Student Privacy 101: Health Privacy in Schools – What law applies?

Schools are increasingly providing students with more health services. Health clinics, counselors on site, the administration of prescription drugs, and vaccinations are among the types of healthcare offered on school campuses ranging from kindergarten through graduate school. Given that schools may have sensitive health information — or request that information from students and parents — what law covers health record privacy for school records? The answer is important. It is also messy, because two laws can apply to this information. In some cases, no privacy law applies to the health records. Let’s begin with the basics.

Whether your records are covered under HIPAA or FERPA — or in some cases are not covered under any law — can be a challenging question to answer in some instances. Here are some basics to guide you through the most important parts of what information is covered by what law, when, and where.

Navigating School Health Privacy: The basics

FERPA, which was passed in 1974, came first. The Department of Health and Human Services issued the HIPAA health privacy rule in 2000. The Department knew that the pre-existing FERPA student record privacy law already covered health records held by schools. So it decided that HIPAA would not apply to health records that were already subject to FERPA. The idea was to avoid conflicts that would force a school to decide when to apply FERPA and when to apply HIPAA.

FERPA or HIPAA?

A good rule of thumb is that a school health record covered under FERPA is NOT covered under HIPAA.

The decision to make school health records subject to FERPA sounds like a simple solution to a difficult problem. However, the real world is messy, and even simple solutions can be difficult to apply. We have discovered that sometimes the general rule of thumb does not apply. In some cases, HIPAA will indeed apply to school health records because sometimes school health records lose their FERPA coverage.

Important Exceptions

FERPA and HIPAA do not always mesh cleanly, and that creates convoluted exceptions. Here are some of the key exceptions you need to know about:

Private Schools

Most private schools are not subject to FERPA at all because the schools do not receive federal funds. When FERPA does not apply, then the HIPAA exemption for records covered by FERPA does not apply.

While this means that HIPAA may potentially apply, it is also possible that no privacy law applies. HIPAA does not actually apply to every healthcare record held by schools, even when FERPA does not apply. HIPAA only applies to certain types of businesses which are defined strictly under HIPAA as “covered entities.” Covered entities are typically healthcare providers who bill for services, for example, hospitals, doctors, etc. This is a very important point to be clear on before a student receives health care, including mental health counseling, at a private school. For more on what kinds of businesses are covered under HIPAA regulations, see our Patient’s Guide to HIPAA entry on this topic.

Immunizations

Some school health records may be subject to HIPAA, FERPA, or even both. For example, consider a public health nurse who provides immunization to students on school grounds but who is not acting on behalf of the school. The records that the nurse creates would not be education records subject to FERPA. The nurse’s records could be subject to HIPAA while in the hands of the nurse.

If a school then obtains the records from the nurse, the records are FERPA records in the hands of the school. Disclosures between the nurse and the school require parental consent that meets either FERPA or HIPAA standards for consent.

Students 18 or older

FERPA does not cover treatment records for a student 18 years old or older as long as the school only discloses the records to persons providing treatment. Because FERPA does not apply, HIPAA would likely apply to those treatment records.

However, if a college discloses a record to anyone not providing treatment (including disclosure to the student), then it becomes a FERPA record and is no longer subject to HIPAA in the hands of the school.

The determination depends on a factual test that can produce a different result from case to case. Thus, the application of one law or the other will depend on how a specific record was actually disclosed.

University Hospital Student Health Clinics and other University Hospital Health Records

If a university hospital runs a student health clinic on behalf of a university, the clinic’s records on students would probably be subject to FERPA, not HIPAA. Hospital records about students that are not student health clinic records (e.g., inpatient records) are probably HIPAA records.

Hospital records generated from non-student health clinic visits may be subject to HIPAA, as they are unrelated to the school. If you are being treated at what seems to be a student health clinic run by your university, read the privacy notice to find out which law applies.

Health Clinic Run by a College

A college that operates a clinic open to staff, or the public, or both must comply with FERPA with respect to the health records of students, and it must comply with the HIPAA Privacy Rule with respect to the health records of nonstudents.

HIPAA or FERPA – which gives you better rights?

Do you have better privacy protection if your records are subject to HIPAA or FERPA? The answer varies, and some privacy rights are better under one law, and some are better under the other. The differences can be quite complex and subtle. Ultimately, these complexities may not be that important in many circumstances. Besides, the applicable law is not in your control, so you have to take the law that applies and work with it. Here are some basics about the two statutes, and how to work with them.

If your records are Subject to HIPAA:

If your records are subject to HIPAA, you have 8 specific rights under HIPAA. For example, the right of access, the right to restrict disclosures, the right to ask for an accounting of disclosures, and more.

Here are the eight key rights of HIPAA:

For a step-by-step explanation of how to use your HIPAA rights, see our Patient’s Guide to HIPAA, Part II, Basic Patient Rights.

If your records are Subject to FERPA:

FERPA gives parents and eligible students these basic rights:

Excerpted from the Department of Education Family Policy webpage, available at http://familypolicy.ed.gov/ferpa-parents-students.

Other Things You Can Do

Ask the School

If you are a student (or parent of a student) and you want to know what privacy rule applies, you should ask or look for a copy of the privacy policy or notice of information practices. It matters at times because privacy protections differ under HIPAA and FERPA.

Request a Copy of Your Medical Files

Whether your school health files are held under HIPAA or FERPA, request a copy of your files. This is important for all patients, including students. Having these records becomes especially important in cases of medical forms of identity theft.

Read the Official Guidance

The Department of Education and HHS issued an explanation of the two laws: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records. Be warned. It’s a complicated document and a challenge even for lawyers to understand. However, if you want the fine print, this is a good document to peruse.

Additional Resources:

HIPAA:

A Patient’s Guide to HIPAA: This is a comprehensive and yet easy to read guide written expressly for patients.

Paying Out of Pocket to Protect Health Privacy: This is a report with extensive tips on how to exercise your right to pay out of pocket.

FERPA:

Updated January 2017. Originally published Feb. 2015.
