Is HIPAA Applicable to Schools?

HIPAA applies to healthcare companies, health plans, healthcare clearinghouses, and business associates of those entities, but is HIPAA applicable to schools as well? This post explores how HIPAA applies to schools and how it intersects with the Family Educational Rights and Privacy Act (FERPA).

In general, HIPAA doesn’t apply to schools because they are not HIPAA covered entities. In particular cases, however, a school can be a covered entity when it provides healthcare services to students. Even in such instances, HIPAA may still not be applicable, since any student health data gathered would be contained in the students’ education records, and education records are exempt from the HIPAA Privacy Rule but are covered by FERPA.

A growing number of schools are providing healthcare services to their students. Certain schools employ medical experts, a few have on-site health clinics, and schools frequently distribute medications and administer vaccines. When healthcare services are given, health information is gathered, stored, maintained, and transmitted. Even when a school employs nurses, physicians, or psychologists, schools are not generally categorized as covered entities, since they do not electronically perform healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards. The majority of schools fall into this category of non-covered entities, and therefore HIPAA does not apply to them.

Several schools hire a healthcare organization that conducts electronic transactions for which the HHS has implemented standards. In this instance, the school is categorized as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules should be followed when there are electronic transactions, but it wouldn’t be mandatory to comply with the HIPAA Privacy Rule when healthcare data is saved in education records, which are covered by FERPA. When health information is kept in education records, it isn’t categorized as protected health information (PHI) and is consequently not covered by the HIPAA Privacy Rule. However, the school would need to comply with FERPA privacy requirements.

One circumstance where the HIPAA Privacy Rule would be applicable is when a healthcare specialist who is not employed by the school gives medical services, such as vaccinations, at the school. In this scenario, the healthcare specialist must comply with HIPAA, HIPAA would cover the data while it is kept by the specialist, and that individual should get authorization before disclosing health information to the school. Once that data is added to the student’s education records, FERPA would apply instead of HIPAA.

FERPA, HIPAA, and Private Schools

FERPA covers all educational institutions that get direct funding via programs administered by the Department of Education. FERPA consequently covers public schools. Private schools are not usually covered by FERPA since they receive no federal funding from the Department of Education. When a private school isn’t covered by FERPA, it may or may not be covered by HIPAA, depending on whether it executes electronic transactions for which there are standards required by the HHS. If it does, it must adhere to HIPAA; if not, neither HIPAA nor FERPA would apply.

Additional Information

To help clarify issues regarding health information disclosures under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights updated their joint guidance in December 2019. The updated guidance is accessible at this link.