More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA.
New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6 topics caught my attention:
- Emergency Situations. A new section on when disclosures may be made in emergency situations under HIPAA paraphrases a 2014 HHS Bulletin and FAQ issued, respectively, following the Ebola outbreak and questions about disclosure standards in the wake of the shooting at the Pulse Nightclub in Orlando (see here for my 2016 post on this topic). It also incorporates DOE guidance and regulatory preamble statements concerning disclosure of FERPA-protected information in the event of a health or safety emergency.
- School-Employed Health Care Providers. The 2019 Update also includes a clarified description of when a school that employs a health care provider and conducts covered transactions electronically is subject to the FERPA privacy standards instead of the HIPAA privacy standards. The prior guidance stated that even when a school is a covered entity under HIPAA, it might not have protected health information. The 2019 Update more helpfully states that compliance with “the HIPAA Rules” is not required where the school’s only health records are considered “education records” or “treatment records” under FERPA (note that the 2019 Update would be even more helpful if it added the word “Privacy” between “HIPAA” and “Rules”, since such a school would still be subject to the HIPAA “Transactions Rule” when submitting claims electronically).
- University-Affiliated Hospitals and Clinics. Records maintained by a hospital affiliated with a university that is subject to FERPA are generally subject to HIPAA because the hospital provides health services to individuals regardless of whether they are students of the university. On the other hand, if the hospital runs a separate student health clinic, those clinic records are subject to FERPA as either “education records” or “treatment records”.
- Disclosure for Treatment, Payment and “Legitimate Educational Interests” Purposes. Under FERPA, “treatment records” (see 34 C.F.R. 99.3) must be made, maintained, and used only in connection with treatment. They can be disclosed to treating health care professionals who are not part of or acting on behalf of the school, if used solely for treatment. However, if the records are used for billing, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution). However, schools can share information, including health and medical information, from a student’s education record without prior written consent with teachers and other school officials if they have “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights. On the other hand, HIPAA allows protected health information to be disclosed to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices.
- Disclosure to Parents. Under FERPA, a physician at a university-operated health clinic may disclose information from the education records of an eligible student without the student’s consent: (i) if the student is claimed as a dependent for federal tax purposes; (ii) in connection with a health or safety emergency if disclosure is needed to protect the student or other persons; or (iii) if the eligible student is under the age of 21, disclosing that the student has committed a disciplinary violation related to the use or possession of alcohol or a controlled substance. FERPA also allows an educational agency or institution to disclose education records of a deceased eligible student to the parent or other third party “at its discretion or consistent with State law.” The privacy rights of a non-eligible student rest with the parent(s), but once the “parents are deceased, the records are no longer protected by FERPA.” On the other hand, HIPAA generally allows covered entities to disclose protected health information about a minor child to the child’s parent or personal representative when consistent with State law. However, if the minor is permitted to receive treatment without a parent’s consent under State law, HIPAA only permits parental disclosure in limited situations, like when the minor presents serious danger to self or others. With respect to deceased students, HIPAA defers to applicable State law to determine who can make disclosure decisions following death.
- Disclosure to the National Instant Criminal Background Check System (NICS). While HIPAA generally does not permit a school-based health care provider to report a student to NICS (see here for Fox partner Bill Maruca’s post on this topic), FERPA generally permits the records of a law enforcement unit of an educational agency or institution to be reported to NICS without prior written consent.
These 6 topics and the related clarifications reveal two sobering realities. First, in this age of mass shootings and public health emergencies, there’s a risk that efforts to comply with privacy laws will get in the way of effective emergency response. Second, the inconsistencies and complexity of various U.S. privacy laws are likely to mean continued confusion, despite the best efforts of HHS, DOE, and other state and federal agencies to provide clarification.