents in certain circumstances, including for treatment purposes. For example, where a physician provides information on medication and administering medication to a school nurse who will provide such medication to the student during the school day.
FERPA allows schools to disclose PII from a student’s education records, including student health records, to appropriate parties in connection with a health or safety emergency, without the consent of the parent or eligible student, if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
Note:
FERPA and HIPAA remain complex laws. While the joint guidance is a good resource for schools, universities, and colleges, FERPA and HIPAA’s applicability and the overlap between the two can be murky. While FERPA does not apply to many of our private schools and colleges the standards set by FERPA may still establish standards that should be followed to reduced exposure to negligence and other claims. We recommend seeking legal counsel for specific questions concerning your school, university, or college’s obligations under FERPA and HIPAA. For more information, the joint guidance is available here: https://studentprivacy.ed.gov/sites/default/files/resource_document/file/2019%20HIPAA%20FERPA%20Joint%20Guidance%20508.pdf