New guidance issued jointly by the U.S. Department of Education and the U.S. Department of Health and Human Services advises schools that most health information relating to students at federally-funded elementary and secondary schools, including health and treatment records, is protected and governed by FERPA. The guidance also makes clear that since most schools are not “covered entities” under HIPAA, these student health records are NOT also subject to HIPAA protection.
This advice is important because complying with multiple regulations is both costly and confusing and creates unnecessary burdens on administrators, parents and health care professionals. The interplay and exceptions to this general principle are different depending upon whether the school is private or public and whether it is a K-12 school or one that offers graduate level education. To ensure that compliance is constructed correctly, we advise a careful read of this guidance along with a discussion with your attorney.
FERPA (20 USC § 1232g; 34 CFR Part 99) is the federal law that protects the privacy of student’s “education records” and applies to educational agencies and institutions that receive federal funds. Thus, FERPA generally does not apply to private or religious schools at the elementary and secondary levels.. “Educational Records” have a broad definition under FERPA and include records directly related to the student and those maintained by an educational agency or institution or by a party acting on behalf of the school. The guidance specifically identifies that student health records, including immunization records, such as those kept by a elementary or secondary school nurse, would generally constitute education records subject to FERPA and would not be subject to HIPAA. The exception is “treatment records,” which apply to students aged 18 or older (or a student attending a post-secondary educational institution) created by a physician or other professional offering direct treatment to the student.
FERPA prevents the disclosure of educational records or PII of a student without the consent of their parent or the student individually if they are an “eligible student.” Exceptions exist around need in cases of emergency or within the school if the individuals are authorized to see the information generally and revealing the records satisfies “legitimate educational interests.” The law also grants individual access and the right to seek corrections to these records to the parents or eligible students. In this sense, FERPA has many similarities to HIPAA.
HIPAA applies to “covered entities,” including health plans, health care clearinghouses and health care providers, that transmit health information in electronic form in connection with covered transactions and bill for their services. 45 CFR § 160.103; 45 CFR Part 163, Subparts K-R. For the most part a school would not be a covered entity and thus not subject to HIPAA. However, if the school does offer health care to students when school is in session, through for example a health clinic, and transmits those records electronically, it could subject itself to portions of the HIPAA regulations. But if the school merely maintains the records, they would be considered “education records” or “treatment records” and are specifically excluded under HIPAA.
HIPPA typically does not apply to elementary or secondary public schools because the institution is either not a covered entity or maintains the health information only on students as a part of their “education record” pursuant to FERPA. A public school that provides and charges Medicaid for certain medical care (for example care provided to a student under the Individuals with Disabilities Education Act “IDEA”) could be subject to the HIPAA Transactions and Code Set Rules, but may not have to comply with the entirety of the HIPAA Privacy Rules since the information would be an education record protected by FERPA. Certain private elementary or secondary schools might be subject to HIPAA because they are not regulated by FERPA and cannot claim the information is part of a FERPA protected “education record.” In that case, these health records could be governed by HIPAA. But even in this circumstance, both agencies are seeking to protect the information pursuant to FERPA where possible. For example, the U.S. Department of Education is in the process of preparing a Notice of Proposed Rulemaking to amend the FERPA regulation to protect IEP service records maintained by a private school under FERPA’s privacy rule rather than HIPAA’s.
Overall, we are seeing a rise in the number of cybersecurity and data privacy regulations potentially applicable to school districts and educational institutions. These include the two discussed here, HIPAA and FERPA, as well as New York’s Education Law 2D, regulations from the Department of Financial Services, standards promoted by the Payment Card Industry and New York’s new SHIELD law. Institutions could benefit greatly by identifying the laws that potentially apply to their activities and narrowly applying them to only the information and systems that store that information. Although this requires a greater upfront analysis and assessment, it will pay dividends in terms of limiting the number of technical, administrative and physical controls required by each regulation and reduce the likelihood of mistakes and training surrounding the implementation of multiple compliance regulations. Accordingly, this guidance is both timely and welcome.
