
Does HIPAA Apply to Schools?

HIPAA applies to schools in certain circumstances, such as when a school is a private school, when it provides medical services to the public, or when an unattached healthcare professional provides vaccination services to students.

HIPAA applies to most healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, but how does HIPAA apply to schools? In this post we explore when HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA).

Does HIPAA Apply to Schools?

Generally, HIPAA compliance does not apply to schools because they are not HIPAA covered entities, but in some situations a school can be a covered entity if healthcare services are provided to students. In such cases, HIPAA may still not apply because any student health information collected would be included in the students’ education records and education records are exempt from the HIPAA Privacy Rule as they are covered by FERPA.

More and more schools are offering healthcare services to their students. Medical professionals are employed by some schools, some have on-site health clinics, and they often dispense medications and administer vaccines. When healthcare services are provided, health information will be collected, stored, maintained, and transmitted. Even if a school employs nurses, psychologists, or physicians, schools are not usually classed as covered entities because they do not electronically conduct healthcare transactions for which the Department of Health and Human Services has adopted standards (as opposed to, for example, sending report cards digitally). Most schools fall into this category and are not covered entities, so HIPAA does not apply.

Some schools employ a healthcare provider that conducts transactions electronically for which the HHS has adopted standards. In this case, the school would be classed as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules would have to be followed when electronic transactions are conducted, but it would not be a requirement to comply with the HIPAA Privacy Rule if healthcare data is stored in education records, which are covered by FERPA. If health information is stored in education records, it is not classed as protected health information and is therefore not covered by the HIPAA Privacy Rule. The school would, however, have to comply with FERPA privacy requirements.

One scenario where the HIPAA Privacy Rule would apply is when a healthcare professional provides medical services such as vaccinations at the school but is not employed by the school. In this situation, the healthcare professional would be required to comply with HIPAA, the records would be covered by HIPAA while they are held by the healthcare professional, and that individual would be required to obtain authorization before the health information is disclosed to the school. When those records are added to the student’s education records by the school, FERPA would apply rather than HIPAA.

FERPA, HIPAA, and Private Schools

FERPA applies to all educational institutions that receive direct funding through programs administered by the Department of Education. FERPA therefore applies to public schools, but private schools are not typically covered by FERPA as they do not receive federal funding directly from the Department of Education. If the private school is not covered by FERPA, it may or may not be covered by HIPAA depending on whether it conducts electronic transactions for which the HHS has adopted standards. If it does, it would be required to comply with HIPAA; if not, neither HIPAA nor FERPA would apply.

Further Information

To help clear up confusion over disclosures of health information under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights updated their joint guidance in December 2019. The updated guidance is available on this link.

FAQs

When might a school be considered a HIPAA covered entity?

A school might be considered a HIPAA covered entity if the school is a private school or if healthcare services are provided to the public and the school conducts electronic transactions for which the Department of Health and Human Services has adopted standards. If the school also provides healthcare services to students, the school is considered to be a hybrid entity for the purposes of HIPAA because students’ medical records are protected by FERPA.

When does the HIPAA Privacy Rule apply in a school setting?

The HIPAA Privacy Rule applies in a school setting if a healthcare professional, who is not employed by the school, provides medical services such as vaccinations at the school. In this scenario, the health records held by this professional would be covered by HIPAA, and the professional would need to obtain authorization before disclosing the health information to the school.

How does FERPA intersect with HIPAA in the context of schools?

FERPA intersects with HIPAA in the context of schools when FERPA covers student educational records (of which their medical records are a part) and HIPAA covers the medical information of non-students (assuming the school qualifies as a HIPAA covered entity). In such circumstances, students’ educational/medical records must be maintained separately from non-students’ medical information.

Does FERPA apply to private schools?

FERPA does not apply to private schools as they do not receive federal funding directly from the Department of Education. Therefore, if a private school qualifies as a HIPAA covered entity, the medical records of students are protected by HIPAA rather than FERPA. The same applies in private medical colleges and universities.

What happens when a healthcare professional’s records are added to a student’s education records by the school?

When a healthcare professional’s records are added to a student’s education records by the school, FERPA applies rather than HIPAA. The exception to this rule is if the school is not covered by FERPA – for example, the school is a private school that does not receive funding from the Department of Education. In such circumstances, HIPAA applies if the private school qualifies as a HIPAA covered entity.

Author: Steve Alder is the editor-in-chief of HIPAA Journal.