We're frequently asked about HIPAA and FERPA and how they apply to our schools. We're not experts, so we asked an expert to share insight with us. And that's exactly what Karen Gregory, Director of Compliance and Education at Total Medical Compliance (TMC) did for us in a webinar. Below are the basics of HIPAA and FERPA, taken from Karen's presentation. We'll go briefly into what each law is, and how they each apply to schools and student records.
This is not legal advice, nor is it intended as legal advice.
The Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects the privacy of student education records. This law applies to all schools receiving funds from the U.S. Department of Education. That means schools typically covered under FERPA are:
- most public schools and school districts
- most private and public postsecondary institutions, including medical and professional schools
Schools not typically covered under FERPA include private and religious elementary and secondary schools that do not receive federal funds.
FERPA requires the written consent of a parent or an eligible student (a student who is 18 years old or older, or who attends a postsecondary institution at any age) before education records are disclosed or personally identifiable information from those records is released. Education records are records that are:
- Directly related to a student
- Maintained by an educational agency or institution, or by a party acting for the agency or institution
At the elementary or secondary school level, health records (including immunization records) are considered education records.
FERPA permits disclosure without prior written consent in certain cases, including:
- To school officials who have been determined to have a "legitimate educational interest" in the information. The school must have identified who those people are (administrators, teachers, coaches, etc.) and informed parents which people might have access to the information.
- To schools in which the student seeks or intends to enroll
- In connection with financial aid for which the student has applied or which the student has received
- For postsecondary institutions
- For a health or safety emergency
- To comply with a judicial order or a lawfully issued subpoena
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA sets standards for the protection and sharing of individually identifiable health information, often referred to as protected health information (PHI). It includes the Privacy Rule, the Security Rule, and the Transactions and Code Sets standards. The Privacy Rule establishes how health care providers must protect patient information and outlines certain patient rights. The Security Rule identifies protections for PHI that is stored electronically.
When HIPAA applies:
- Health care services are provided to students AND you file claims for payment electronically. In this case, the records are still education records and are not covered under the Privacy or Security Rules, but the filing of the claim must abide by the Transactions and Code Sets standards.
- The school is private, receives no federal funding, AND bills electronically to be reimbursed. In this case, all of the HIPAA rules apply. HIPAA does not apply if no electronic billing takes place.
- A student receives health services in a hospital affiliated with a university that is subject to FERPA. The hospital's records fall under HIPAA for protection and access.
  - Exception: if the hospital runs a health clinic for students on behalf of the university and no claims are filed, the records fall under "education records" or "treatment records", both of which are covered by FERPA.
- An institution is a covered entity providing health care services to non-students, such as staff members, spouses of students, and the public. In this case, the HIPAA Privacy and Security Rules apply to the protection of, and access to, those records.
Regardless of whether you have to comply with FERPA or HIPAA, you need a system in place to protect the information. To guard against malicious behavior, including identity theft, ensure the information cannot be accessed by anyone who does not need it or does not have the clearance to access it. Also keep in mind the various ways PHI can be lost: fire, natural disasters, intentional or accidental destruction of information, and theft of computers, hardware, or printed records.
In the same manner, evaluate the different ways you store information. Is it all written down on paper? Is it electronic? Is it on other business equipment such as fax machines or scanners? Are you storing it on computers, thumb drives, flash drives, smartphones, etc.? And don't forget that verbal communication should be limited: employees should not discuss work matters involving PHI outside of the work environment. This includes hallways, where you never know who is around the corner listening, either intentionally or accidentally.
Want more on HIPAA and FERPA? Watch the full webinar recording.
Plus! Check out blog posts written by our guest expert, Karen Gregory:
- The Intersection of HIPAA & FERPA Part 1
- The Intersection of HIPAA & FERPA Part 2
- The Intersection of HIPAA & FERPA Part 3