The Department of Education and the Department of Health and Human Services’ Office for Civil Rights made updates to the guidance on the sharing of student health records as per the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
The original guidance document was first introduced in November 2008 to assist school administrators and healthcare specialists know the application of FERPA and HIPAA to student educational and medical documents. The guidance consists of a number of Q&As that cover both laws. More questions and answers were included to clear up possible areas of confusion regarding how to apply HIPAA and FERPA to student documents, including when it is allowed to share student data under FERPA and the HIPAA Privacy Rule with no need to first obtain written consent.
HIPAA covers healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities. HIPAA does not generally apply to schools, given that medical information gathered by an educational institution would often be considered as educational information under FERPA. The HIPAA Privacy Rule excludes educational information as per the definition of protected health information (PHI), however, there are cases where HIPAA and FERPA intersect.
The HIPAA Privacy Rule demands obtaining consent prior to sharing health information for purposes other than treatment, payment, or healthcare operations. The guidance points out that in emergencies and circumstances when a person’s health is in danger, educational establishments and healthcare providers may share a student’s health records to a person capable to stop or minimize harm, including to family members, friends, health caregivers, and authorities.
The guidance claims that healthcare providers can disclose PHI with anybody as required to avoid or reduce a serious and impending threat to the wellness or safety of n individual, another person, or the public – in line with applicable regulation (for instance state statutes, regulations or case law) and the provider’s specifications of ethical conduct. It is additionally permissible to share psychotherapy notes and data concerning mental health problems and substance abuse conditions in specific circumstances. The update specifies the circumstances when these disclosures are allowed.
OCR Director Roger Severino stated that this revised resource empowers school officers, healthcare providers, and mental health experts by dispelling the misconception that HIPAA does not allow the sharing of health data in emergency situations.
The update likewise consists of details on when PHI or personally identifiable information can be shared without endangering a student or others. Furthermore, disclosures of health information to law enforcement and the National Instant Criminal Background Check System are integrated into the guidance now.
U.S. Secretary of Education Betsy DeVos states that confusion on when data could be shared must not hinder the protection of students while they are in school. This update can provide necessary clarity and help make certain that students obtain the assistance they need, and school officials have the facts needed to protect the students.