FERPA or HIPAA compliant? Protecting health information in schools

Featured image

Share this article

Woman holding a pen to sign a legal document

When schools share students’ protected health information (PHI), sometimes it can be confusing to know whether the Family Educational Rights and Privacy Act (FERPA) or Health Insurance Portability and Accountability Act (HIPAA) applies. 

The two Federal laws cannot pertain to the same record at the same time, so if FERPA applies HIPAA does not and vice versa. But how do schools know whether the transmission of their student health records should be FERPA or HIPAA compliant? 

When health records are subject to FERPA

In most cases, FERPA applies to schools unless the provider of healthcare is a health plan, healthcare clearinghouse, or healthcare provider who electronically transmits health information. However, even in this case, many schools aren’t required to be HIPAA compliant if the school maintains health information only in student health records that are considered education records under FERPA. 

In this scenario, the school has to comply with FERPA’s privacy requirements. This includes the requirement to obtain parental consent to disclose billing information about a service provided to a student.

When health records are subject to HIPAA

In the event that a school employs a healthcare provider who electronically shares PHI, such as submitting healthcare claims to a health plan for payment, the school must be HIPAA compliant. 

The range of healthcare providers covered by HIPAA includes:

  • Physicians
  • Nurses
  • Clinical social workers
  • Other medical and mental health practitioners
  • Hospitals
  • Clinics
  • Organizations that present bills or are paid for healthcare in the normal course of business

Even if the school-based provider uses an offsite billing service to transmit electronic records it is not exempt from HIPAA. Tools like Paubox’s HIPAA compliant encrypted email can integrate with a school’s existing IT infrastructure to provide a seamless and secure email solution. 

Conclusion

Whether FERPA or HIPAA applies to a school’s health information, these laws are in place to protect student’s privacy. Electronic transmission of PHI requires adequate safeguards to ensure that it’s shared without unwarranted disclosure. Organizations that are non-compliant can face stiff penalties and fines, including for workforce violations. 

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.

Read more by Rick Kuwahara

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022