The Department of Education and the Department of Health and Human Services’ Office for Civil Rights made revisions to the guidance on the sharing of student health records according to the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
The initial guidance document was first published in November 2008 to support school facilitators and healthcare experts to learn the use of FERPA and HIPAA to student academic and healthcare data. The guidance comprises of a couple of Q&As addressing the two rules. Additional Q&As were incorporated to clear up likely areas of misunderstandings concerning how to implement HIPAA and FERPA to student data, including the time it is all right to show student information under FERPA and the HIPAA Privacy Rule with no demand to first get written permission.
HIPAA is applicable to healthcare companies, healthcare clearinghouses, business associates of covered entities and health plans. HIPAA doesn’t typically apply to schools, because medical data obtained by an educational establishment would frequently be categorized as educational data under FERPA. The HIPAA Privacy Rule does not include educational data according to the definition of protected health information (PHI), although there are circumstances where HIPAA and FERPA meet.
The HIPAA Privacy Rule demands getting permission before the sharing of health data for reasons besides treatment, paying bills, or healthcare procedures. The guidance makes clear that in emergencies and cases when a person’s well being is at stake, educational organizations and healthcare companies may make known a student’s health data to somebody able to avert or relieve harm, which includes relatives, friends, health caregivers, and police officers.
The guidance says that healthcare providers could disclose PHI with any person as needed to avert or lower a serious and upcoming threat to the well being or safety of a person, another individual, or the public – in accordance with applicable legislation (including state statutes, case law or regulations) and the provider’s criteria of ethical conduct. It is furthermore allowable to disclose psychotherapy notes and details with regards to mental health concerns and substance abuse issues on particular occasions. The update identifies the occasions when these disclosures are authorized.
OCR Director Roger Severino mentioned that this current resource empowers school administrators, healthcare companies, and mental health specialists by dispelling the belief that HIPAA forbids the disclosure of health records in emergency cases.
The update furthermore comprises data on when PHI or personally identifiable information could be disclosed without risking a student or other people. In addition, the sharing of health records to law enforcement and the National Instant Criminal Background Check System is incorporated in the guidance now.
U.S. Secretary of Education Betsy DeVos says that misunderstandings on when information may be shared should never stop the protection of students while they’re in school. This updated guidance could give the required clarity and help make sure that students receive the support they need, and school managements have the details necessary to safeguard the students.