In December 2019, the United
States Department of Health and Human Services and the United States Department
of Education issued joint guidance on the application of the Family Educational
Rights and Privacy Act(FERPA) and the Health Insurance Portability and
Accountability Act of 1996(HIPAA) to student health records. The newly issued guidance updates the
departments’ most recent joint guidance on the subject, which was last released
in November 2008. The following is a brief
refresher of the intersection of the two laws as they apply to elementary and
secondary schools, and some portions of the guidance that we feel may help you
navigate the intricacies of these laws. For
your reference, the guidance is available here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html
and https://studentprivacy.ed.gov/resources/joint-guidance-application-ferpa-and-hipaa-student-health-records
As
a reminder, most public elementary and secondary schools are not subject to
HIPAA because they are not “covered entities” as that term is defined under
HIPAA. In general, covered entities are
health plans, health care clearinghouses, and health care providers that
transmit health information electronically in covered transactions, such as
billing a health plan electronically for services. Even if a public elementary or secondary
school meets the definition of a covered entity under HIPAA, the health
information contained in student records is likely an “education record” under
FERPA, which is expressly excluded from HIPAA’s privacy rules. Therefore,
FERPA, not HIPAA, will be more likely to govern the disclosure parameters of
student health records in your school. Nevertheless,
the guidance provides clarification on certain instances in which disclosure of
protected health information under HIPAA and education records covered by FERPA
may occur without obtaining the student or parent’s written consent.
The
guidance’s first noteworthy point of clarification is that HIPAA allows health
care providers to disclose protected health information to school nurses and
other school health staff for treatment purposes. For example, if a school nurse is unsure about
the way a student’s medication should be administered, HIPAA allows the
student’s physician or other health care provider to guide the nurse on how the
medication is administered without parental consent. In the same vein, FERPA allows school
officials to verify information contained in a record with a third party. Therefore, if a dean wants to confirm a
doctor’s note excusing a student’s absence, FERPA allows the dean to disclose
the contents of the note with the purported doctor who wrote the note without
parental consent.
FERPA
also allows school nurses and other school officials to disclose information in
a student’s education records to the student’s physician without consent if a
health or safety emergency exists and the physician’s knowledge of the records
is necessary to protect the health or safety of the student or others. For example, if a student’s school health
records confirm that a student has an allergy to a medication used to treat
seizures, and the student is rushed from school to a hospital because of a
seizure, a school official may share with the hospital that the student is
allergic to the particular medication before the student arrives at the
hospital.
Additionally,
HIPAA allows health care providers to disclose protected health information to
anyone if the provider has a good faith belief that: (1) the disclosure is
necessary to prevent or lessen a serious and imminent threat; and (2) the
person to whom the disclosure is made is reasonably able to prevent or lessen
the threat. This open avenue of
communication under HIPAA could be valuable when school threat assessment teams
are assessing a potential student threat. FERPA has a similar exception to
disclosure without consent if the disclosure of personally identifiable
information in an education record is necessary to protect the health or safety
of the student or others.
Finally,
FERPA allows schools to disclose personally identifiable information in
education records to law enforcement officials who are not school
employees if the law enforcement officials: (1) perform a service for which the
school would otherwise use employees (e.g. to ensure safety); (2) are
under the school’s direct control with respect to the use and maintenance of
the education records (e.g. such as through a memorandum of
understanding that establishes data use restrictions and data protection
requirements); (3) are using the information for the purposes for which the
disclosure was made (e.g. to promote safety), and adhering to FERPA’s
limits on re-disclosure of the information; and (4) meet the criteria specified
in the school’s annual notification of FERPA rights for being “school
officials” who have been determined to have “legitimate educational interests”
in the education records.
There
are many other clarifications in the December guidance and, as you know, HIPAA
and FERPA invite many practical complexities concerning information management.
If you have any questions or concerns
regarding the guidance itself, how the guidance may impact the Illinois School
Student Records Act, or any other student records issues, please feel free to
contact your attorney at Hauser, Izzo, Petrarca, Gleason, and Stillman.