HIPAA is the Health Insurance Portability and Accountability Act, enacted, in part, to “improve the efficiency and effectiveness of the health care system through the establishment of national standards and requirements for electronic health care transactions and to protect the privacy and security of individually identifiable health information.”* HIPAA is often mentioned alongside FERPA, the Family Educational Rights and Privacy Act, which protects student education records. While both seek to protect records and individuals, they differ in the way, and to whom, they apply. It is possible your school is not subject to FERPA or HIPAA, but you need to be aware of the regulations, and strive to provide the utmost security for your students’ records at all times.
To determine if your school is covered by HIPAA, it is important first to determine how FERPA applies. In order to be subject to FERPA, the school must receive funds directly from a Department of Education program, meaning most public schools fall under FERPA. Schools that do not receive funds from the U.S. Department of Education are not subject to FERPA. This generally includes private, independent, and religious schools.
On occasion FERPA will extend to a private school, but it is under special conditions. For example, if a student from a public school is placed in a private school for a reason such as a disability, and the private school is providing services on behalf of the public school district, then that student’s records are still subject to FERPA, while the records of all the other students at the private school are not subject to FERPA.
HIPAA applies only to institutions deemed “covered entities” which means “health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions.”* A “health care provider” includes any entity that “furnishes, bills, or is paid for health care in the normal course of business.”* If a private, independent, or religious school, which is not covered by FERPA, falls under the category of a covered entity, then HIPAA applies to the school. For example, if a private school (not subject to FERPA) employees a doctor who does bill for services electronically, then the school must comply with HIPAA.
Again, the exception to this is a student placed by a public school into a private school. That student’s records are covered by FERPA, while the remaining students’ health records at the private school are subject to HIPAA. This is because HIPAA “specifically excludes from its coverage those records that are protected by FERPA.”*
It can be confusing where the laws intersect and which law applies when. These charts, as well as these articles, can be helpful in determining what applies to your school.
Magnus Health specializes in helping schools navigate student health records while remaining FERPA and HIPAA compliant, and has partnered with Senior Systems to offer custom reporting. This partnership allows Senior System schools to export student lists in CSV format, ready for immediate import to their Magnus account. The partnership is designed to save school administrators time by streamlining the account creation process.
*Except where noted, all quotes were gathered from the Joint Guidance on the Application of the Family Educational Rights and Privacy ACT (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records (PDF).
Senior Systems would like to thank Magnus Health for their collaboration and partnership.
