Avoiding Liability Bulletin – February 2009
… As a result of confusion among health care professionals and school administrators throughout the country, the U.S. Department of Education and the U.S. Department of Health and Human Services have issued a joint guidance (November 2008) on the application of two federal acts – the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – to student health records. I have used the content of this written guidance, often “word for word,” quite liberally in this article so as to avoid inaccuracies. The intersection of these two laws has caused some confusion, primarily for school administrators, when faced with questions about the release of student health records to parents and/or to third parties. This article touches upon only some of the aspects of this rather complex subject matter.
FERPA protects the privacy of students’ “education records,” which term is defined broadly enough (e.g., records that are directly related to a student and maintained by an educational agency or institution or by one acting for the agency or institution) to include certain student health records. HIPAA, among other things, deals with the privacy of mental health records maintained by those mental health practitioners (and other “covered entities”) who are “covered providers” because they transmit health information in electronic form with respect to specified transactions related to insurance billing. The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA – that is, “education records.” (The HIPAA Privacy Rule also excludes “treatment records,” as defined in FERPA, from its coverage.)
These two federal laws intersect with each other when a school that is covered by FERPA (generally, educational institutions/agencies that receive funds from the U.S. Dept. of Education, such as virtually all public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools) provides health care to students in the normal course of business and conducts covered transactions electronically in connection with that health care.
One of the areas clarified by the joint guidance is whether the HIPAA Privacy Rule applies to elementary or secondary schools that maintain health records of students. Generally, the HIPAA Privacy Rule does not apply to these schools. This is typically so because the school is not a “covered entity,” or, if a “covered entity,” the health information maintained on students is contained in records that are considered “education records” under FERPA, which are not subject to the HIPAA Privacy Rule. Also, elementary or secondary schools may employ mental health practitioners to provide therapy or counseling services to students, but if the school or the provider does not bill a health plan electronically for such services, the school is not a “covered entity” under HIPAA.
A different example would be where a public high school employs a mental health practitioner who bills Medicaid electronically for services provided to a student under IDEA (the Individuals with Disabilities Education Act). In that case, the school is a HIPAA “covered entity” and would be subject to HIPAA requirements concerning transactions, but would probably not be subject to the HIPAA Privacy Rule because the mental health information may be maintained in what is considered to be “education records,” as defined in FERPA. The school would then have to comply with the FERPA privacy requirements. (Private and religious schools at the elementary and secondary level generally do not receive funds from the U.S. Department of Education and are, therefore, not subject to FERPA.)
Some therapists or counselors may be employed at a university hospital. A question arises as to whether FERPA or HIPAA applies to the patient records maintained by the hospital affiliated with a university that is subject to FERPA. Since these hospitals typically provide health care services without regard to the person’s status as a student and not on behalf of the university, patient treatment records are subject to all of the HIPAA rules, including the Privacy Rule – assuming that the hospital is a “covered entity” (usually the case). These particular patient records would not ordinarily be considered “education records” or “treatment records” covered by FERPA. However, if the hospital runs the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA and not subject to the HIPAA Privacy Rule.
Why is it important to know whether the HIPAA Privacy Rule applies, or the privacy requirements of FERPA, in any given situation? The rules regarding disclosure of student health records may differ between FERPA and the HIPAA Privacy Rule, depending upon the circumstances involved. Questions are likely to arise as to a student’s right to access (inspect or copy) his or her own records, both as a minor and as an adult. Additionally, parents may desire to access the health records of their minor children who are students (the HIPAA Privacy Rule essentially defers to state law with respect to the issue of a parent’s right to access the health care records of a minor patient). Finally, schools may be faced with requests by parents or the student that the student’s health records be sent to other health care providers or to “third parties.” In each situation, it is critical for the practitioner and the school to know which law applies.
I was able to access this thirteen-page document by “googling” the words “joint guidance on FERPA and HIPAA.” It can likely be accessed through the websites for either the U.S. Department of Education or the U.S. Department of Health and Human Services.