Does HIPAA Apply to Schools?

In most cases HIPAA does not apply to educational institutions because they are not HIPAA covered entities, but in some instances a school can be classified as a covered entity if it provides healthcare services to students. Even then, the HIPAA Privacy Rule may still not apply, because any student health information obtained is included in the students' education records, and education records are governed by FERPA rather than by the HIPAA Privacy Rule.

More and more educational institutions are providing healthcare services to their students. Some schools hire medical staff, some run on-site health clinics, and many dispense medications and administer vaccines. Wherever healthcare services are offered, health information is gathered, stored, managed and shared. Even if a school employs nurses, psychologists or physicians, it is not usually classified as a HIPAA covered entity, because it does not conduct electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards. Most schools fall into this category: they are not covered entities, so HIPAA does not apply.

Some schools employ a healthcare provider that conducts electronic transactions for which HHS has adopted standards. In that case the school would be a HIPAA covered entity. It would have to comply with the HIPAA Transactions and Code Sets and Identifier Rules when completing those electronic transactions, but it would not be required to comply with the HIPAA Privacy Rule for health data held in education records, which are governed by FERPA. Health information held in education records is not protected health information and is therefore not governed by the HIPAA Privacy Rule. The school would, however, have to comply with FERPA's privacy requirements.

One instance where the HIPAA Privacy Rule does apply is when a healthcare worker who is not employed by the school provides medical services, such as vaccinations, on school premises. In this situation the healthcare worker must comply with HIPAA, the records are covered by HIPAA while the healthcare worker holds them, and the worker must obtain authorization before sending the health information to the school. Once the school adds those records to the student's education records, FERPA applies rather than HIPAA.

FERPA governs data management at all educational institutions that receive direct funding through programs administered by the Department of Education. FERPA therefore applies to public schools, but private schools are not normally covered by FERPA because they do not receive federal funding from the Department of Education. If a private school is not covered by FERPA, it may or may not be covered by HIPAA, depending on whether it carries out electronic transactions for which HHS has adopted standards. If it does, it must comply with HIPAA; if it does not, neither HIPAA nor FERPA applies.

Additional Information

To help explain disclosures of health information under FERPA and HIPAA, the U.S. Department of Education and the HHS Office for Civil Rights updated their joint guidance in December 2019. The updated joint guidance is publicly available from both agencies.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. He has over 10 years' experience as a HIPAA coach and contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA