Does HIPAA Apply to Schools?
HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities but how does HIPAA apply to schools? In this post we explore when HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA).
Does HIPAA Apply to Schools?
Generally, HIPAA does not apply to schools because they are not HIPAA covered entities, but in some situations a school can be a covered entity if healthcare services are provided to students. In such cases, HIPAA may still not apply because any student health information collected would be included in the students’ education records and education records are exempt from the HIPAA Privacy Rule as they are covered by FERPA.
More and more schools are offering healthcare services to their students. Medical professionals are employed by some schools, some have on-site health clinics, and they often dispense medications and administer vaccines. When healthcare services are provided, health information will be collected, stored, maintained, and transmitted. Even if a school employs nurses, psychologists, or physicians, schools are not usually classed as covered entities because they do not conduct healthcare transactions electronically, as opposed to, for example sending report cards digitally, for which the Department of Health and Human Services has adopted standards. Most schools fall into this category and are not covered entities so HIPAA does not apply.
Some schools employ a healthcare provider that conducts transactions electronically for which the HHS has adopted standards. In this case, the school would be classed as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules would have to be followed when electronic transactions are conducted, but it would not be a requirement to comply with the HIPAA Privacy Rule if healthcare data is stored in education records, which are covered by FERPA. If health information is stored in education records, it is not classed as protected health information and is therefore not covered by the HIPAA Privacy Rule. The school would however have to comply with FERPA privacy requirements.
One scenario where the HIPAA Privacy Rule would apply is when a healthcare professional provides medical services such as vaccinations at the school but is not employed by the school. In this situation, the healthcare professional would be required to comply with HIPAA, the records would be covered by HIPAA while they are held by the healthcare professional, and that individual would be required to obtain authorization before the health information is disclosed to the school. When those records are added to the student’s education records by the school, FERPA would apply rather than HIPAA.
FERPA, HIPAA, and Private Schools
FERPA applies to all educational institutions that receive direct funding through programs administered by the Department of Education. FERPA therefore applies to public schools, but private schools are not typically covered by FERPA as they do not receive federal funding direct from the Department for Education. If the private school is not covered by FERPA, it may or may not be covered by HIPAA depending on whether it conducts electronic transactions for which the HHS has adopted standards. If it does, it would be required to comply with HIPAA although if not, neither HIPAA nor FERPA would apply.
To help clear up confusion over disclosures of health information under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights updated their joint guidance in December 2019. The updated guidance is available on this link.