What is HIPAA for Schools?

Years ago, parental and student back-to-school concerns could be lighthearted, limited to such pressing issues as to whether to bring lunch from home instead of buying it from the school cafeteria. With the outbreak of COVID-19, concerns about children returning to school are deadly serious. Parents, teachers, and children are worried that school attendance may result in infection with coronavirus. Parents are also concerned that schools will refuse to provide them with information about COVID-19 infections of other students, and that schools might mishandle their own childrens’ protected health information. While COVID-19 is (literally) novel, these issues find resolution in something familiar: the application of the basic principles of HIPAA and FERPA. HIPAA for schools is discussed below.

What is HIPAA for Schools? Clearing Up the Myths

One persistent HIPAA for schools myth is that HIPAA applies to primary and secondary schools, with the same force and effect that it applies to covered entities and business associates. Here’s the truth: generally, HIPAA does not apply to elementary or secondary schools. This is the case for two reasons: (1) Public schools are not covered entities and (2) Those private schools that are covered entities typically maintain PHI only on students in “education records,” which records are subject to FERPA, not HIPAA. FERPA, the Family Educational Rights and Privacy Act, has been around for two decades longer than HIPAA, and is the principal federal law regulating the privacy of student educational records.

But, someone might ask, isn’t HIPAA for schools a real thing? After all, public schools employ nurses, physicians, psychologists, and other providers who provide healthcare and use or disclose PHI, right? Wrong. For a provider to be a covered entity, it must do more than provide treatment. It also must transmit health information electronically in connection with certain HIPAA administrative and financial transactions. These transactions are called HIPAA-covered transactions, and include submission of healthcare claims to a healthcare plan, health plan premium payments, and other activities that schools do not perform.

HIPAA for Schools: But What About PHI?

Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools maintain health information only in records that fall under FERPA as “education records.” HIPAA specifically exempts FERPA education records from the 

definition of PHI. Since most public schools are neither covered entities, nor do they transmit, create, maintain, or receive PHI, these schools do not fall within HIPAA’s sweep.

HIPAA for Schools: So What is FERPA and How Does it Come Into Play?

Under FERPA, an educational agency or institution generally may not disclose personally identifiable information from a student’s education records, unless the parents of the student provide a signed and dated written consent permitting the school to do so. Under FERPA, “education records” are records directly maintained by a school. Such records include health records. Under FERPA, personally identifiable information includes, but is not limited to:

  • A student’s name;
  • The name of a student’s parent or family member;
  • A student’s or student’s family’s address;
  • A personal identifier, such as Social Security number or biometric record;
  • Indirect identifiers, such as date of birth, place of birth, and mother’s maiden name; and
  • Other information that, alone or in combination, is linked or linkable to a specific student.

This “other information” includes health records, since these records contain information linked or linkable to a specific student.

Under FERPA, parental consent, as a prerequisite to disclosure, is not required when the disclosure is in connection with a health or safety emergency, under specified conditions. An educational agency or institution may disclose personally identifiable information from an education record to appropriate parties, including parents of an eligible student, in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

If the school determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. 

The Department of Education offers an example of when personally identifiable information may be disclosed: For example, if a student with COVID-19 is a wrestler and has been in direct and close contact with other students who are on the team or who are in the school and have higher health risks, school officials may determine it necessary to disclose the identity of the student wrestler to the parents of the other students. Parents and students, under this hypothetical scenario, may need to be aware of this information in order to take appropriate precautions or other actions to ensure their own health and safety. School officials should make the determination on a case-by-case basis whether a disclosure of the student’s name is absolutely necessary to protect the health or safety of students or other individuals or whether a general notice is sufficient.

See How It Works