By: Brittany Flaherty Theis
The U.S. Department of Health and Human Services and U.S. Department of Education have issued a December 2019 update to their “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the “Joint Guidance”). The Joint Guidance explains the relationship between FERPA and the HIPAA Privacy Rules by providing general information about the laws and answering commonly asked questions regarding both. Please note from the outset that the Joint Guidance does not have the force or effect of law.
The Joint Guidance starts by providing an overview of FERPA, which protects the privacy of students’ “education records,” followed by an overview of HIPAA and the HIPAA Privacy Rule, which, in this context, protects the privacy and security of “individually identifiable health information.” The Joint Guidance states the following regarding where FERPA and HIPAA may intersect:
“In a few limited circumstances, an educational agency or institution subject to FERPA can also be subject to HIPAA. For instance, a school that provides health care to students in the normal course of business, such as through its health clinic, is also a ‘health care provider’ under HIPAA. If a school that is a ‘health care provider’ transmits any PHI electronically in connection with a transaction for which HHS has adopted a transaction standard, it is then a covered entity under HIPAA. As a covered entity, the school’s health care transactions must comply with the HIPAA Transactions and Code Sets Rule (or Transactions Rule).
However, many schools that meet the definition of a HIPAA covered entity do not have to comply with the requirements of the HIPAA Rules because the school’s only health records are considered ‘education records’ or ‘treatment records’ under FERPA. The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA by excluding such records from the definition of ‘protected health information.'”
This description of the potential interplay between FERPA and HIPAA is followed by the question most relevant to Whitt Law’s school district clients: Does the HIPAA Privacy Rule apply to an elementary or secondary school? The answer to which is – generally, no. This is because an elementary school or secondary school is either: (1) not typically a covered entity under HIPAA (health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions); or (2) is a covered entity but maintains health information only on records that qualify as “education records” under FERPA and, therefore, are not covered by HIPAA. More information is provided in the Joint Guidance.
Other questions addressed within the Joint Guidance that are currently getting significant attention by the media and by school districts as they evaluate emergency response and threat assessment plans include:
- Where FERPA applies, when can a school disclose an eligible student’s personally identifiable information (“PII”) from education records to his or her parent if the eligible student has not provided written consent?
- Does HIPAA allow a health care provider to disclose PHI about a minor child with a mental health condition and/or substance use disorder to the parents of the minor?
- Does FERPA permit a school to disclose PII from the education records of a student, who is under the age of 18 years and is not attending a postsecondary institution, with a mental health condition and/or substance use disorder to the parents of the student?
- What options do family members of an adult patient with mental illness have under HIPAA if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider subject to HIPAA share information with the family?
- What options do the parents of an eligible student with mental illness have under FERPA if they are concerned about the student’s mental health and the eligible student refuses to provide consent to permit a school subject to FERPA to share PII from education records with the family?
- Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
The updated Joint Guidance is intended to assist educational agencies and institutions who have the responsibility of making the initial, case-by-case determination of whether a release of information satisfies the legal requirements of FERPA and HIPAA, if applicable.
Please note that the Joint Guidance addresses the impact of FERPA and HIPAA on the handling of student health records. It does not address the interplay of state laws regarding student records with FERPA and HIPAA. For questions related to student records or for information regarding the implications of the Joint Guidance for school districts in Illinois, where school districts are also subject to the Illinois School Student Records Act (105 ILCS 10), please contact Whitt Law Senior Attorneys Brittany Flaherty Theis or Brian R. Bare.
This blog/website is made available for educational purposes only. It is not intended to provide specific legal advice to your individual circumstances or legal questions. You acknowledge that your reading of this blog site does not establish an attorney-client relationship between you and the blog/website host or the law firm, or any of the attorneys with whom the host is affiliated. This blog/website should not be used as a substitute for seeking competent legal advice from a licensed professional attorney in your state. Readers of this information should not act upon any information contained on this website without seeking professional counsel.