It comes as no surprise that virtually every postsecondary administrator is familiar with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). After all, FERPA, the primary federal law that protects student education records, applies to any institution, public or private, that receives funds under any program administered by the U.S. Department of Education. As such, it covers the vast majority of postsecondary institutions (because, among other things, they participate in the federal financial aid programs).
In our experience, administrators are often less familiar with (and less comfortable with) the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the set of regulations that were promulgated pursuant to the Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 300gg, 29 U.S.C § 1181 et seq., and 42 USC 1320d et seq.). We find that there frequently is a lack of clarity regarding whether the HIPAA Privacy Rule even applies to an educational institution or its records. And, in fact, it does not apply to all organizations that handle health information. With this in mind, we’ve endeavored here to offer some guidance on when the Rule applies, and when it does not, and to point institutions towards additional guidance that may be helpful.
Determining whether you’re covered
As a general matter, the HIPAA Privacy Rule protects confidentiality of health information and imposes various restrictions on the use and disclosure of such information. However, the Office of Civil Rights, the governmental agency that enforces the HIPAA Privacy Rule, has clarified that the HIPAA Privacy Rule generally does not apply to institutions of higher education. As a matter of law, the Rule applies only to “covered entities,” which includes health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions. Covered transactions, in turn, are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan (see 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R).
Though many postsecondary institutions employ nurses and other health care providers, they are not “covered entities” because they generally do not engage in any of the covered transactions, such as billing health plans electronically for their services. Further, even if an institution is a covered entity, most still are not subject to the HIPAA Privacy Rule because the student health information they maintain is kept as part of their “education records” or “treatment records,” as those terms are defined under FERPA. And the HIPAA Privacy Rule expressly excludes student health information from its coverage if the information is already protected under FERPA, on the basis that the institution already must maintain the information in a manner consistent with FERPA’s privacy requirements.
One important wrinkle for institutions to keep in mind arises when an institution provides health services to students and non-students alike. Though the health information of the school’s students typically would be excluded from the HIPAA Privacy Rule because it is already covered by FERPA, the individually identifiable health information of the non-student patients would not be excluded, and as such, would be covered by the HIPAA Privacy Rule. For example, a university that operates an on-campus health clinic that serves students, staff, and the public must comply with FERPA with respect to the health records of its students and with the HIPAA Privacy Rule with respect to the health records of its staff and the public.
Additional guidance
For further discussion regarding the relationship between FERPA and HIPAA and how these two laws apply to records maintained on students, see the Department’s "Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records." Published in November 2008, this document provides helpful discussion of the relationship between the two privacy laws. Institutions also should review the draft Dear Colleague Letter published by the Department in August 2015, which discusses the protection of student medical records.
Finally, if you determine that your institution is indeed covered by HIPAA, we strongly encourage you to follow our Health Law Checkup blog, which covers HIPAA-related issues on a regular basis. Just last month, we discussed new guidance issued by the Office of Civil Rights relating to the right of individuals under the HIPAA Privacy Rule to access their protected health information. In the guidance, the Office of Civil Rights indicated that based on its enforcement experience, many individuals are having difficulties obtaining such access even as technology evolves.
Milada Goturi is a partner in Thompson Coburn's Health Law Practice Group. She can be reached at (202) 585-6951 or mgoturi@thompsoncoburn.com. Aaron Lacey is a partner in Thompson Coburn’s Higher Education practice, and editorial director of REGucation. You can find Aaron on Twitter (@HigherEdCounsel) and LinkedIn, and reach him at (314) 552-6405 or alacey@thompsoncoburn.com.