Does HIPAA apply to schools?

HIPAA generally does not apply to schools and educational institutions as FERPA protects student information adequately. However, there are exceptions, such as private schools and health services provided to employees or non-students, where HIPAA regulations may come into play. Schools must assess their circumstances and consult legal experts to determine compliance obligations. 

Understanding HIPAA and FERPA

HIPAA is a federal law that protects personal health information (PHI) held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses. However, when it comes to schools and educational institutions, another federal law takes precedence — the Family Educational Rights and Privacy Act (FERPA).

FERPA protects all information in a student's education record, including grades, disciplinary actions, and any other personally identifiable information. It applies to all educational institutions that receive federal funding, ensuring the privacy and confidentiality of student records.

On the other hand, HIPAA protects only PHI, which is health information created or received by covered entities in the course of providing healthcare services. While HIPAA sets strict standards for the privacy and security of health information, it does not cover information stored in a student's education record.

Read more: How FERPA and HIPAA work together to protect student data 

When does HIPAA apply to schools?

Schools and educational institutions are often not subject to HIPAA's data privacy requirements. FERPA provides adequate protection for student information, and schools must comply with its provisions. However, there are exceptions where HIPAA applies to schools and educational institutions:

• Private schools: Although FERPA applies only to schools that receive federal funding, private schools are not shielded from HIPAA's data protection requirements. Therefore, private schools are more likely to be subject to HIPAA regulations.
• Health services for employees and non-students: If a school's health services provide care to employees or other non-students, the health information of those individuals may be protected by HIPAA. FERPA only covers student information, not employee information.

Related: FERPA or HIPAA compliant? Protecting health information in schools 

HIPAA's coding regulations and covered entities

HIPAA addresses data privacy and includes regulations related to electronic transactions and code sets. These regulations apply to covered entities that engage in electronic healthcare transactions. To be considered a covered entity, a school must meet the following criteria:

• Electronic healthcare transactions: Covered entities must engage in electronic healthcare transactions, such as billing a health plan for treatment provided to a student. A school that does not conduct electronic transactions may not qualify as a covered entity.
• Treatment providers as employees: A covered entity must employ the organization or individuals providing treatment. For example, if a pharmacist provides vaccinations on school grounds but is not an employee of the school, the school may not be considered a covered entity.

Ensuring HIPAA compliance for schools

While most schools are not subject to HIPAA's data protection requirements, they must still adhere to other aspects of the law. Here are some steps schools can take to ensure HIPAA compliance:

• Legal consultation: Schools should consult with legal experts to determine which laws apply to their specific circumstances. This will help clarify whether they are considered covered entities and need to comply with HIPAA's requirements.
• HIPAA transactions, code sets, and identifier rules: If a school qualifies as a covered entity, it must comply with HIPAA's transactions, code sets, and identifier rules. These rules outline the standard formats for coding electronic claims and simplify healthcare transactions.
• FERPA information regulations: Even if a school is not subject to HIPAA's privacy rule, it must still comply with FERPA's information regulations. This includes restrictions on access to students' educational records, notification requirements for including students in a school directory, and allowing students to opt out of certain disclosures.
• Protection of PHI: If a school is subject to HIPAA's privacy rule, it must ensure the protection of any information considered PHI. This includes using secure channels that encrypt data when receiving and sending PHI. HIPAA-friendly online forms, such as those provided by Jotform, automatically encrypt sensitive data to ensure secure transmission.

See also: HIPAA Compliant Email: The Definitive Guide

In the news

A ransomware attack on the Los Angeles Unified School District exposed detailed psychological evaluations of former students, potentially impacting thousands. The breach, orchestrated by the Vice Society ransomware gang, disclosed sensitive information including medical histories and academic records. 

Despite the gravity of the situation, the district refrained from notifying affected individuals, revealing disparities in federal privacy laws that exempt schools under FERPA, unlike HIPAA-covered healthcare providers. The breach's enduring implications on students' privacy and service funding are worrisome, alongside the complexities of notifying affected parties, posing significant risks to students and their families.

FAQs

How does FERPA differ from HIPAA regarding student health records?

FERPA primarily deals with the privacy and confidentiality of student education records, including health records maintained by schools. It gives parents certain rights concerning their children's education records, while HIPAA focuses on the privacy and security of health information held by covered entities.

Can schools share student health information with parents under HIPAA?

Under HIPAA, parents generally have the right to access their children's medical records. However, in the context of schools, FERPA typically governs the access and disclosure of student health records, and it grants parents the right to access and amend their children's educational records, including health information maintained by the school.

Are there any situations where HIPAA may apply to schools?

There are certain circumstances where schools may be considered covered entities under HIPAA, such as when they operate a healthcare component, such as a school-based health center, that conducts covered transactions electronically.

What are the implications of FERPA and HIPAA for student health records?

Schools and educational institutions must understand the differences between FERPA and HIPAA when it comes to student health records to ensure compliance with the relevant laws. This includes knowing when and how student health information can be shared, as well as the rights of parents and eligible students regarding access to these records.