Overview
Understanding the ins and outs of compliance with federal privacy and data protection regulations can be complicated for even the savviest of school administrators. Though both the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have a focus on protecting the rights of consumers of educational and healthcare-related services, respectively, some clear guidelines can help school-based health clinics stay in compliance while providing adequate student care. This article will briefly overview both acts, identify areas where they differ and overlap, and discuss strategies for staying compliant. Though these overviews are based on recommendations from the federal government, if you have any questions or are unsure about the privacy laws specific to your state or situation, you should consult an attorney.
What are HIPAA and FERPA?
Enacted in 1996, HIPAA was intended to improve the means by which health records are transacted and transmitted electronically and to ensure the proper protection and security of those records, referred to as protected health information (PHI). The rules that implement HIPAA have been issued by the U.S. Department of Health and Human Services and define the “covered entities” that must comply with the act: health plans, health care clearinghouses, and the rather broad category of “health care providers,” which encompasses hospitals and private clinics as well as any physician, dentist, or other practitioner who “furnishes, bills, or is paid for health care in the normal course of business.” [1]
Predating HIPAA by over twenty years, FERPA was first signed into law in 1974 and is administered by the U.S. Department of Education (ED). Applicable to any educational agency or institution that receives federal funds from the ED, FERPA applies to all public elementary and secondary schools and most post-secondary institutions. Whereas HIPAA protects PHI, FERPA was enacted to protect personally identifiable information found within “education records,” which, as we will see, is a term that is actually quite broad. [1]
Both HIPAA and FERPA stipulate the specific federal guidelines under which information must be protected, when it may be disclosed, and under what circumstances prior consent is not required.
Domains Where HIPAA and FERPA Overlap and Differ
Although one may presume that the dividing line between HIPAA and FERPA is simply a matter of whether a given record pertains to health or to education, this is not the case. It is the type of organization that maintains the record, not the type of record, that determines whether FERPA or HIPAA is the governing law.[2] FERPA defines “education records” as records that are “(1) directly related to the student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3). Health records collected by school- or university-based clinics therefore technically fall under FERPA, because such clinics usually only provide services to students (part 1) and the records are maintained by the institution (part 2). Thus, whether they are immunization records required for enrollment or X-rays taken by a university-affiliated physician through campus health services, neither is considered a “health record” per se that would be regulated by HIPAA.
There are, perhaps not surprisingly, a few wrinkles to this. FERPA also defines a category of “treatment records,” which are excluded from “education records.” [2] Treatment records are records maintained by a postsecondary institution that are “made, maintained, or used only in connection with the provision of treatment to the student.” They may be disclosed only to the individuals (i.e., the physician, psychiatrist, psychologist, or other professional or paraprofessional involved in treatment) who have a treatment-related need to view them; any disclosure to anyone else is governed by the rules specified under FERPA, not HIPAA. Put differently, once a treatment record is disclosed to anyone else, it becomes subject to the privacy rules of FERPA. [3]
Things start to become confusing if a university- or school-run clinic also provides health care to non-student employees (e.g., staff, faculty) or to members of the public. Those individuals’ records, as they are created and/or collected in “the normal course of business,” would be regulated by HIPAA rather than FERPA. Note that even then, whether HIPAA applies depends on whether the provider is a “covered entity,” meaning a health care provider that transmits health information in electronic form. And if the records are maintained by neither an educational entity nor a covered health care provider, it is still worth considering how state-level privacy laws may apply in any given circumstance.
Responsibilities of School-Based Health Clinics in Maintaining Compliance
Ensuring the privacy and safety of student information – be it technically PII or PHI – should be among the primary concerns of any school-based health clinic. One key to this is knowing whether the handling of one’s medical record is regulated by FERPA or HIPAA. As outlined above, if an individual is a student of the school, then chances are excellent that compliance with FERPA is warranted. [2,3,4] Thus, it is important for any school-based health clinic to know:
- The student status of a given individual seeking or receiving healthcare
- The status of the agent or agency providing healthcare to the individual (i.e. are they acting on behalf of the educational institution, in which case FERPA is applicable)
Strategies for Effectively Balancing Student Privacy and Healthcare Accessibility
Given how complex the respective rules may seem regarding the safeguarding of student information, it may be helpful to draw up a few simple steps to ensure students can access the healthcare they need:
- Be proactive: If not already on the books, schedule an annual discussion with your office of compliance and/or counsel to 1) go over any changes to federal or state rules or their interpretation and to 2) discuss any edge cases that may have arisen that were particularly vexing.
- Communicate thoroughly: Make sure that all staff involved in school-based health clinics are current on which rules apply to the organization and when and to whom they should be applied.
- Don’t rely on memory: Many organizations have produced flow charts or decision trees that help with “in-the-moment” decisions; one example is the flowchart published by the California School-Based Health Alliance [4].
Summary
For school-based health clinics, understanding whether to follow FERPA or HIPAA guidelines related to the protection and dissemination of healthcare-related information is critical. For most university-administered health clinics (i.e., those that only provide services for students), the answer may be simple (i.e., FERPA); however, to prepare for all contingencies, some straightforward steps can be taken preemptively. As with all legal and regulatory matters, it is always best to validate all procedures and processes with compliance officers and affiliated attorneys, particularly as there may be nuances (e.g., third-party organizations, employees; [5]) that fall either under the HIPAA regulations or under those set forward by state or local governments.
References
1. Mulligan, Stephen P., and Chris D. Linebaugh. 2019. “Data Protection Law: An Overview.” Accessed June 7, 2024.
2. U.S. Department of Health and Human Services and U.S. Department of Education. 2019. “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.” Accessed June 7, 2024.
3. McDonald, Steven J. 2008. “The Family Rights and Privacy Act: 7 myths—and the Truth.” The Chronicle of Higher Education 54(32): A53-4.
4. California School-Based Health Alliance. n.d. “HIPAA, FERPA, Both* or Neither? A Flowchart for Decision-Making.” Accessed June 7, 2024.
5. Daggett, Lynn M. 2020. “The Myth of Student Medical Privacy.” Harvard Law & Policy Review 14:467-530.