DoE and OCR Issues Updated Guidance on Sharing Student Health Records As Per FERPA and HIPAA

The Department of Education and the Department of Health and Human Services’ Office for Civil Rights made updates to the guidance on the sharing of student health records as per the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

The original guidance document was first introduced in November 2008 to assist school administrators and healthcare specialists know the application of FERPA and HIPAA to student educational and medical documents. The guidance consists of a number of Q&As that cover both laws. More questions and answers were included to clear up possible areas of confusion regarding how to apply HIPAA and FERPA to student documents, including when it is allowed to share student data under FERPA and the HIPAA Privacy Rule with no need to first obtain written consent.

HIPAA covers healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities. HIPAA does not generally apply to schools, given that medical information gathered by an educational institution would often be considered as educational information under FERPA. The HIPAA Privacy Rule excludes educational information as per the definition of protected health information (PHI), however, there are cases where HIPAA and FERPA intersect.

The HIPAA Privacy Rule demands obtaining consent prior to sharing health information for purposes other than treatment, payment, or healthcare operations. The guidance points out that in emergencies and circumstances when a person’s health is in danger, educational establishments and healthcare providers may share a student’s health records to a person capable to stop or minimize harm, including to family members, friends, health caregivers, and authorities.

The guidance claims that healthcare providers can disclose PHI with anybody as required to avoid or reduce a serious and impending threat to the wellness or safety of n individual, another person, or the public – in line with applicable regulation (for instance state statutes, regulations or case law) and the provider’s specifications of ethical conduct. It is additionally permissible to share psychotherapy notes and data concerning mental health problems and substance abuse conditions in specific circumstances. The update specifies the circumstances when these disclosures are allowed.

OCR Director Roger Severino stated that this revised resource empowers school officers, healthcare providers, and mental health experts by dispelling the misconception that HIPAA does not allow the sharing of health data in emergency situations.

The update likewise consists of details on when PHI or personally identifiable information can be shared without endangering a student or others. Furthermore, disclosures of health information to law enforcement and the National Instant Criminal Background Check System are integrated into the guidance now.

U.S. Secretary of Education Betsy DeVos states that confusion on when data could be shared must not hinder the protection of students while they are in school. This update can provide necessary clarity and help make certain that students obtain the assistance they need, and school officials have the facts needed to protect the students.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at