What you need to know about HIPAA and FERPA for Higher Education.
Understand the basics of HIPAA and FERPA specifically as they relate to higher education institutions.
Many institutions of higher education maintain medical information related to employees and students in a host of locations, including human resources files and student records.
College and university administrators unfamiliar with the nuances of HIPAA often believe the law imposes more obligations than it actually does.
Let’s walk through the differences between HIPAA and FERPA and where and when HIPAA applies in the higher education setting.
What is HIPAA (45 CFR Part 160 and Subparts A and E of Part 164)?
The Health Insurance Portability & Accountability Act imposes certain data privacy and data security requirements with respect to medical information and creates national standards to protect individuals' personal health information (PHI) and gives patients/clients increased access to their healthcare records.
Entities subject to the HIPAA Administrative Simplification Rules, known as “covered entities,” are health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions.
“Health care providers” include institutional providers of health or medical services, such as hospitals, as well as non-institutional providers, such as physicians, dentists, and other practitioners, along with any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.
Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan.
What is FERPA (20 U.S.C. § 1232g; 34 CFR Part 99)?
The Family Educational Rights & Privacy Act (FERPA) is a federal law that protects the privacy of students’ “education records,” including “treatment records.” In most college health settings, FERPA applies to care provided to students at student health and counseling services.
FERPA does not allow the disclosure of personally identifiable information from education records without a parent’s or eligible student’s written consent, unless the disclosure qualifies under one or more consent exceptions.
An “eligible student” is a student who is at least 18 years of age or who attends a postsecondary institution at any age.
The term “education records” is broadly defined to mean those records that are:
- directly related to a student, and
- maintained by an educational agency or institution or by a party acting for the agency or institution.
Where FERPA and HIPAA May Intersect
When a college or university provides health care to students and the general public in the normal course of business, such as through its health clinic, it is a “health care provider” as defined by HIPAA.
If that college or university also conducts any covered transactions electronically in connection with that health care, it is then a covered entity under HIPAA.
However, in this case any records regarding students would be covered under FERPA as either maintained “education records” or “treatment records,” both of which are excluded from coverage under the HIPAA Privacy Rule.
The records related to any member of the public, however, would need to be protected under HIPAA standards.
What about if the institution of higher education provides health insurance to its employees?
Human resources professionals who work in higher education sometimes mistakenly believe that all medical records held by an institution are subject to HIPAA’s privacy rule because the institution offers health insurance to its employees and, in doing so, is considered a HIPAA covered “health plan.” This is not the case.
Under HIPAA, health plans are considered to be separate legal entities from the institution that sponsors the plan.
This means that HIPAA’s privacy rule would apply if an employee, for instance, were providing documentation in support of an insurance claim, but not to the documentation that employee provides to their employer in support of an ADA accommodation request.
What does all of this mean in relation to student records?
As a matter of law, HIPAA applies only to “covered entities,” which includes health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions.
Postsecondary institutions generally do not engage in any of the covered transactions, such as billing health plans electronically for their services. Even when an institution is a covered entity, it still is usually not subject to the HIPAA Privacy Rule, because the student health information it maintains is kept as part of a student’s “education records” or “treatment records,” as those terms are defined under FERPA.
The HIPAA Privacy Rule expressly excludes student health information from its coverage if the information is already protected under FERPA. (See DOE/HHS guidance and the Jan. 2013 revisions to the HIPAA regulations.)
What does all of this mean to college or university employees?
Since HIPAA only applies to covered entities, there is no violation of HIPAA if Human Resources, a supervisor, an office mate, or a colleague asks if you have been vaccinated against COVID-19 (or any other vaccination, for that matter). In fact, there is nothing in HIPAA that would bar an employer from asking for proof that one’s vaccination status is accurate.
In a December guidance, the Equal Employment Opportunity Commission, which enforces federal workplace anti-discrimination laws, essentially confirmed that “there’s no indication that there’s any federal law that would be violated by the employer asking questions about vaccination status.”
That being said, while there is no prohibition against asking or requiring proof of vaccinations, you should seek guidance from your institution’s office of Human Resources if you have any questions in this regard because it is easy to get into dangerous territory.
Does HIPAA prohibit an institution from asking an employee or student for medical information?
No. HIPAA does not regulate the ability of institutions to request medical information from their employees and students for legitimate business reasons.
For example, if an employee refuses to provide a doctor’s note that her supervisor has requested to support a claimed sick day, arguing that HIPAA prohibits the supervisor from asking for it, the employee is wrong.
Similarly, HIPAA in no way protects a student from having to provide medical documentation to substantiate absences or to provide the basis for a request for accommodations under the Americans With Disabilities Act (ADA) or Section 504 of the Rehabilitation Act.