Can we settle down about HIPAA now?

Last month the Department of Education and Department of Health and Human Services issued a 25-page document offering “Joint Guidance” on the application of FERPA and HIPAA to student health records.  This Guidance should ease some concerns about how HIPAA impacts public schools.  In a section that addresses the intersection of these two laws the Guidance says “In a few limited circumstances, an educational agency or institution subject to FERPA can also be subject to HIPAA.”

Only in “a few limited circumstances”?  Yes. Here’s why.

The privacy rules regarding HIPAA only apply to “covered entities,” such as “health care providers.” As a general rule, K-12 schools are not “health care providers.”  The Guidance specifically says that the employment of nurses, psychologists and other health care providers does not make the school a “health care provider” for purposes of HIPAA.  If you are not a “health care provider” you are not a “covered entity” under HIPAA, and so you don’t have to comply with it. But read on. 

The school would be a “covered entity” under HIPAA if it employs “a health care provider that bills Medicaid electronically for services provided to a student under IDEA.”  Many Texas school districts  do this, thus making them “covered entities” under HIPAA.  But read on.

Even though the Medicaid billing brings the school into the status of a “covered entity” it is not required to comply with HIPAA privacy standards if the health information it maintains is contained in “education records,” which is usually the case.  But read on. 

The reason you don’t have to comply with HIPAA privacy standards is because those education records are already covered by FERPA.  So there are confidentiality rules and regulations, but they come from FERPA, not HIPAA.

Tomorrow we will tell you what this new Guidance tells us about dealing with sensitive information in a time of crisis.  Want to read this stuff for yourself?  Be my guest:

2019 HIPAA FERPA Joint Guidance


Tomorrow: We have a threat. Who can we tell?