DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA
The Department of Education and the Department of Health and Human Services’ Office for Civil Rights have issued updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
The guidance document was first released in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student educational and healthcare records. The guidance includes several Q&As covering both sets of regulations. Further questions and answers have been added to clear up potential areas of confusion about how HIPAA and FERPA apply to student records, including when it is permitted to share student records under FERPA and the HIPAA Privacy Rule without first obtaining written consent.
HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. HIPAA does not usually apply to schools, since health information collected by an educational institution would usually be classed as educational records under FERPA. The HIPAA Privacy Rule excludes educational records from the definition of protected health information, but there are instances where HIPAA and FERPA intersect.
The HIPAA Privacy Rule requires consent to be obtained prior to the sharing of health information for purposes other than treatment, payment, or healthcare operations. The guidance explains that in emergencies and situations when an individual’s health is at risk, educational institutions and healthcare providers may disclose a student’s health information to someone in a position to prevent or lessen harm, including to family, friends, caregivers, and law enforcement.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The guidance states that “Healthcare providers may share (protected health information) with anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public—consistent with applicable law (such as state statutes, regulations or case law) and the provider’s standards of ethical conduct.” It is also permissible to share psychotherapy notes and information about mental health issues and substance abuse disorder in certain situations. The update details the situations when these disclosures are permitted.
“This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” said OCR Director Roger Severino.
The update also includes information on when protected health information or personally identifiable information can be shared about a student that poses a danger to themselves or others. Additionally, disclosures of health data to law enforcement and the National Instant Criminal Background Check System are also now included in the guidance.
“Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said U.S. Secretary of Education Betsy DeVos. “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”
