ED and HHS Issue Updated Joint Guidance Regarding Student Health Records Privacy
On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of its “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance, available here). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and has not been previously updated, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially when those disclosures are related to emergency health or safety situations.
FERPA applies to all educational agencies and institutions (e.g., schools, colleges and universities) that receive federal funds under any program administered by ED. Moreover, if an educational agency or institution receives federal funds under one or more programs administered by ED, FERPA applies to the recipient, and to the student “education records” it maintains, as a whole. The term “education records” is defined broadly to mean, with certain exceptions, those records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. For instance, a student’s health records, including immunization records, maintained by an educational agency or institution (such as by an elementary or secondary school nurse) would generally constitute education records subject to FERPA.
An educational agency or institution subject to FERPA may not disclose the education records, or personally identifiable information (PII) from education records, of a student without the prior written consent of either a parent (generally, if the student is a minor) or the “eligible student” (generally, if the student is at least 18 years of age or enrolled in a postsecondary instruction), unless one of several limited exceptions applies. FERPA also provides a parent or eligible student, as applicable in the circumstances, with the right to inspect and review the student’s education records, and further to request corrections to education records that are inaccurate or misleading. Additionally, records that educational agencies and institutions maintain on children with disabilities, including records of children referred under the Individuals with Disabilities Education Act (IDEA), are subject to confidentiality provisions that are similar to, but broader than, FERPA to protect the privacy of PII in the early intervention or education records of children referred under the IDEA. The IDEA regulations contain additional exceptions and generally incorporate FERPA exceptions to the prior consent requirements.
An educational institution subject to FERPA that provides health care to students in the normal course of business, such as through a school nurse or health clinic, is also a “health care provider” under HIPAA. If that educational institution further transmits any PHI electronically in connection with a transaction for which HHS has adopted a standard, it is then also a “covered entity” under HIPAA. Under the HIPAA Privacy Rule as promulgated by HHS, covered entities must protect individuals’ health records and other personal health information that they maintain or transmit, known as protected health information (PHI), by requiring appropriate safeguards to protect privacy, and setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The HIPAA Privacy Rule, however, specifically excludes from its coverage those records that are protected by FERPA by excluding such records from the definition of PHI. The intent of this exclusion is to avoid applicability of both FERPA and HIPAA to any individual record, and thus to subject a specific student health record to just one of those legal regimes, not both.
Further confusing matters for educational institutions is the fact that FERPA does not include so-called “treatment records” within the scope of education records subject to FERPA requirements. Treatment records are defined by FERPA as records made or maintained by a recognized medical professional or paraprofessional acting in that capacity, even where the medical professional or paraprofessional is employed by the educational institution, if the records (1) are made, maintained, and used only in connection with the provision of treatment to the student, and (2) are not available to anyone other than persons providing such treatment. Provided that a student record meets these parameters, an institution may not need to apply FERPA protections to the record, but instead may need to apply HIPAA protections to it. If, however, such a record is appropriately shared with others within an institution (such as for an academic accommodation in light of a medical condition), then the record as separately maintained by the institution for non-treatment purposes would be subject to FERPA. Thus, when an educational institution finds itself generally subject to both FERPA and HIPAA, it becomes critical to determine which set of legal requirements (including which set of disclosure rules) applies to a student health record in each circumstance in which the record is used or maintained.
The Joint Guidance contains a number of frequently asked questions and answers addressing various factual circumstances, with the goal of clarifying when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule. Please do not hesitate to contact the author, or your usual Faegre Drinker contact, if you have questions concerning the Joint Guidance or any related matter.