In December 2019, the United States Department of Health and Human Services and the United States Department of Education issued joint guidance on the application of the Family Educational Rights and Privacy Act(FERPA) and the Health Insurance Portability and Accountability Act of 1996(HIPAA) to student health records. The newly issued guidance updates the departments’ most recent joint guidance on the subject, which was last released in November 2008. The following is a brief refresher of the intersection of the two laws as they apply to elementary and secondary schools, and some portions of the guidance that we feel may help you navigate the intricacies of these laws. For your reference, the guidance is available here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html and https://studentprivacy.ed.gov/resources/joint-guidance-application-ferpa-and-hipaa-student-health-records
As a reminder, most public elementary and secondary schools are not subject to HIPAA because they are not “covered entities” as that term is defined under HIPAA. In general, covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in covered transactions, such as billing a health plan electronically for services. Even if a public elementary or secondary school meets the definition of a covered entity under HIPAA, the health information contained in student records is likely an “education record” under FERPA, which is expressly excluded from HIPAA’s privacy rules. Therefore, FERPA, not HIPAA, will be more likely to govern the disclosure parameters of student health records in your school. Nevertheless, the guidance provides clarification on certain instances in which disclosure of protected health information under HIPAA and education records covered by FERPA may occur without obtaining the student or parent’s written consent.
The guidance’s first noteworthy point of clarification is that HIPAA allows health care providers to disclose protected health information to school nurses and other school health staff for treatment purposes. For example, if a school nurse is unsure about the way a student’s medication should be administered, HIPAA allows the student’s physician or other health care provider to guide the nurse on how the medication is administered without parental consent. In the same vein, FERPA allows school officials to verify information contained in a record with a third party. Therefore, if a dean wants to confirm a doctor’s note excusing a student’s absence, FERPA allows the dean to disclose the contents of the note with the purported doctor who wrote the note without parental consent.
FERPA also allows school nurses and other school officials to disclose information in a student’s education records to the student’s physician without consent if a health or safety emergency exists and the physician’s knowledge of the records is necessary to protect the health or safety of the student or others. For example, if a student’s school health records confirm that a student has an allergy to a medication used to treat seizures, and the student is rushed from school to a hospital because of a seizure, a school official may share with the hospital that the student is allergic to the particular medication before the student arrives at the hospital.
Additionally, HIPAA allows health care providers to disclose protected health information to anyone if the provider has a good faith belief that: (1) the disclosure is necessary to prevent or lessen a serious and imminent threat; and (2) the person to whom the disclosure is made is reasonably able to prevent or lessen the threat. This open avenue of communication under HIPAA could be valuable when school threat assessment teams are assessing a potential student threat. FERPA has a similar exception to disclosure without consent if the disclosure of personally identifiable information in an education record is necessary to protect the health or safety of the student or others.
Finally, FERPA allows schools to disclose personally identifiable information in education records to law enforcement officials who are not school employees if the law enforcement officials: (1) perform a service for which the school would otherwise use employees (e.g. to ensure safety); (2) are under the school’s direct control with respect to the use and maintenance of the education records (e.g. such as through a memorandum of understanding that establishes data use restrictions and data protection requirements); (3) are using the information for the purposes for which the disclosure was made (e.g. to promote safety), and adhering to FERPA’s limits on re-disclosure of the information; and (4) meet the criteria specified in the school’s annual notification of FERPA rights for being “school officials” who have been determined to have “legitimate educational interests” in the education records.
There are many other clarifications in the December guidance and, as you know, HIPAA and FERPA invite many practical complexities concerning information management. If you have any questions or concerns regarding the guidance itself, how the guidance may impact the Illinois School Student Records Act, or any other student records issues, please feel free to contact your attorney at Hauser, Izzo, Petrarca, Gleason, and Stillman.