In recent decades, public health agencies and public schools have worked hand in glove, sharing health information about students in order to better understand the broader picture of teens’ overall health. In addition, schools have increasingly sought to give their students more and better health services. Seeing as schools may keep or request sensitive health information from the students or parents, it’s natural to wonder what laws cover the security and privacy of these documents.
These days, there are two major privacy laws – HIPAA and FERPA – that may or may not cover a student’s health records. Naturally, whether they do or don’t depends on your particular situation. That said, this article will attempt to wade the convoluted mire, illuminating you as to the differences between FERPA vs. HIPAA. Keep reading to discover more!
What is FERPA?
The 1974 Family Educational Rights and Privacy Act [FERPA] is a federal law that was created to protect the privacy of student educational and health records. It set out to limit access to records by public entities such as:
- Future employers
- Foreign governments
- Secondary educational institutions
According to the National Association of College Employers:
FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.
FERPA applies to any educational institution that receives funding from the U.S. Department of Education. That covers the vast majority of public schools and public school districts as well as most private and public postsecondary establishments, such as Law or Medical Schools. However, FERPA does not apply to private and religious schools at the elementary and secondary levels that aren’t government funded.
Broadly speaking, FERPA accomplishes two things:
- Prohibits any educational institution that is subject to its jurisdiction from disclosing educational records containing personally identifiable information [PII] without the student or their parent’s consent.
- Gives parents and eligible students – those over 18-years-old – the ability to review their educational records and request changes or corrections if they believe them to be wrong or misleading. Per the Department of Education, the basic rights granted to students via FERPA include:
- The right to inspect and review the student’s education records maintained by the school;
- The right to request that a school amend the student’s education records;
- The right to consent in writing to the disclosure of personally identifiable information from the student’s education record, except under certain permitted situation; and
- The right to file a complaint with the Family Policy Compliance Office (FPCO) regarding an alleged violation under FERPA.
Permitted Disclosures under FERPA
You should be aware that there are some exceptions to FERPA’s rules. Such exceptions are known as permitted disclosures, which allow information to be shared without individual authorization of a parent or a student over the age of 18. According to the CDC, examples of permitted disclosure include:
- Accrediting organizations
- Appropriate officials in cases of health and safety emergencies
- Appropriate parties in connection with financial aid to a student
- Organizations conducting certain studies for or on behalf of the school
- School officials
- Schools to which a student is transferring
- Specified officials for audit or evaluation purposes
- State and local authorities, within a juvenile justice system, pursuant to specific State law
- To comply with a judicial order or lawfully issued subpoena
What is HIPAA?
As it was originally envisioned, the Clinton administration saw HIPAA as their opportunity to update the American healthcare system in accordance with the digital age. At the time, most private health records were stored physically, and the American government wanted to transition towards electronic record keeping. In response to the changing times, HIPAA sought to accomplish three tasks:
- Encourage medical entities to transfer all of their health records to a digital format for easy storage, sharing, and dissemination of electronic health records (EHR) amongst healthcare entities.
- Create controls to protect electronic health records, individuals’ privacy, and prevent fraud.
- Ensure that workers who had preexisting conditions or who were in between jobs could obtain private health insurance coverage.
HIPAA was composed of five primary titles:
- Created guidelines to guarantee coverage for workers who had preexisting conditions or who had lost or changed jobs.
- Directed DHHS to set forth a standardized practice for processing, safeguarding, and sharing electronic health care transactions and patient data.
- Outlined general medical care standards and tax-related provisions for deductions.
- Detailed provisions for individuals with preexisting conditions.
- Described provisions for the treatment of individuals who had lost citizenship due to income tax issues.
Today, HIPAA applies specifically to two parties:
- Covered entities – Any healthcare provider who electronically sends protected health information [PHI]. This includes healthcare clearinghouses, health plans, and health care providers.
- Business associates – Any company that acts on behalf of the covered entity and that may have access to such PHI. This includes tangential businesses responsible for tasks such as data analysis, utilization review, consulting, and billing.
Amendments to HIPAA
Over the years, the government sought ways to encourage compliance with HIPAA and ensure the privacy and security of PHI. Steps they took included adding the following:
Despite these efforts, there were still glaring issues that were not fixed until the release of the Health Information Technology for Economic and Clinical Health [HITECH] Act in 2009. This act empowered HHS’ Office for Civil Rights [OCR], giving it more authority to demand compliance and recommend penalties for breaches of HIPAA.
Today, HIPAA provides you, the patient, with 8 specific rights:
- Right to a Notice of Privacy Practices
- Right to complain to the Secretary of Health
- Right to inspect and copy your record
- Right to mandate some disclosure restrictions if you pay out of pocket
- Right to receive an accounting of disclosures
- Right to request amendment
- Right to request confidential communication
- Right to request use and disclosure restrictions
Permitted Disclosures Under HIPAA
Similarly to FERPA, there are some instances in which a patient needn’t be notified as to the disclosure of their health records. Per the CDC, permitted disclosures include:
- Incident to an otherwise permitted use and disclosure
- Limited dataset for the purposes of research, public health, or healthcare operations
- Public interest and benefit activities (e.g., public health activities, victims of abuse or neglect, decedents, research, law enforcement purposes, serious threat to health and safety)
- To the individual
- Treatment, payment, and healthcare operations
- Uses and disclosures with the opportunity to agree or object by asking the individual or giving an opportunity to agree or object
In addition, according to the Department of Education, disclosure is allowed if:
The covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat. This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief can mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct.
FERPA vs. HIPAA: What You Need to Know
Now that you have a better grasp as to how each of these privacy laws applies individually, we can dive into the nitty-gritty of FERPA vs. HIPAA.
Is there an Overlap between FERPA and HIPAA?
Although both acts were designed to provide better protection to individuals in regard to their private health information, they typically operate in separate spheres. That said, there are some instances where you will see some overlap between the two. Examples of this include the following:
- If a public school provides a student with healthcare services and then files a claim for an electronic payment, the educational records are not covered by HIPAA, but the claim must be filed in accordance with FERPA. On the other hand, if a private school files a claim for electronic payment, FERPA doesn’t apply while HIPAA rules do.
- According to HHS, “FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity.”
- If a student receives treatment at a hospital affiliated with an institution that is subject to FERPA, the records would still fall under HIPAA’s protection. However, if there are no claims filed, such health records would then be considered education or treatment records, which are covered by FERPA.
- Some institutions can be categorized as covered entities if they provide health care services to non-students. In such cases, HIPAA protects access to such health records.
What Private Information is Safeguarded?
Although HIPAA and FERPA cover an individual’s privacy, they do not cover the exact same subjects.
FERPA protects public school student’s information as follows:
- Personally identifiable information – Names, address, Social Security Number, date of birth.
- Education record – School records that are directly related to the student and kept by the educational institution.
- Health records – Immunizations, checkups, or notes and records kept by the school nurse fall under the umbrella of “educational record.”
It should be noted that schools can disclose “directory information” about students without their consent. This usually includes general information such as:
- Phone number
- Dates of attendance
- Honors and awards
- Date and place of birth
However, schools are required to inform parents about directory information and provide them with ample opportunity to request that such information is not disclosed.
HIPAA safeguards a patient’s protected health information. According to the HIPAA journal, this includes any of the following information:
- Account numbers
- All geographical identifiers smaller than a state
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
- Biometric identifiers, including finger, retinal, and voiceprints
- Certificate/license numbers
- Dates (other than year) directly related to an individual
- Device identifiers and serial numbers;
- Email addresses
- Fax numbers
- Full face photographic images and any comparable images
- Health insurance beneficiary numbers
- Internet Protocol address numbers
- Medical record numbers
- Phone Numbers
- Social Security numbers
- Vehicle identifiers
- Web Uniform Resource Locators
You should be aware of the fact that educational records that are covered by FERPA are specifically omitted from the HIPAA definition of PHI.
Penalties for Violating FERPA and HIPAA
Naturally, there are consequences to violating the rules of either of privacy act.
If there are concerns that an educational institution violated FERPA, a complaint must be filed with the Family Policy Compliance Office. From there, the office will investigate the complaint. If they find the school is guilty of violations penalties can include:
- Temporary suspension of access
- Possible prosecution under criminal codes
- Dismissal or Termination
- The institution loses federal funding
HIPAA created a tiered penalty system that factors the covered entity’s awareness of the violations, in addition to their response upon discovery.
- Tier 1 – The entity did not knowingly violate HIPAA and would not have done so had it done its due diligence.
- Results in a penalty ranging from $100 to $50,000 in fines per violation with an annual maximum of $1,500,000.
- Tier 2 – The entity was aware or should have been aware of the violation, particularly had it done its due diligence.
- Results in a penalty ranging from $1000 to $50,000 in fines per violation with an annual maximum of $1,500,000.
- Tier 3 – The entity willfully ignored the rules of HIPAA but then corrected any issues within 30 days of their discovery.
- Results in a penalty ranging from $10,000 to $50,000 in fines per violation with an annual maximum of $1,500,000.
- Tier 4 – The entity willfully neglected the rules of HIPAA and then made no corrective actions.
- Results in a penalty of $50,000 in fines per violation with an annual maximum of $1,500,000.
Staying Compliant with Both HIPAA and FERPA
If you walk the narrow road between both privacy acts, there are steps you can take to ensure the privacy of any sensitive information. This includes adding security measures such as data encryption, VPN, and dual-authentication. Furthermore, it’s essential that you take the time to educate and train your staff about the importance of abiding by both HIPAA and FERPA.
At RSI Security, we provide expert data security and guidance so that you can achieve compliance regardless of the security standards your business needs to meet. Together, we can help you navigate this quagmire and ensure that your business is doing its best to protect the private information of students, patients, and customers.
George, C. National Association of Colleges and Employers. FERPA Primer: The Basics and Beyond. (2015). https://www.naceweb.org/public-policy-and-legal/legal-issues/ferpa-primer-the-basics-and-beyond/
U.S. Department of Education. Family Educational Rights and Privacy Act (FERPA).
CDC. HIPAA vs. FERPA infographic. https://www.cdc.gov/phlp/docs/hipaa-ferpa-infographic-508.pdf
Privacy Rights Clearinghouse. Your medical Information and your Rights. https://www.privacyrights.org/consumer-guides/your-medical-information-and-your-rights-california-medical-privacy-series
U.S. Department of Health and Human Services. Joint Guidance on the Application of the FERPA and Privacy Act. (2008). https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf
Health and Human Services. Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions? https://www.hhs.gov/hipaa/for-professionals/faq/518/does-ferpa-or-hipaa-apply-to-records-on-students-at-health-clinics/index.html
HIPAA Journal. What is Protected Health Information. (2018). https://www.hipaajournal.com/what-is-protected-health-information/