Understanding the Privacy Rights of HIPAA & FERPA in Schools
Public school districts regularly receive medical information concerning their students and employees. Inevitably, questions arise about what medical information a school district can request or share with staff, parents and other affected individuals. This article is meant to answer some of these questions.
The Health Insurance Portability and Accountability Act ("HIPAA") provides protection for personal health information held by covered entities. A covered entity under HIPAA is either: (1) a health plan, (2) a healthcare clearinghouse, or (3) a healthcare provider that transmits health information electronically in connection with certain administrative and financial transactions.
Schools are obviously not a covered entity health plan or healthcare clearinghouse. However, many school districts employ nurses, physicians, psychologists, or other healthcare providers who serve students and staff. Would the employment of these healthcare providers qualify a school district as a covered entity "healthcare provider" under HIPAA? The answer to this question depends on whether the school district: (1) furnishes, bills or receives payment for healthcare in the normal course of its business, and (2) transmits these covered transactions electronically.
For example, if a public high school employs a healthcare provider that bills Medicaid electronically for services required for a student under IDEA, the school would be considered a HIPAA-covered entity. The school district would be required to comply with HIPAA transactions, code sets and identifier rules with respect to such transactions. However, because most school districts maintain a student's health information in an "education record" that is covered by FERPA, HIPAA's privacy rules would exclude such information from HIPAA's coverage.
Thus, if a healthcare provider serves students under contract with or otherwise under the direct control of a public school covered by FERPA, any student health records created or maintained by this person are considered education records under FERPA, and not personal health information under HIPAA. This is the case regardless of whether the healthcare is provided to students on school grounds or offsite. Therefore, the school district in the above example would be required to comply with FERPA's privacy requirements with respect to this student's health information, including the requirements to obtain parental or student consent (if 18) in order to disclose Medicaid billing information about a service provided to this student.
HIPAA's privacy rules allow covered healthcare providers to disclose personal health information about students to school nurses, physicians, and other healthcare providers employed by a school district for treatment purposes, without the authorization of the student or the student's parent. For example, a student's primary care physician may discuss the student's medication and other healthcare needs with the school nurse, who would administer the student's medication and provide care to the student while the student is at school.
On occasion, outside parties who are not employed by or otherwise acting on behalf of a school district provide healthcare services directly to students while on school grounds. A recent example was the swine flu vaccinations provided to students last year at various school districts through health and social service agencies. In these circumstances, any health records created or maintained by these agencies are not "education records" subject to FERPA because the healthcare provider is not acting on behalf of the school. Therefore, a school would need to comply with FERPA and obtain parental or student (if 18) consent if the school wishes to disclose any personally identifiable student information from education records to these third-party healthcare providers.
For school district employees, HIPAA's privacy rules do not protect employment records, even if the information in those records is health-related. For example, if an employee submits medical records for the purpose of FMLA certification, these records are employment records to which HIPAA's privacy rules do not apply. Likewise, HIPAA's privacy rules do not prevent a school district from asking an employee to produce a doctor's note or other information about an employee's health, if such information is needed to administer sick leave, workers' compensation, wellness programs, or health insurance.
Although HIPAA's privacy rules do not apply to an employee's medical records in the possession of a school district, Ohio's Public Records Act ("PRA") generally exempts employee medical records from mandatory disclosure. To be exempt under the PRA, the medical records must pertain to a patient's medical history, diagnosis, prognosis, or medical condition, and be generated and maintained in the process of medical treatment. Hospital admission or discharge records are not considered medical records exempt under the PRA. Likewise, reports generated for reasons other than medical diagnosis or treatment, such as for employment or litigation purposes, are not "medical records" exempt from disclosure under the PRA.
Other state and federal statutes, such as the ADA or FMLA, may have a bearing on how school districts are to maintain medical information.