Back To CourseFERPA Training for Educators
3 chapters | 17 lessons
Yolanda holds a CELTA Cambridge, a Juris Doctorate, and a Master of Public Administration. She is a published author of fiction in Spanish.
When you visit your doctor for any health issue, you know that your health records remain confidential. If this were not the case, a pharmaceutical company could bombard you with offers, your employer might look at you differently, etc. For similar reasons, the Family Educational Rights and Privacy Act (FERPA) ensures the confidentiality of personal data that a school has about its students, including health records. If a student is under 18 years of age, a school can only release data with a parent or legal guardian's authorization . When a student becomes 18 years of age, the school must get his or her authorization to release data.
Now that you understand the basic principle of privacy for health records under FERPA, let's learn about a similar law: the Health Insurance Portability and Accountability Act (HIPAA). This law contains a Privacy Rule that prohibits the release of protected health information (PHI) to third parties without authorization of the patient or their representative.
As you can see, both FERPA and HIPAA concern the privacy of health related information.
However, the two laws often cause misunderstandings. The reason is that schools which receive funding from the federal Department of Education must adhere to both FERPA rules and HIPAA rules regarding privacy if they are covered entities, i.e. schools. Let's explore a practical case.
Imagine that a school has a health clinic that attends to the needs of students as part of its normal activities. John faints one day because of low blood sugar, while Lisa shows up with horrible cramps, and Tom, a student who has asthma, has an attack and does not have his inhaler. The school takes care of these cases and keeps a treatment record of each student. In principle, such records cannot be released to third parties (as FERPA protects the right to privacy, as discussed above). Also, given that the school attends to the medical needs of students, its clinic is considered a health provider under HIPAA and, thus, the HIPAA Privacy Rule applies as well. There is no conflict here.
But let's now imagine that the health clinic operates through a contract with an insurance company which, therefore, is the provider of health services for the school. The school gets ready to submit a reimbursement claim for the medical supplies used in treating John, Lisa, and Tom. To do so, the school needs to provide, in electronic format, the information about what happened with John, Lisa, and Tom to the insurance company.
The moment the school's clinic performs this electronic transaction, this clinic is a covered entity according to HIPAA. This is when the conflict begins because, on the one hand, FERPA prohibits the disclosure of health related information to third parties without written consent. However, HIPAA also protects the privacy of information, and this act allows covered entities to release information when electronic transactions are performed.
You might think this is a contradiction in the system that is confusing for school staff members. However, HIPAA does NOT contradict itself; in fact, it actually reinforces FERPA. HIPAA lists certain health documentation that is not included as protected by its Privacy Rule simply because FERPA already protects it. This is the case regarding education records.
This legal scenario means that school staff members must protect the education records for John, Lisa, and Tom because FERPA mandates that they do so. Medical records are part of education records. However, FERPA has determined that treatment records are not part of the education records. These treatment records can only be released to individuals who provide treatment. So, in our example this means that the treatment records for John, Lisa, and Tom can be given to the treatment provider which, in this case, is the health insurance company.
Now, let's imagine that the school has a health clinic that works with funding from the U.S. Department of Education and, thus, adheres to FERPA at all times. In this case, no electronic transaction with anyone else is needed. Thus, the concept of covered entity under HIPAA does not apply. Moreover, the confusion about whether it is okay to release treatment records to others does not even begin.
The table below provides an overview of the privacy rules and the aspect of sharing health records as per both laws.
|protects privacy of student education records, including health data||protects privacy of health related data|
|privacy rule applies to all school staff||privacy rule applies to school health providers|
|applies to schools that receive funding from the Department of Education||applies to health providers that qualify as covered entities as per its definitions|
|allows schools to release treatment records if needed||allows covered entities to release treatment records only to treatment providers|
Now, take a look at this table for an overview of the cases for schools:
|School IS a covered entity as per HIPAA||School is NOT a covered entity as per HIPAA|
|because the school does electronic transactions with a health company||because the school simply provides healthcare to students as part of its regular operation|
|school can release treatment records to providers||HIPAA does not apply|
|school would release treatment records in the context of electronic transactions||school would not have electronic transactions with third parties|
Both FERPA and HIPAA protect the right of people have to privacy over their health records. When a school provides regular healthcare to students without the aid of a third party, the school simply adheres to FERPA's mandate to protect the health records of students. If a school performs an electronic transaction with a health provider who is a third party, such school becomes a covered entity under HIPAA, which allows entities to release health information in the context of those transactions. Both FERPA and HIPAA deem that treatment records of a student can be released only to treatment providers without consent.
To unlock this lesson you must be a Study.com Member.
Create your account
Already a member? Log InBack
Did you know… We have over 160 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.
To learn more, visit our Earning Credit Page
Not sure what college you want to attend yet? Study.com has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.
Back To CourseFERPA Training for Educators
3 chapters | 17 lessons
Next LessonTransferring School Disciplinary Records under FERPA