Newly Updated Joint Guidance on the Application of FERPA and HIPAA To Student Health Records

Holland & Knight LLP
Contact

Holland & Knight LLP

On December 19, 2019, the U.S. Department of Health and Human Services and the U.S. Department of Education issued a "Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records" (the Guidance). The Guidance serves as an update to the Guidance that was first issued in November 2008.

Educational institutions and their associated health services and records may be subject to HIPAA or FERPA or both, depending on factors such as whether the institution accepts federal funding, and whether the institution provides healthcare services. Some educational institutions may meet the definition of a HIPAA covered entity if the institution serves as a healthcare provider (such as through an on-site clinic) and transmits health information through certain electronic transactions. However, the HIPAA definition of protected health information carves out records that are protected by FERPA (including education records and what are known as "treatment records"). This means that even if an institution is a covered entity for purposes of HIPAA and must comply with HIPAA's electronic transaction rules, the institution may not be required to comply with HIPAA's Privacy Rule if the institution only has health records that are education or treatment records under FERPA. This potential overlap can lead to confusion for administrators, healthcare providers, students, and their families.

The updated Guidance first reorganizes the information presented so as to more thematically address the issue of whether HIPAA or FERPA applies to specific types of institutions and records. Next, the Guidance presents a newly expanded set of questions regarding whether health records can be shared in various scenarios.  Much of this information addresses issues around sharing health records without the student's consent. For example, information is provided regarding:

  • Sharing records when a student presents a risk of potential harm to self or others;
  • Sharing records regarding a deceased student; and
  • Sharing records with various regulatory bodies as may be required by law.

Educational institutions that maintain student health records, particularly those institutions that also provide healthcare services, may wish to review their policies in these areas and ensure that they are up to date.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Holland & Knight LLP

Written by:

Holland & Knight LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Holland & Knight LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide