Exceptional Delaware wrote about the possibility of a state day treatment center being located in public schools, which raised an interesting question: how much does HIPAA apply to school-based mental health, and what falls under FERPA instead?
HIPAA, in case you are not aware, stands for the Health Insurance Portability and Accountability Act of 1996. The Privacy Rule issued under it by the U.S. Department of Health and Human Services sets privacy standards for health plans, health care clearinghouses and health care providers that transmit health information electronically (the “covered entities”), and for the business associates that handle health information on their behalf.
FERPA, as most of us I’m sure are aware, is the Family Educational Rights and Privacy Act, which governs the privacy of a student’s education records. The regulations implementing FERPA were changed under the Obama administration in ways that have caused great concern for those of us who care about student privacy, but more on that in a second.
I won’t get into the weeds on what is going on in the state because, well, I don’t completely understand it (I’m not sure they do either). Mental health treatment programs in public schools are not a foreign concept or unique to Delaware when you consider that many school districts themselves employ school psychologists and school social workers. Nor is the idea of third parties establishing programs in schools anything new.
So how does HIPAA apply to a school?
The U.S. Department of Health and Human Services states on its website that “most schools and school districts” do not have to follow HIPAA.
HHS delves further into this issue on another webpage that answers the question “Does the HIPAA Privacy Rule apply to an elementary or secondary school?” as follows:
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
In 2011 the U.S. Department of Education amended the FERPA regulations to broaden the parties that may receive personally identifiable information from a student’s education records, which, as HHS explains above, is exactly where a school’s student health records live. The relevant exception now reads:
(6)(i) The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to:
(A) Develop, validate, or administer predictive tests;
(B) Administer student aid programs; or
(C) Improve instruction.
This is one of several exceptions under which personally identifiable information from education records may be disclosed without parental or student consent.
This should be a cause for concern for those of us who care about student privacy.