Ensuring the health and wellbeing of students requires seamless coordination between school and community health care providers. Schools often serve as the first point of contact for student health services, making collaboration essential for comprehensive care. However, navigating privacy laws like the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) can be challenging. One critical question is: Does HIPAA excludes information considered education records under FERPA law?
In this guide, we will answer all of these questions so that schools and healthcare providers have a better understanding of these two federal laws.
Overview of Federal Privacy Protections: FERPA and HIPAA
FERPA and HIPAA are two critical federal laws that govern the privacy and security of student education and health records. While both laws aim to protect individual privacy, their scopes differ, particularly when it comes to school settings.
A common question arises: Does HIPAA exclude information considered education records under FERPA law? To answer this, it is essential to understand the distinctions between these two laws and the specific situations where one may apply over the other.
FERPA
FERPA applies to educational institutions and agencies that receive federal funding, including most public schools. FERPA governs the privacy of student education records, which include academic and health records maintained by the school.
HIPAA
HIPAA, on the other hand, applies to health care providers, health plans, and other entities that handle health information electronically. HIPAA protects individuals’ health information, known as Protected Health Information (PHI), and sets strict rules for how this information can be shared. Importantly, HIPAA excludes information considered education records under FERPA law, meaning that if a record is protected by FERPA, it is not subject to HIPAA’s privacy rules. This exclusion underscores the importance of understanding the contexts in which FERPA applies.
HIPAA and FERPA: Education Records Exclusions Explained
When considering the question, Does HIPAA exclude information considered education records under FERPA law? The answer lies in the definition and scope of both laws. FERPA is the primary law governing the privacy of education records in schools, including health records maintained by the school. Since these records are protected under FERPA, HIPAA’s privacy protections do not apply to them. This means that any information that qualifies as an education record under FERPA is automatically excluded from HIPAA’s definition of Protected Health Information (PHI).
This distinction is crucial for schools and health care providers. School nurses and administrators must follow FERPA regulations when handling student records, while community health care providers working with students in school-based health centers may need to comply with both FERPA and HIPAA, depending on the situation. For instance, if a community health provider operates independently from the school, HIPAA may apply to the health records they maintain, but FERPA will govern any records maintained by the school.
FERPA Overview
Definition and Scope of FERPA
FERPA is a federal law that protects the privacy of student education records. It applies to all educational agencies and institutions that receive federal funding, which includes most public and private schools. FERPA defines “education records” broadly to include any records directly related to a student and maintained by the school or an entity acting on its behalf. This includes academic records, disciplinary records, and health records maintained by the school nurse or other school staff.
Because FERPA applies to educational records, many student health records maintained by schools are protected under FERPA rather than HIPAA. Therefore, when asking, Does HIPAA exclude information considered education records under FERPA law? The answer is yes—FERPA-covered records are not subject to HIPAA’s privacy rules.
Protection of Educational Records and Personally Identifiable Information (PII)
FERPA protects the privacy of educational records by restricting the disclosure of Personally Identifiable Information (PII) from those records. PII includes information such as the student’s name, address, social security number, and health information contained in education records. Schools must obtain written consent from parents or eligible students (students who are 18 years or older) before disclosing PII from education records, except in certain circumstances.
HIPAA Overview
Definition and Scope of HIPAA Privacy Rule
HIPAA’s Privacy Rule applies to health care providers, health plans, and other entities that handle health information electronically. It is designed to protect the privacy of individuals’ health information, known as Protected Health Information (PHI). PHI includes any information that can be used to identify an individual and that relates to their health, treatment, or payment for health care services. However, it is important to note that HIPAA excludes information considered education records under FERPA law. This means that if a student’s health information is part of their education record, HIPAA’s protections do not apply to that information.
Intersection of FERPA and HIPAA
Determining Applicable Law
FERPA generally applies to student health records maintained by the school, while HIPAA applies to records maintained by health care providers and entities covered by HIPAA. In school-based health centers operated by community health providers, both FERPA and HIPAA may apply, depending on the nature of the records.
Information Sharing Between School and Community Providers
When HIPAA excludes information considered education records under FERPA law is critical for health care providers working in school settings. When student health records are protected under FERPA, school officials must follow FERPA’s rules for sharing information, which typically require written consent. However, FERPA does allow for exceptions in certain cases, such as emergencies.
Under HIPAA, health care providers must generally obtain written authorization to disclose PHI, though there are exceptions for treatment purposes and emergencies. Knowing whether HIPAA or FERPA governs the disclosure of student records is essential to ensuring compliance with federal privacy laws.
Detailed Analysis of FERPA’s Scope and Applications
Understanding FERPA’s scope and applicability is crucial for schools and health care providers. This section provides an in-depth analysis of FERPA, focusing on the entities it covers, the definition of “educational records,” and the rules governing disclosure.
Entities Covered by FERPA
FERPA applies to educational institutions and agencies that receive federal funding. This includes public schools, school districts, and postsecondary institutions. FERPA also applies to any entity acting on behalf of an educational institution, such as a third-party vendor handling student records.
Private and religious schools that do not receive federal funds are generally exempt from FERPA. Therefore, understanding whether a school is covered by FERPA is essential for determining how student records should be handled.
Definition of “Educational Records”
FERPA defines “educational records” broadly. These records include any materials that contain information directly related to a student and are maintained by an educational agency or institution. Educational records are not limited to academic records; they also include health records, disciplinary records, and special education records.
Directly Related to a Student
To qualify as an educational record under FERPA, the information must be directly related to a student. This includes any records, files, documents, or other materials that contain personally identifiable information (PII) about a student. Examples include grades, test scores, and health records maintained by the school.
Maintained by Educational Agency or Institution
Educational records must be maintained by an educational agency, institution, or a party acting on their behalf. This could include records stored electronically, in physical files, or even notes maintained by school personnel if those notes are shared with others or used to make decisions about the student.
Disclosure Rules
FERPA restricts the disclosure of student records without written consent, with certain exceptions. Schools must be cautious when sharing information and ensure that they are complying with FERPA’s rules.
Elementary and Secondary School Level
At the elementary and secondary school levels, FERPA grants parents the right to access their child’s educational records. Schools must allow parents to inspect and review records within a reasonable time frame upon request.
Parental Rights to Inspect and Review Records
Parents have the right to inspect and review their child’s educational records. Schools are required to provide access to these records and, if requested, provide copies for a reasonable fee.
Legitimate Educational Interests and Emergency Exceptions
FERPA allows schools to disclose records without consent to school officials who have a legitimate educational interest in the information. Additionally, in emergency situations where the health or safety of a student is at risk, schools may disclose information to appropriate parties without obtaining prior consent.
Postsecondary Institutions
In postsecondary institutions, FERPA rights transfer from the parents to the student once the student turns 18 or attends a school beyond the high school level. At this point, the student becomes an “eligible student” under FERPA.
Eligible Student’s Written Consent Requirement
Once a student becomes an eligible student, they must provide written consent before the school can disclose their educational records to third parties, including their parents, unless an exception applies.
Treatment Records vs. Educational Records
An important distinction under FERPA is the difference between treatment records and educational records. Treatment records, such as those created by a health care provider for treatment purposes, are not considered educational records under FERPA if they are maintained separately and are used solely for treatment. However, if these records are shared with the school and become part of the student’s educational record, they then fall under FERPA’s protections.
Analysis of HIPAA Scope and Applications
HIPAA’s Privacy Rule governs how health care providers and other covered entities handle Protected Health Information (PHI). This section provides a detailed analysis of HIPAA, focusing on the entities it covers, the definition of PHI, and the rules governing disclosure.
Entities Covered by HIPAA
HIPAA applies to health care providers, health plans, and other entities that transmit health information electronically. This includes hospitals, clinics, private practices, and school-based health centers that operate independently from the school. Community health care providers who collaborate with schools must determine whether their records are subject to HIPAA or FERPA, as HIPAA excludes information considered education records under FERPA law.
Definition of PHI
HIPAA defines Protected Health Information (PHI) as any individually identifiable health information that is transmitted or maintained by a covered entity. PHI includes a wide range of health information that can be used to identify an individual.
Individually Identifiable Health Information
PHI includes any health information that can be linked to an individual, such as names, addresses, dates of birth, and medical records. This information is protected under HIPAA and can only be disclosed under specific circumstances.
Disclosure Rules
HIPAA establishes strict rules for when and how PHI can be disclosed. Generally, written consent is required for the disclosure of PHI, but there are exceptions.
Written Consent Requirement
In most cases, HIPAA requires covered entities to obtain written consent from the individual (or their legal representative) before disclosing their PHI. This ensures that the individual has control over who can access their health information.
Exceptions for De-Identified Information and Treatment Purposes
HIPAA allows the disclosure of de-identified information without consent, as de-identified data cannot be traced back to an individual. Additionally, HIPAA permits the sharing of PHI for treatment purposes without the need for written consent. This exception allows health care providers to coordinate care without unnecessary delays.
Emergency and Imminent Threat Exceptions
In emergency situations or when there is an imminent threat to the health or safety of an individual or the public, HIPAA allows the disclosure of PHI without consent. This ensures that health care providers can respond quickly in critical situations.
Case Studies of HIPAA and FERPA Applications
Scenario 1: Sharing Information in a School Emergency
A student experiences a severe allergic reaction at school and is rushed to the hospital. The school nurse needs to share the student’s health information with the hospital staff to ensure the student receives appropriate treatment. Under FERPA’s emergency exception, the school nurse can share the necessary information without obtaining written consent from the parent. Likewise, the hospital staff can share information with the school nurse under HIPAA’s treatment purposes exception to ensure the student’s care is coordinated upon their return to school.
In this scenario, HIPAA excludes information considered education records under FERPA law, so FERPA’s rules apply to the school nurse’s actions.
Scenario 2: Collaboration Between School Nurses and Community Health Providers
A school nurse is working with a community mental health provider to support a student with behavioral health challenges. The school nurse needs to share information about the student’s behavior and treatment plan with the community provider. Under HIPAA, the community provider can share PHI with the school nurse for treatment purposes without needing to obtain written authorization from the parent. However, under FERPA, the school nurse may need to obtain written consent from the parent to share information from the student’s education record with the community provider.
This scenario demonstrates how understanding when HIPAA excludes information considered education records under FERPA law is essential to ensure proper information sharing.
Summary Comparison of FERPA and HIPAA
To summarize, FERPA and HIPAA both play critical roles in protecting the privacy of student records, but they apply in different contexts.
Type of Comparison |
HIPAA |
FERPA |
Applicability and Scope |
Applies to health plans and health care providers transmitting health information electronically, covering PHI. Importantly, HIPAA excludes information considered education records under FERPA law. | Applies to educational institutions and agencies receiving federal funding, covering educational records, including health records maintained by the school. |
Information Covered |
Protected Health Information (PHI), including individually identifiable health information. | Educational records, including Personally Identifiable Information (PII). |
Conditions for Sharing Information |
Generally requires written authorization, with exceptions for treatment purposes, emergencies, and imminent threats. | Generally requires written consent, with exceptions for emergencies and legitimate educational interests. |
Conclusion
Compliance with FERPA and HIPAA is essential for school and community health care providers who are working together to support the health and wellbeing of children and youth. By navigating these laws effectively, providers can ensure that they are sharing information appropriately while protecting the privacy of students’ educational and health records.
Knowing the answer to the question, Does HIPAA excludes information considered education records under FERPA law?, is critical for ensuring proper compliance. Ongoing coordination and collaboration between school and community health care providers are key to providing comprehensive care that addresses all aspects of a student’s health.