On December 19, 2019, the US Department of Education (DOE) and the US Department of Health and Human Services (HHS) released joint guidance updating and expanding prior guidance from November 2008 regarding the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to student health records.
The 2019 guidance includes updated FAQs that provide additional information on how FERPA and HIPAA apply to student health records. FERPA protects the privacy of student “education records,” which, generally speaking, include student health records maintained by educational agencies or institutions. FERPA applies to educational agencies and institutions that receive federal funds under any program administered by the DOE. HIPAA protects the confidentiality of “protected health information” (PHI) and applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain covered transactions such as health care claims being submitted to a health plan.
The joint guidance states that “[i]n a few limited circumstances, an educational agency or institution subject to FERPA can also be subject to HIPAA.” Schools that meet the definition of a HIPAA “covered entity” have to comply with the HIPAA Transactions and Code Sets Rules, but don’t need to comply with the HIPAA Privacy Rule if the school’s health records meet the definition of “education records” or “treatment records” under FERPA. This is because the HIPAA Privacy Rule specifically excludes education and treatment records from the definition of PHI. Schools that are covered entities and bill health plans electronically for care provided to students but aren’t subject to FERPA (such as private schools that don’t receive funding from the DOE) must still comply with the HIPAA rules.
The DOE is preparing a notice of proposed rulemaking (NPR) to amend the FERPA regulations to add a provision indicating that if a student is placed in a private school for the provision of Individualized Education Program (IEP) services on behalf of a school or school district subject to FERPA, then the education records of the placed student maintained by the private school are subject to both FERPA and the confidentiality requirements under the Individuals With Disabilities Education Act (IDEA), not the HIPAA Privacy Rule. The HHS will provide an opportunity for public comment on this proposed amendment once the NPR is published.
Under both FERPA and HIPAA, disclosures of records typically require written consent unless an exception applies. The updated FAQs included in the joint guidance provide clarity on when it is permissible to share student health information without written consent. The FAQs describe:
- Permitted disclosures of information to parents of an individual (without consent from the individual) under FERPA and HIPAA
- Permitted disclosures of information to parents of an individual under FERPA and HIPAA when the individual has a mental health condition or substance-use disorder
- Permitted disclosures of information in connection with a health or safety emergency
- Permitted disclosures under FERPA and HIPAA to allow a parent access to their deceased child’s records
- Permitted disclosures of personally identifiable information (PII) from a student’s education records to the educational agency’s or institution’s law enforcement officials under FERPA
- Permitted disclosures of information to a protection and advocacy system under FERPA and HIPAA
New material in the joint guidance primarily focuses on when health care providers covered by HIPAA and educational agencies or institutions regulated by FERPA can disclosure information without consent during “emergency” situations. The guidance includes more detailed examples and references to exceptions to the written consent requirement under FERPA and HIPAA, including the HIPAA caregiver exception (45 CFR § 164.510(b)), the HIPAA health or safety threat exception (45 CFR § 164.512(j)), and FERPA’s health or safety exception (34 CFR § 99.36(c)), among others.
Institutions should review their policies and procedures to ensure they are consistent with the updated guidance and applicable state confidentiality laws.
If you have any questions regarding the content of this legal alert, please contact Brittany Lawrence, counsel and Higher Education Team member, at blawrence@barclaydamon.com; Bridget Steele, associate and Health Care and Health & Human Services Providers Teams member, at bsteele@barclaydamon.com; or another member of Barclay Damon’s Higher Education, Health Care, or Health & Human Services Providers Teams.