Are Schools Covered by the HIPAA?

HIPAA is applicable to healthcare organizations, healthcare clearinghouses, health plans, and business associates of covered entities but is HIPAA applied to schools as well? This post will take a look at the application of HIPAA to schools and how it relates to the Family Educational Rights and Privacy Act (FERPA).

Is HIPAA Applicable to Schools?

Basically, HIPAA isn’t applicable to schools considering that they aren’t HIPAA covered entities, nevertheless, in certain instances a school may be a covered entity in the event that students receive healthcare services. In these circumstances, HIPAA may still not be applicable because any student health details obtained would be listed in the students’ school records and school records are not covered by the HIPAA Privacy Rule yet are protected by FERPA.

A growing number of schools are giving healthcare services to their learners. Medical specialists are employed by a number of schools, several have on-site health centers, and they usually give medicines and provide vaccinations. When providing healthcare services, health data are obtained, recorded, retained, and transmitted. Although a school employs nursing staff, doctors or psychologists, schools aren’t typically classified as covered entities for the reason that they don’t do healthcare transactions digitally for which the Department of Health and Human Services (HHS) has required criteria. Nearly all schools are under this classification as not covered entities hence HIPAA is not applicable.

A number of schools work with a healthcare company that performs digital transactions for which the HHS has required standards. In such cases, the school will be classified as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules ought to be followed when there are digital transactions, but it isn’t required to comply with the HIPAA Privacy Rule in case healthcare information is kept in school records, which are protected by FERPA. In case health data is saved in school records, it’s not classified as protected health information (PHI) and is thus not protected by the HIPAA Privacy Rule. Nevertheless, the school must adhere to FERPA privacy requirements.

One case where the HIPAA Privacy Rule will be applicable is when a healthcare expert delivers medical services like vaccines at the school though he isn’t hired by the school. In this case, the healthcare specialist should abide by the HIPAA, the HIPAA would cover the information while it is retained by the healthcare specialist, and that person ought to acquire authorization prior to the disclosure of health data to the school. If that information is included in the student’s school records, FERPA would apply in lieu of HIPAA.

HIPAA, FERPA and Private Schools

FERPA is applicable to all schools that obtain direct funding by means of programs governed by the Department of Education. FERPA for that reason is applicable to public schools. Private schools aren’t generally covered by FERPA because they get no federal funding from the Department for Education. In case the private school isn’t protected by FERPA, it may or may not be protected by HIPAA based on whether or not it performs digital transactions for which there are criteria mandated by the HHS. In case it does, it should follow HIPAA but if not, the HIPAA and FERPA wouldn’t be applicable.

More Information

To help make clear concerns concerning health data disclosures under FERPA and HIPAA, the HHS’ Office for Civil Rights and the U.S. Department of Education created updates to their combined guidance in December 2019. The revised guidance can be accessed on this page.