Updated Joint Guidance on the Application of FERPA and HIPAA to Student Health Records
February 20, 2020
The U.S. Departments of Health and Education (collectively, the “Departments”) recently issued a long-awaited update to their “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Student Health Records.” As school administrators and health care professionals struggle to comply with a myriad of global and domestic privacy laws in 2020, the update is a welcome glimpse into the priorities of these regulatory agencies and their approach to personal information.
FERPA and HIPAA are federal statutes that protect the privacy of individuals’ student education records and health information, respectively. Generally, records that are subject to FERPA are not subject to HIPAA. However, a single institution can be subject to both FERPA and HIPAA. The statutes may intersect for a variety of reasons, but the most common is when schools provide health care to students. The Departments first issued the Joint Guidance in 2008, but left room for interpretation and development. The updated guidance aims to clarify how regulated organizations can achieve a balance between student safety and privacy. The Departments’ timing is especially relevant in light of recent political and education sector efforts to increase the mental health resources available to students.
The 27-page update is fashioned as a Q&A and focuses on which rule applies, as well as what information may be shared in a particular setting or situation. For instance, the document provides:
- significant detail on situations commonly faced by elementary, secondary, or post-secondary schools and outlines when student information may be disclosed without consent, e.g., when parents are concerned about a student’s mental health.
- insight on potential distinguishing factors such as a student’s age, grade level, and mental health.
- guidance on the rare occasions when a private school may be subject to FERPA.
- guidance on certain gray areas, including disclosure of a school official’s “observations” of behavior, as opposed to disclosure of information documented in a student’s record.
Overall, organizations that are handling student records should pay careful attention to their potential status as a “Covered Entity” under HIPAA and should evaluate disclosures on a record-by-record and case-by-case basis. The same record can qualify as a “treatment record” under FERPA, an “education record” under FERPA, or “protected health information” under HIPAA. For this reason, organizations should consider not only the type of information contained in records, but also the type of individual who created a particular record (e.g., a school employee or a healthcare provider not providing care on behalf of a school). This analysis is especially important where health services are offered on school grounds.
The joint guidance provides further clarification that there are legitimate scenarios where the sharing of student health information is permitted and will not be considered a breach.
This Data Security & Privacy Alert is intended to keep readers current on developments in the law, and is not intended to be legal advice. If you have any questions, please contact the author, Matthew H. Meade, at 412-566-6983 or firstname.lastname@example.org.