On December 19, 2019, the U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services released updated joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to student education and health records.
First issued in November 2008, the joint guidance clarifies how HIPAA and FERPA apply to educational institutions, school administrators, healthcare providers, family members and others when it comes to student health records. The joint guidance provides background on FERPA and HIPAA and analyzes how the two laws may intersect, addressing questions many educational institutions grapple with regularly.
Among other topics, the joint guidance addresses the following:
- When covered entities are permitted to disclose protected health information (PHI) without patient authorization, including to family members;
- When a covered entity can disclose PHI of a minor with mental health or substance use disorder to the minor’s parents;
- When an educational institution can disclose personally identifiable information (PII) from a student’s education records to a third-party health care provider;
- Whether an educational organization can disclose PII to law enforcement officials or the National Instant Criminal Background Check System; and
- When PHI or PII can be shared about a student who presents a danger to themselves or others.
Health care providers and educational organizations should be aware of the topics included in this guidance and note the applicability of these laws to the records they maintain. A link to the guidance is included here.