Comparison of FERPA and HIPAA in California School-Based Health Systems
Compiled by Sunny Saran and Suzanne Patterson
Physical and mental health programs are a critical component of the student support services needed for every child to succeed in school. These programs also provide an exciting opportunity to increase heath care access for youth and improve care coordination and collaboration among community, public and private health care providers and schools. School-based health services, including school health centers (SBHCs), can be operated and funded in a variety of ways. Some are operated by a large hospital, a community organization, or a local government agency; others are operated by the school district or local education agency, and still others, by some combination of the above.
When developing school-based health programs, there are several legal considerations that the health provider(s) and education agency should address early on. One of the most important is determining which confidentiality laws control access to the educational records, and disclosure of the school-based health program’s health care information. One of the first questions to address is whether the program’s information is subject to HIPAA or FERPA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) are both federal laws that protect privacy and limit how certain personal information can be shared. FERPA limits disclosure of information in education records maintained by most schools, and HIPAA limits disclosure of health information maintained by most health care providers. When health care providers work on school campuses, HIPAA or FERPA may apply to the provider’s records, depending on a number of variables.
In addition, California has state laws that protect the confidentiality of information held by schools and health providers that also may affect how and when information can be shared. Whether HIPAA or FERPA applies and how those interact with state confidentiality laws will impact school-based health service operations in large and small ways – from determining how school staff and health providers collaborate; to shaping policies about how to deal with suicide threats and other emergencies; to determining the content of consent forms and other paperwork used by health services providers.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule protects the privacy of patient health information. The individuals and agencies that must follow the HIPAA Privacy Rule include health plans, health care clearinghouses, and health care providers who transmit health information in electronic form. The definition of health care providers under HIPAA includes both individual providers such as physicians, clinical social workers, and other medical and mental health practitioners, as well as hospitals, clinics and other organizations. HIPAA Privacy Rule prevents covered health care providers from disclosing Protected Health Information (PHI).
Protected Health Information does not include information subject to FERPA.
Family Educational Rights and Privacy Act (FERPA) protects Personal Identifiable Information (PII) that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty. Schools must have written consent from the parent or eligible student to release any PII information in the student record. Schools are required to document all individuals and organizations that have requested or obtained a student’s education records.
Health records of students under age 18 maintained by a school nurse are part of the education record, as are immunization records housed in student education files and FERPA applies.
In addition, the health records of students 18 and older are not always education records subject to FERPA.
Generally, FERPA prohibits educational agencies from releasing any personally identifiable information in the education record unless the agencies have written permission for the release. In most cases, a parent must sign that release. When students are 18 years old or older, they usually sign their own release forms.
When a school provides healthcare through a school clinic, the school is considered a health care provider under HIPAA and a covered entity. A school that conducts any covered health care transactions, is a covered entity.
If FERPA applies, HIPAA does not, and FERPA and HIPAA can never apply to the same information at the same time. However, state medical confidentiality law does not have this same exception. Therefore, state confidentiality law can apply to health information held in an education record subject to FERPA.
Use of Data for Research Purposes
With FERPA, the primary method of data privacy protection is disclosure avoidance or limitation. Individual-level data may be released publicly for research purposes, once they have been anonymized through the creation of a unique foreign key identifier.
HIPAA regulates the use of student data from education records for research purposes.
Is Your School-Based Health Program Subject to HIPAA or FERPA?
Whether the records of a school health program or provider are subject to HIPAA or FERPA will depend in part on whether the program or provider can be considered an educational agency or the agent of one, and this will depend on a number of factors. Joint Guidance issued by the U.S. Department of Education (DOE) and the U.S. Department of Health and Human Services (DHHS) provides some case examples that suggest factors these agencies would use to determine which laws apply.
HIPAA applies when if the center is funded, administered and operated by or on behalf of a public or private health, social services, or another non-educational agency or individual.
A school health program’s records are subject to FERPA if the program is funded, administered and operated by or on behalf of a school or educational institution.
If the health care provider is not employed by a school such as a school nurse that provides services to students under contract with the school. These records are education records under FERPA, just as they would be if the school maintained the records directly.
Parent’s Right to Access Records
Parents have a right to access all records subject to FERPA regarding their minor child. By contrast, parents do not have a right to access all medical records subject to HIPAA and California medical confidentiality law regarding their minor child.
Under California state law, parents cannot access those records if
- A provider determines that parent access would have a detrimental effect on the provider’s professional relationship with the minor patient or the minor’s physical safety or psychological well-being.
- If the records relate to health care for which the minor consented or could have consented on his or her own. In this case, parents must have the minor’s permission in order to inspect medical records.
In California, minor consent services include pregnancy related care, STD testing, treatment and preventive care, drug and alcohol abuse counseling, and mental health counseling, among others.
FERPA allows school employees to disclose records subject to FERPA to teachers and other school officials without need of a release, as long as that school official has a legitimate educational interest in the information.
No similar exception exists in HIPAA; a health provider whose records are subject to HIPAA cannot disclose information to a teacher without a signed authorization to release.
By contrast, HIPAA and California medical confidentiality law allow health providers to disclose protected health information for treatment purposes to a provider in another agency or clinic who is working with the same client: FERPA does not contain a similar exception.
Disclosing and Exchanging Information under FERPA & HIPAA
If a school health program’s records are subject to HIPAA, the program must meet all the requirements of HIPAA. This includes making sure the clinic has a Notice of Privacy Practices and HIPAA-compliant release forms, among many other things.
HIPAA and California law permit health care providers to disclose protected health information to other health care providers for treatment purposes. HIPAA defines treatment broadly in this context to include coordination or management of health care, consultation and referral as well as direct treatment.
Once disclosed to the school nurse, if the school nurse places the information in the pupil file, FERPA likely will apply when determining access to the information in the file, not HIPAA.
The information can be released if the parent provides written consent. If there is no written consent, the school can release information in some circumstances. FERPA permits disclosure of information in the education record to school officials with a legitimate educational interest in the information.
If the school health program operates under FERPA, program providers may share health information in the education record with the teacher to the extent that the teacher has a legitimate educational interest in the information disclosed.
An educational agency or institution may not disclose education records without prior written consent merely because it has entered into a contract or agreement with an outside party. The agency or institution must be able to show that:
- The outside party provides a service for the agency or institution that it would otherwise provide for itself using employees;
- The outside party would have legitimate educational interests’ in the information disclosed if the service were performed by employees; and
- The outside party is under the direct control of the educational agency.
A school health program operating under FERPA may not promise students that their parents will not have access to their health records.
If the program operates under HIPAA, a school health program is prohibited to share protected health information with a teacher, absent authorization. Under California medical confidentiality law, the student must provide the authorization if the information to be disclosed is about a minor consent service. The parent or guardian must provide the authorization in most other cases.
Disclosure of information in the education file about a student’s chronic conditions, such as asthma or diabetes, to a school-based provider operating under HIPAA is not permitted without parent consent.