July 25, 2014

Understanding the Privacy Rights of HIPAA & FERPA in Schools

Public school districts regularly receive medical information concerning its students and employees. Inevitably, questions arise about what medical information the school district can request or share with staff, parents and other affected individuals. This article is meant to answer some of these questions.

The Health Insurance Portability and Accountability Act ("HIPAA") provides protection for personal health information held by covered entities. A covered entity under HIPAA is either: (1) a health plan, (2) a healthcare clearinghouse, or a (3) healthcare provider that transmits health information electronically in connection with certain administrative and financial transactions.

Schools are obviously not a covered entity health plan or healthcare clearinghouse. However, many school districts employ nurses, physicians, psychologists, or other healthcare providers who serve students and staff. Would the employment of these healthcare providers qualify a school district as a covered entity "healthcare provider" under HIPAA? The answer to this question depends on whether the school district: (1) furnishes, bills or receives payment for healthcare in the normal course of its business, and (2) transmits these covered transactions electronically.

For example, if a public high school employs a healthcare provider that bills Medicaid electronically for services required for a student under IDEA, the school would be considered a HIPAA-covered entity. The school district would be required to comply with HIPAA transactions, code sets and identifier rules with respect to such transactions. However, because most school districts maintain a student's health information in an "education record" that is covered by FERPA, HIPAA's privacy rules would exclude such information from HIPAA's coverage.

Thus, if a healthcare provider serves students under contract with or otherwise under the direct control of a public school covered by FERPA, any student health records created or maintained by this person are considered education records under FERPA, and not personal health information under HIPAA. This is the case regardless of whether the healthcare is provided to students on school grounds or offsite. Therefore, the school district in the above example would be required to comply with FERPA's privacy requirements with respect to this student's health information, including the requirements to obtain parental or student consent (if 18) in order to disclose Medicaid billing information about a service provided to this student.

HIPAA's privacy rules allow covered healthcare providers to disclose personal health information about students to school nurses, physicians, and other healthcare providers employed by a school district for treatment purposes, without the authorization of the student or the student's parent. For example, a student's primary care physician may discuss the student's medication and other healthcare needs with the school nurse, who would administer the student's medication and provide care to the student while the student is at school.

On occasion, outside parties who are not employed by or otherwise acting on behalf of a school district provide healthcare services directly to students while on school grounds. A recent example was the swine flu vaccinations provided to students last year at various school districts through health and social service agencies. In these circumstances, any health records created or maintained by these agencies are not "education records" subject to FERPA because the healthcare provider is not acting on behalf of the school. Therefore, a school would need to comply with FERPA and obtain parental or student (if 18) consent if the school wishes to disclose any personally identifiable student information from education records to these third-party healthcare providers.

For school district employees, HIPAA's privacy rules do not protect employment records, even if the information in those records is health-related. For example, if an employee submits medical records for the purpose of FMLA certification, these records are employment records for which HIPAA's privacy rules do not apply. Likewise, HIPAA's privacy rules do not prevent a school district from asking an employee to produce a doctor’s note or other information about an employee's health, if such information is needed to administer sick leave, workers’ compensation, wellness programs, or health insurance.

Although HIPAA's privacy rules do not apply to an employee's medical records in the possession of a school district, Ohio's Public Records Act ("PRA") generally exempts employee medical records from mandatory disclosure. To be exempt under the PRA, the medical records must pertain to a patient’s medical history, diagnosis, prognosis, or medical condition, and be generated and maintained in the process of medical treatment. Hospital admission or discharge records are not considered medical records exempt under the PRA. Likewise, reports generated for reasons other than medical diagnosis or treatment, such as for employment or litigation purposes, are not “medical records” exempt from disclosure under the PRA.

Other state and federal statutes, such as the ADA or FMLA, may have a bearing on how school districts are to maintain medical information.

© 2013 Dinsmore & Shohl LLP. All rights reserved.

About the Author

Our Cincinnati office occupies eight floors in the First Financial Center located in the downtown central business district of the city. Clients range from public and private corporations and charitable organizations to local and state governments and financial institutions as well as individuals. International, national, and locally recognized cases are handled by our firm.

Cincinnati is a diverse metropolitan area comprised of 13 counties and the corner of three states—Ohio, Kentucky, and Indiana. Almost two million people call Greater Cincinnati home. It includes all the...


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.