On December 19, 2019, the U.S. Department of Health and Human Services and the U.S. Department of Education issued a "Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records" (the Guidance). The Guidance serves as an update to the Guidance that was first issued in November 2008.
Educational institutions and their associated health services and records may be subject to HIPAA or FERPA or both, depending on factors such as whether the institution accepts federal funding, and whether the institution provides healthcare services. Some educational institutions may meet the definition of a HIPAA covered entity if the institution serves as a healthcare provider (such as through an on-site clinic) and transmits health information through certain electronic transactions. However, the HIPAA definition of protected health information carves out records that are protected by FERPA (including education records and what are known as "treatment records"). This means that even if an institution is a covered entity for purposes of HIPAA and must comply with HIPAA's electronic transaction rules, the institution may not be required to comply with HIPAA's Privacy Rule if the institution only has health records that are education or treatment records under FERPA. This potential overlap can lead to confusion for administrators, healthcare providers, students, and their families.
The updated Guidance first reorganizes the information presented so as to more thematically address the issue of whether HIPAA or FERPA applies to specific types of institutions and records. Next, the Guidance presents a newly expanded set of questions regarding whether health records can be shared in various scenarios. Much of this information addresses issues around sharing health records without the student's consent. For example, information is provided regarding:
- Sharing records when a student presents a risk of potential harm to self or others;
- Sharing records regarding a deceased student; and
- Sharing records with various regulatory bodies as may be required by law.
Educational institutions that maintain student health records, particularly those institutions that also provide healthcare services, may wish to review their policies in these areas and ensure that they are up to date.