While the update to the joint guidance does not represent a sea change in how OCR and ED interpret the interplay of the respective privacy regulations and student health information, it does provide an important reminder for institutions and entities to consider the nuance of their unique operational makeups as it relates to their handling and transmission of health and educational information for students and minors.
FERPA applies to educational agencies and institutions that receive federal funds under any program administered by ED. Generally, this applies to public elementary and secondary schools, school districts, and postsecondary institutions (including medical and professional schools). Any school subject to FERPA’s terms may not disclose a student’s education records, or any personally identifiable information (PII) from those records, without the prior written consent of a parent or an “eligible student,” unless one of the exceptions to non-consensual disclosure applies. An eligible student is one who has reached the age of 18 years or attends a postsecondary institution. FERPA further distinguishes between an “education record” and a “treatment record.” A treatment record is a record on a student who is age 18 years or older or who is attending a postsecondary institution, which is made by a medical or mental health professional, maintained or used only in connection with the provision of treatment to the student, and available only to appropriate professionals for that treatment.
HIPAA established national standards and requirements for electronic health transactions and for protecting the privacy and security of health information in any form. HIPAA requires those entities subject to it to protect individuals’ health records and other identifiable health information through safeguards, limitations and conditions on how protected health information must be maintained, as well as on when it can be used and disclosed without a patient’s express permission.
As laid out in the joint guidance, there are circumstances where an institution may be subject to both FERPA and HIPAA, which can cause confusion as to the standards and applicable laws appropriate to specific information. Importantly, HIPAA specifically excludes records protected by FERPA from its coverage. This confusion is more pronounced in the postsecondary context, particularly where there is a covered HIPAA entity or portion of an entity within a larger postsecondary institution. The joint guidance from the OCR and ED helps clarify when specific health records are subject to FERPA and, therefore, not subject to HIPAA, and what to do with health records when they are subject to FERPA or HIPAA.
HIPAA applies to covered entities and business associates, as defined in HIPAA. But even schools that are HIPAA covered entities may not be required to comply with the HIPAA Privacy Rule and Security Rule, where the health records maintained by the covered entity are education, law enforcement or treatment records as defined by FERPA.
There are several specific circumstances where HIPAA and FERPA may overlap that the joint guidance addresses, including but not limited to the following:
- Elementary or Secondary Schools: Generally, the HIPAA Privacy Rule does not apply to elementary or secondary schools for one of two reasons: (1) the school is not considered a covered entity, or (2) the information isn’t protected health information under HIPAA:
  - The school is not a covered entity under HIPAA: Generally, elementary and secondary schools do not engage in any covered transaction, such as billing a health plan electronically. Even if the school employs nurses, physicians or other healthcare providers, this lack of electronic billing means the school is not a covered entity.
  - The information isn’t protected health information under HIPAA: If the school does conduct a covered transaction and is considered a covered entity under HIPAA, the school would still not be subject to the Privacy Rule because the health information in the student records is an “education record” or “treatment record” as defined by FERPA and not “protected health information” as defined by HIPAA. Note that non-PHI records – e.g., “treatment records” transferred from a school to a covered provider – may then become PHI for that covered provider.
  - The school is a covered entity but not subject to FERPA: Schools that are not subject to FERPA (e.g., a private school) but that are covered entities under HIPAA (e.g., they provide covered services to the private school’s students) must comply with HIPAA.
  - Private schools: Students placed in private school by an entity subject to FERPA for the provision of an Individualized Education Program are subject to FERPA and the Individuals with Disabilities Education Act (IDEA). IDEA generally incorporated FERPA’s confidentiality provisions and exceptions, with slightly broader protections. Note that ED is in the process of amending FERPA regulations to further address this scenario.
For elementary and secondary schools, student health records and immunizations typically fall within a FERPA education record maintained by the school, as in the case of a school nurse employed directly by a local elementary school who maintains immunization records. Records maintained by a school on a child’s disabilities would also generally fall within the definition of an education record, as well as a record under IDEA, for a student under the age of 21. When a physician, psychologist or other healthcare professional provides treatment to elementary and secondary students for a school, FERPA and/or IDEA would typically apply to the records of such treatment, because such schools are typically not covered entities and the providers do not engage in covered transactions (e.g., billing a health plan electronically).
When the health information is maintained by a provider not employed by the school, it is still considered an education record under FERPA, so long as the provider is under contract or under the direct control of the school. Where the provider is not under contract to, employed by or otherwise acting on behalf of the school, the records are not subject to FERPA because the party creating them is not acting on behalf of the school. Distinguishing this is important because should the school want to share any PII from education records that are subject to FERPA with this provider, it would need to comply with FERPA before sharing that information. These records would then be subject to HIPAA only if the provider conducts one or more covered electronic transactions.
- Troubled Teens: The HIPAA Privacy Rule generally does allow a healthcare provider to disclose protected health information about a troubled teen to the teen’s parents. For minor children, the disclosure is allowed to the minor child’s personal representative. There may be some circumstances where the parent is not the minor child’s personal representative, such as when the child receives treatment without a parent’s consent under applicable law. In those cases, the disclosure is allowed in limited circumstances, such as when the provider believes the teen presents a danger to him- or herself or to others and such disclosure is necessary to prevent or lessen the threat. State laws may be more restrictive with teens’ health information.
- Postsecondary Institutions: FERPA applies to most public and private postsecondary institutions, including campus healthcare clinics. “Education records” under FERPA include records directly related to a student and maintained by an educational agency or institution or by a party acting on behalf of or for the agency or institution. “Treatment records” under FERPA include records on a student who is 18 years or older or is attending a postsecondary educational institution and which are maintained by a physician or other recognized professional/paraprofessional in connection with the provision of treatment to the student. Treatment records are not education records under FERPA but may be disclosed for purposes other than a student’s treatment, provided this is done under one of the enumerated exceptions to written consent under FERPA. If the records are disclosed for purposes other than treatment, then they are subject to all other FERPA requirements. Treatment records are not available to anyone other than the provider treating the student or others per the student’s choice and express permission. Importantly, there are many records related to healthcare or provision of healthcare to students that are not treatment records. For example, billing records are not treatment records, but are education records and would be subject to the rules and regulations afforded to education records under FERPA.
Nonstudent healthcare records, to the extent they exist, and where the institution is a HIPAA covered entity, are subject to the HIPAA Privacy Rule. Oftentimes, this Rule applies where a postsecondary institution provides healthcare to students (whose records are subject to FERPA) and nonstudents (whose records are subject to HIPAA).
In some cases, a patient may be both a student and an employee of a university. In this case, the records would be subject to the same protections the individual would be entitled to as a student, either as treatment records or education records.
Some postsecondary institutions may be considered a “hybrid entity” under HIPAA, which allows the HIPAA Privacy Rule to apply only to its healthcare unit and no other departments, such as education or research. To become a hybrid entity under HIPAA, the school must designate its health unit as a “health care component,” which must include all components of the institution that would meet the definition of a covered entity or business associate under HIPAA, if they were separate legal entities.
- University Hospitals: This scenario arises where a hospital affiliated with a university administers services without regard to a person’s status as a student and does not provide services on behalf of the university. In that case, the hospital is a covered entity and is subject to HIPAA. This analysis may differ in the rare case where the university hospital runs a student health clinic on behalf of the university, which would mean records maintained by the hospital on the students would be subject to FERPA.
Beyond the avenues of overlap above, the joint guidance provides a helpful FAQ with factual scenarios showing where HIPAA or FERPA is applicable. Much of this guidance has been provided as additional clarity in the joint update related to the sharing of information in health and safety emergencies and student-initiated treatment. For example, the joint guidance makes clear that a school official can disclose PII from a minor student’s education record to a third-party healthcare provider when necessary to protect the health or safety of the student. The guidance also provides that under HIPAA, there are circumstances when providers can disclose PHI about students to school nurses for several purposes, including but not limited to discussing the student’s medication or other healthcare needs. In order to garner the most benefit from the examples provided in the FAQ, an institution first needs to determine whether FERPA, HIPAA or both are applicable. Because both regulations, particularly FERPA, are incredibly fact specific, it is recommended that an institution consult with its legal counsel regarding the analysis of whether HIPAA or FERPA applies and how the examples provided in the joint guidance may guide or counsel response in an institution’s specific factual scenario. Ultimately, the joint guidance provides further clarification that there are legitimate scenarios where the sharing of student health information, either as PII from an education record or as PHI subject to HIPAA, is permitted and will not be considered a breach under either statute.