Understand Where FERPA Regulations/HIPAA Laws Might Intersect

FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act) differ in the kind of information they aim to protect, and this can create confusion about how the HIPAA Privacy Rule applies to educational bodies that adhere to FERPA standards. While HIPAA aims to protect a patient's information, FERPA is limited to protecting only a student's health information.


When HIPAA is Applicable to Schools
However, a school does act like a healthcare provider when it provides healthcare services to its students. If the school needs to conduct any transactions electronically, it functions much like the covered entities described in HIPAA's Privacy Rule standards, and the school is then covered under HIPAA regulations. In such cases, the school should ensure that it complies with the HIPAA Administrative Simplification Rules for Transactions and Code Sets and Identifiers. These HIPAA standards are aimed at maintaining the integrity of healthcare-related transactions.

When HIPAA is Not Applicable to Schools
Understandably, this does not apply to all schools. For instance, if the records maintained by the school are merely "education records" (also called "treatment records"), they need to comply with FERPA and not with the HIPAA Privacy Rule standards. Such schools are not required to comply with the HIPAA Privacy Rule because they are maintaining "education records" (as defined by FERPA) and not PHI, or Protected Health Information (as defined by HIPAA).

Some Exceptions
Among post-secondary institutions, the interpretation of FERPA's "education records" varies slightly. Here, the psychological treatment and other medical records of students are not covered as a part of "education records" if such records are shared for the sole purpose of treating the student, i.e. when disclosing such records is central to providing the appropriate treatment.

Such exceptions to FERPA are also applicable to the HIPAA Privacy Rule and the HIPAA Security Rule. This is because the Security Rule regulations apply to all the subsets of information included in the Privacy Rule (i.e. those related to the electronic form of PHI).

More information about the HIPAA Privacy Rule is available at:
http://www.hhs.gov/ocr/hipaa/
The exceptions to the definition of Protected Health Information in the HIPAA Privacy Rule are given in 45 CFR § 160.103, paragraphs (2)(i) and (2)(ii).
More information on the HIPAA Administrative Simplification Rules is available at: http://www.cms.hhs.gov/HIPAAGenInfo/