FERPA vs. HIPAA
What to Do When Faced with a FERPA Request for Educational Records That Includes Nursing Notes
The Family Educational Rights and Privacy Act (FERPA) is a federal statute that protects the privacy of students’ education records. “Education records” are defined by the statute as “those records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.” See, 34 C.F.R. §99.3; 20 U.S.C. §1232g(a)(4). FERPA applies to all educational agencies or institutions (i.e. school districts) that receive federal funding through the U.S. Department of Education. See, 34 C.F.R. §99.1; 20 U.S.C. §1232g.
The Health Insurance Portability and Accountability Act (HIPAA), on the other hand, is a federal statute that applies only to covered entities that engage in covered transactions, as defined by the statute, and protects the privacy of “individually identifiable health information.”
A “covered entity” is defined as: “(1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” See, 45 C.F.R. §160.103. School districts are generally considered health care providers for purposes of HIPAA because of the provision of health services through a school nurse or health clinic. However, in order for HIPAA to apply to a school district, the school district, as a health care provider, must also engage in a covered transaction. HIPAA defines “transaction” as:
…the transmission of information between two parties to carry out financial or administrative activities related to health care.
It includes the following types of information transmissions:
1. Health care claims or equivalent encounter information.
2. Health care payment and remittance advice.
3. Coordination of benefits.
4. Health care claim status.
5. Enrollment and disenrollment in a health plan.
6. Eligibility for a health plan.
7. Health plan premium payments.
8. Referral certification and authorization.
9. First report of injury.
10. Health claims attachments.
11. Other transactions that the Secretary may prescribe by regulation.
See, 45 C.F.R. §160.103.
A “covered transaction” includes, for example, a school district’s electronic submission of health care invoices for reimbursement to the school district.
Only those health records that include “individually identifiable health information” are protected by HIPAA. “Individually identifiable health information” is defined as:
…information that is a subset of health information, including demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
i. That identifies the individual; or
ii. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. See, 45 C.F.R. §160.103.
HIPAA specifically excludes the following individually identifiable health information from its protection:
i. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
ii. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
iii. Employment records held by a covered entity in its role as employer. See, 45 C.F.R. §160.103(2).
The school nurse or third party provider of services, as an employee or contractor of the district, is an agent of the district. Additionally, because student health records are created or maintained by the school nurse as a result of the student’s enrollment in the district and corresponding educational programming, the records created and maintained as a result of the provision of school nurse services become “educational records” pursuant to FERPA. Those records, therefore, are specifically excluded from the definition of “protected health information” pursuant to HIPAA. See, 45 C.F.R. §160.103(2). As a result, these records should be provided in a response to a request for records made pursuant to FERPA and doing so is not a violation of HIPAA.
Clients who have questions regarding issues discussed in this article, or any education law matter, should feel free to call us at 215-345-9111.