The U.S. Department of Education and the U.S. Department of Health and Human Services recently issued an update to their Joint Guidance on the Applicability of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to Student Records. The updated Joint Guidance clarifies when Protected Health Information (PHI) or Personally Identifiable Information (PII) in an education record can be shared.
The Guidance makes the following key points of interest to public elementary and secondary schools.
- HIPAA Rules do not cover records that are protected by FERPA.
- HIPAA Rules generally do not apply to elementary or secondary schools because school nurses, school physicians, and school psychologists do not engage in any HIPAA covered transactions, such as billing a health plan electronically for their services. An elementary or secondary school could be a covered entity under HIPAA, however, if it bills Medicaid electronically for services provided to a student under the IDEA.
- Under FERPA, elementary and secondary schools can disclose to parents medical information about their child without the student’s consent if the student is claimed as a dependent under the Internal Revenue Code.
- Under FERPA, an elementary and secondary school may disclose information from the student’s educational record in connection with a health or safety emergency and the disclosure is necessary to protect the health and safety of the student or others.
- FERPA does not preclude a school official from sharing information based on the official’s personal knowledge or observation (as compared to information contained in a student’s educational record).
This guidance is helpful in explaining the applicability of FERPA and the intersection of HIPAA and FERPA. The Joint Guidance can be obtained here.
If you have any questions on the Guidance, please feel free to contact a member of the Public Education Group.