HIPAA vs FERPA
It’s exhausting. This comes up so often in the group and it’s exhausting. Every few weeks, a teacher will say something, or an IEP will be mistakenly sent home with the wrong kid, and so the parent comes to the Facebook group and asks about it. Immediately there are cries of “That’s a HIPAA violation!”
We’ve been so brainwashed by HIPAA, signed so many forms (that we don’t even read) and been told our HIPAA rights so many times…and most don’t even know what it covers. (Hint: not schools)
So, for the last time…say it with me: HIPAA does not apply to schools. Even HHS says so on their website. HIPAA can apply to a school, but the exceptions are so few and far between, the rule to go by is “FERPA is for schools, HIPAA is for medical facilities.”
And yes, if you read this through to the end, they even address the situation if a school bills Medicaid. Still, it’s FERPA, not HIPAA.
Does the HIPAA Privacy Rule apply to an elementary or secondary school?
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
- The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
- The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
What is considered an educational record?
Education records are directly related to a student and maintained by an institution or its agent for all enrolled students, including those in elementary or high school.
- Education records may exist in any medium (e.g., electronic or digital files including email, paper documents, fax documents, oral conversations, etc.).
- Education records include such things as personal identifiers and bio-demographic data (such as SSN, date of birth, ethnicity, gender, relationship information)
- Academic records such as test scores, GPA, graded papers, exams, transcripts, advising notes, financial aid information, etc.)
- IEPs, 504 plans and any and all case records associated with those plans, including but not limited to: teachers’ notes and emails, evaluation reports and raw data from assessments, progress monitoring reports, work samples, etc.
What is FERPA?
Here it is, all spelled out. Much of this I pulled directly from their website.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. See: U. S. Department of Education – FERPA. Educational institutions receiving funds under programs administered by the U.S. Secretary of Education are bound by FERPA regulations. Institutions that fail to comply with FERPA may have funds administered by the Secretary of Education withheld.
Parents’ Rights under FERPA
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”
- Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
- Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
- Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- Other schools to which a student is transferring;
- School officials with legitimate educational interest;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
FERPA and College Students
This is often quite alarming to parents, but once a child is over 18 and enrolled in college, the student controls the information. Yes, even if the parent is paying the tuition! Per FERPA, a parent has no rights to gather any educational records about their child without that child/student’s permission.
- College students must be permitted to inspect their own education records
- Once a student begins attending a college/university, the transfer of the right from the parents having the right to inspect and review a student’s record to the college student.
- School officials may not disclose personally identifiable information about students, nor permit inspection of their records, without written permission from the student, unless such action is covered by exceptions permitted by the Act. A notable exception is disclosing information to school officials determined by the institution to have a legitimate educational interest.
Can a school print my name in a directory?
Short answer, yes! It’s not that long ago that phone books were an important part of our society. Communities published everyone’s name, address and telephone number, and then distributed that book to everyone in the community. For free!
Directory Information is specific information kept about the student that is considered public. This information may be released without the student’s written permission. Directory information includes:
Directory Information Examples:
- Hometown (City, State, 5 digit zip only)
- E-mail address
- Dates of attendance
- Admission or enrollment status
- Campus, school building, grade, teacher(s), college, division, major
- Grade or Class standing (freshman, sophomore, junior, senior)
- Degrees and awards
- Athletic information
From the Dept of Ed:
Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
A student may opt to restrict the release of this directory information by contacting the school office that handles publication and distribution of said directory.
Filing a FERPA Complaint
If you’ve read through FERPA and believe there has been a violation, filing a FERPA complaint is a complaint option for parents.
When HIPAA applies to Schools:
- Health care services are provided to students AND you’re filing a claim for payment electronically. In this case, the records are still education records and are not covered under the Privacy or Security Rules, but the filing of the claim must abide by the rules for Transactions and Code Sets. (in other words, they have to use correct billing codes, but you are only guaranteed privacy rights per FERPA)
- The school is private and not receiving any federal funding AND they bill electronically to be reimbursed. In this case, all the HIPAA rules apply. HIPAA does not apply if electronic billing does not take place.
- Student receives health services in a hospital affiliated with a university subject to FERPA. The hospital records would fall under HIPAA for protection and access.
- Exception: If the hospital runs a health clinic for students on behalf of the university, and there’s no filing of claims, the records would fall under “education” or “treatment records”, both covered by FERPA.
- An institution is a covered entity providing healthcare services to non-students such as staff members, spouses of students, and the public, HIPAA Privacy and Security rules apply to the protection and access of these records.
Again, you can see that looking for a HIPAA violation for school personnel is not a prudent path to take. You likely won’t be successful, and your energy will be wasted.