HIPAA FAQ – FERPA and HIPAA
Yes. A post-secondary institution that is a HIPAA covered entity may have health information to which the Privacy Rule may apply not only in the health records of non-students in the health clinic, but also in records maintained by other components of the institution that are not education records or treatment records under FERPA, such as in a law enforcement unit or research department. In such cases, the institution, as a HIPAA covered entity, has the option of becoming a “hybrid entity” and, thus, having the HIPAA Privacy Rule apply only to its health care unit. The school can achieve hybrid entity status by designating the health unit as its “health care component.” As a hybrid entity, any individually identifiable health information maintained by other components of the university (i.e., outside of the health care component), such as a law enforcement unit, or a research department, would not be subject to the HIPAA Privacy Rule, notwithstanding that these components of the institution might maintain records that are not “education records” or treatment records under FERPA.
To become a hybrid entity, the covered entity must designate and include in its health care component all components that would meet the definition of a covered entity if those components were separate legal entities. (A covered entity may have more than one health care component.) However, the hybrid entity is not permitted to include in its health care component other types of components that do not perform the covered functions of the covered entity or components that do not perform support activities for the components performing covered functions. That is, components that do not perform health plan, health care provider, or health care clearinghouse functions and components that do not perform activities in support of these functions (as would a business associate of a separate legal entity) may not be included in a health care component. Within the hybrid entity, most of the HIPAA Privacy Rule requirements apply only to the health care component, although the hybrid entity retains certain oversight, compliance, and enforcement obligations. See 45 CFR § 164.105 of the Privacy Rule for more information.
The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 (“education records”). While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.
The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat. This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief can mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i). For example, consistent with other law and ethical standards, a mental health provider whose teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or more fellow students may alert law enforcement, a parent or other family member, school administrators or campus police, or others the provider believes may be able to prevent or lessen the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member or other person). See 45 CFR § 164.512(j)(4).
For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a parent or legal guardian), consistent with state or other laws. See 45 CFR § 164.502(b).
Patient records maintained by a hospital affiliated with a university that is subject to FERPA are not typically “education records” or “treatment records” under FERPA because university hospitals generally do not provide health care services to students on behalf of the educational institution. Rather, these hospitals provide such services without regard to the person’s status as a student and not on behalf of a university. Thus, assuming the hospital is a HIPAA covered entity, these records are subject to all of the HIPAA rules, including the HIPAA Privacy Rule. However, in a situation where a hospital does run the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA, either as “education records” or “treatment records,” and not subject to the HIPAA Privacy Rule.
FERPA applies to most public and private post-secondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. See the exceptions at paragraphs (2)(i) and (2)(ii) to the definition of “protected health information” at 45 CFR § 160.103.
The term “education records” is broadly defined under FERPA to mean those records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3, “Education records.”
“Treatment records” under FERPA, as they are commonly called, are: records on a student who is eighteen years of age or older, or is attending an institution of post-secondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
See 20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3, “Education records.” For example, treatment records would include health or medical records that a university psychologist maintains only in connection with the provision of treatment to an eligible student, and health or medical records that the campus health center or clinic maintains only in connection with the provision of treatment to an eligible student. (Treatment records also would include health or medical records on an eligible student in high school if the records otherwise meet the above definition.)
“Treatment records” are excluded from the definition of “education records” under FERPA. However, it is important to note, that a school may disclose an eligible student’s treatment records for purposes other than the student’s treatment provided that the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements, including the right of the eligible student to inspect and review the records.
While the health records of students at post-secondary institutions may be subject to FERPA, if the institution is a HIPAA covered entity and provides health care to non-students, the individually identifiable health information of the clinic’s non-student patients is subject to the HIPAA Privacy Rule. Thus, for example, post-secondary institutions that are subject to both HIPAA and FERPA and that operate clinics open to staff, or the public, or both (including family members of students) are required to comply with FERPA with respect to the health records of their student patients, and with the HIPAA Privacy Rule with respect to the health records of their non-student patients.
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student’s immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).
In most cases, yes. If the teen is a minor, the HIPAA Privacy Rule generally allows a covered entity to disclose PHI about the child to the child’s parent, as the minor child’s personal representative, when the disclosure is not inconsistent with state or other law. For more detailed information, see 45 CFR § 164.502(g) and the personal representatives fact sheet. In some cases, such as when a minor may receive treatment without a parent’s consent under applicable law, the parents are not treated as the minor’s personal representative. See 45 CFR § 164.502(g)(3). In such cases where the parent is not the personal representative of the teen, other HIPAA Privacy Rule provisions may allow the disclosure of PHI about the teen to the parent. For example, if a provider believes the teen presents a serious danger to self or others, the HIPAA Privacy Rule permits a covered entity to disclose PHI to a parent or other person(s) if the covered entity has a good faith belief that: (1) the disclosure is necessary to prevent or lessen the threat and (2) the parent or other person(s) is reasonably able to prevent or lessen the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i).
In addition, the Privacy Rule permits covered entities to share information that is directly relevant to the involvement of a family member in the patient’s health care or payment for care if, when given the opportunity, the patient does not object to the disclosure. Even when the patient is not present or it is impracticable, because of emergency circumstances or the patient’s incapacity, for the covered entity to ask the patient about discussing his or her care or payment with a family member, a covered entity may share this information with the family member when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR § 164.510(b).
There are some circumstances in which an elementary or secondary school would be subject to the HIPAA Privacy Rule, such as where the school is a HIPAA covered entity and is not subject to FERPA. As explained previously, most private schools at the elementary and secondary school levels typically do not receive funding from the U.S. Department of Education and, therefore, are not subject to FERPA.
A school that is not subject to FERPA and is a HIPAA covered entity must comply with the HIPAA Privacy Rule with respect to any individually identifiable health information it has about students and others to whom it provides health care. For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients. The only exception would be where the school, despite not being subject to FERPA, has education records on one or more students to whom it provides services on behalf of a school or school district that is subject to FERPA. In this exceptional case, the education records of only those publicly-placed students held by the private school would be subject to FERPA, while the remaining student health records would be subject to the HIPAA Privacy Rule.
If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly. This is the case regardless of whether the health care is provided to students on school grounds or off-site. As education records, the information is protected under FERPA and not HIPAA.
Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school. In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA. In such situations, a school that wishes to disclose to this outside party health care provider any personally identifiable information from education records would have to comply with FERPA and obtain parental consent. See 34 CFR § 99.30.
With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
- The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
- The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.