To: Tracy Miller, Privacy Officer, and Howard Saxner, Deputy General Counsel
From: Jennings Aske, J.D.
Re: FERPA and HIPAA
Date: October 30, 2003

Introduction

Is a school health program or its staff covered by the HIPAA Privacy, Security or Transaction Rules 1 if it transmits any information electronically in connection with a HIPAA standard transaction? Many questions have been raised regarding the interplay of the Health Insurance Portability and Accountability Act (HIPAA) 2 and the Family Educational Rights and Privacy Act (FERPA) 3. Based on an analysis of available materials, and until the U.S. Department of Health and Human Services (HHS) provides guidance to the contrary, the Massachusetts Department of Public Health (DPH) concludes:

  1. School health programs and staff at FERPA-covered schools do not have to comply with any of the Privacy or Security Rule's requirements in relation to any health information in education records protected by FERPA even if they transmit any information electronically in connection with a standard transaction.
  2. Non-FERPA school health programs and staff engaging in a standard transaction are covered entities for purposes of the Privacy and Security Rules, and must comply with their requirements for protecting health information.
  3. Both FERPA-covered and non-FERPA covered school health programs and staff that transmit any information electronically in connection with a standard transaction must comply with the requirements of the Transaction Rule.
  4. A school nurse's personal notes containing health information are not subject to any regulation, including the HIPAA Privacy Rule, so long as they are solely used by the nurse who created and maintains the record or their substitute. Any other use or disclosure turns the record into an education record subject to the requirements of FERPA.

Analysis

Do school health programs and their staff have to comply with the Transaction Rule?
The answer depends on whether health care providers, including school health programs and staff, transmit any health information in electronic form in connection with a HIPAA standard transaction, making them a covered entity under HIPAA. Covered entities must comply with the requirements of the Transaction Rule, including the use of specified data elements and transaction codes, when engaging in a standard transaction. 4

There are eight standard transactions under HIPAA, including the billing of third-party payers such as a health plan. Thus, school health programs that transmit any health information in electronic form when billing an insurer (or in connection with any other standard transaction) are covered entities and will have to comply with the requirements of the Transaction Rule when engaging in a standard transaction. School health program staff that are unsure of their potential coverage under the Transaction Rule should speak with school officials or counsel regarding this issue.

One important aspect of the Transaction Rule is that it does not apply to health care providers when billing by paper; nor does the Transaction Rule require providers to switch to electronic billing.

Finally, it should be emphasized that most school nurses will probably never transmit any health information in electronic form in connection with a standard transaction and thus will not have to follow HIPAA's Transaction requirements.

Do school health programs that must comply with the Transaction Rule also have to comply with the HIPAA Privacy and Security Rules?
The following analysis describes the process for determining a health care provider's coverage and responsibilities under the Privacy and Security Rules:

  1. Providers are considered covered entities and must comply with these rules when they transmit any health information in electronic form in connection with a [standard] transaction. 5
  2. The rules' "standards, requirements, and implementation specifications . . . apply to covered entities with respect to protected health information (PHI)." 6

However, not all records containing health information are considered PHI. The Privacy and Security Rules specifically exclude from the definition of PHI any individually identifiable health information in education records protected by FERPA. 7 Therefore, education records as defined by FERPA are not subject to the requirements of the Privacy and Security Rules.

Which entities are covered by FERPA?
FERPA applies to educational agencies or institutions that receive federal funds under any program administered by the Secretary of Education (FERPA-covered). 8 Educational agencies or institutions that do not receive federal funds (non-FERPA) are not subject to FERPA's requirements.

What does FERPA require?
FERPA-covered schools must allow parents the right to inspect and review their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of information from the records. Thus, FERPA establishes a series of privacy protections and access requirements, similar to the Privacy Rule. FERPA's protections also apply to the oral disclosure of information contained in an education record. 9

What are education records?
FERPA defines "educational records" as "those records, files, documents, and other materials" that:

  • "Contain information directly related to a student;" and
  • "Are maintained by an educational agency or institution or by a person acting for such agency or institution." 10

Are medical and billing information, including claims for Medicaid reimbursement, considered education records?
Claims for Medicaid reimbursement transmitted electronically are standard transactions, which typically would subject the health care provider to requirements of the Privacy and Security Rules in relation to the health information associated with the claim. However, the Department concludes that FERPA-covered schools should continue to follow FERPA's requirements regarding these records, rather than those of the Privacy and Security Rule.

Several years before HIPAA's implementation date, the US Department of Education stated that medical records maintained by schools were to be treated as educational records protected by FERPA, even when the records contained claims for Medicaid reimbursement:

[A]ny records relating to a minor student's health, such as medical or psychological records, which are maintained by an educational agency or institution or a party acting for the agency or institution are "education records" under FERPA. 11

There has been no indication from HHS or the Department of Education that these records are no longer to be treated as education records as defined by FERPA. Also, the commentary to the Final Privacy Rule makes clear that HHS did not want to disturb FERPA's protection of these records:

We exclud[ed] education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA. 12

HIPAA's Effect on Nurses' Personal Notes

Many school nurses maintain in their sole possession personal notes containing individually identifiable health information. Under FERPA, these personal notes are not considered education records so long as they are not revealed to anyone but a temporary substitute. 13 This allows the nurse to utilize and maintain these notes without following FERPA's requirements. However, the moment the notes are disclosed to anyone but a temporary substitute they become subject to FERPA's requirements.

Because the Privacy Rule is silent on the issue, the question arises of what effect HIPAA has on personal notes. Complicating the analysis is the fact that a similar record under FERPA called a "treatment record" 14 is explicitly excepted from the Privacy Rule's requirements. 15 Helpful in addressing HHS' silence on this issue is the commentary to the final Privacy Rule, which addressed the effect of HIPAA on treatment records:

With regard to [treatment records], we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA's requirements and be relieved from its obligations under the privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student. 16

While the Privacy Rule is silent, the same logic should apply to personal notes. Applying the Rule's requirements to personal notes would subject the nurse to two sets of regulations, the same "unduly burdensome" approach that HHS explicitly avoided regarding treatment records.

Finally, HHS makes clear throughout the commentary that it did not have the "authority to disturb the scheme [Congress] had devised for records maintained by educational institutions and agencies under FERPA." 17 Therefore, the Department concludes, in light of HHS' silence on the issue, that a nurse's personal notes should be exempt from the Privacy Rule, consistent with Congress' mandate under FERPA that personal notes and treatment records are exempt from any regulation so long as they are not revealed to anyone but a temporary substitute.


Footnotes

1 The Privacy Rule is codified at 45 C.F.R. §§ 160 & 164.

2 PL 104-191, Aug. 21, 1996.

3 20 U.S.C. § 1232g.

4 The current standard transactions are:

  1. Health claims and equivalent encounter information.
  2. Enrollment and disenrollment in a health plan.
  3. Eligibility for a health plan.
  4. Health care payment and remittance advice.
  5. Health plan premium payments.
  6. Health claim status.
  7. Referral certification and authorization.
  8. Coordination of benefits.

See 45 C.F.R. § 160.102. The Transaction Rule is codified at 45 C.F.R. §§ 160 & 162.

5 45 C.F.R. § 160.102(a)(3).

6 45 C.F.R. § 164.500(a) (emphasis added). The Security Rule only applies to electronic protected health information. See 45 C.F.R. §§ 160.103 & 164.306.

7 45 C.F.R. § 164.501. Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

8 20 U.S.C. § 1232g(a)(1). School health programs and staff that are unsure of their FERPA coverage should speak with school officials and counsel regarding this issue.

9 Under U.S. DOE regulations, "disclosure" means "to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means." 34 C.F.R. § 99.3 (emphasis added).

10 20 U.S.C. § 1232g(a)(4)(a).

11 Letter to Dr. John T. Benson, Superintendent of Public Instruction, Wisconsin Dept. of Public Instruction, from U.S. Dept. of Education, dated July 22, 1997.

12 65 Fed. Reg. 82595.

13 20 U.S.C. 1232g(a)4(B)(i).

14 "Treatment records" are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student. 20 U.S.C. 1232g(a)4(B)(iv).

15 PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, and those records described at 20 U.S.C. 1232g(a)4(B)(iv). 45 C.F.R. § 164.501.

16 65 Fed. Reg. 82483 (emphasis added).

17 "We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA." Id.

 


This information is provided by the School Health Services within the Department of Public Health.