How does HIPAA Impact Educational Institutions & Schools?


HIPAA has a big impact on healthcare providers, health plans, healthcare clearinghouses, and business associates of those HIPAA-covered entities, but how does HIPAA impact schools and educational institutions?

Previously we looked into how HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA).

Does HIPAA Impact Schools & Educational Institutions?

In most ways, HIPAA does not impact schools and educational institutions, as they are not HIPAA covered entities, but in some instances a school can be a covered entity if healthcare services are provided to students. In such instances, HIPAA may still not be a governing factor, as any student health information collected would be included in the students’ education records, and education records are not covered by the HIPAA Privacy Rule because they are covered by FERPA.

A growing number of schools are providing healthcare services for their students. Medical workers are hired by some schools, some have on-site health clinics, and they often dispense medications and supply vaccines. When healthcare services are supplied, health information will be collected, stored, maintained, and shared. Even if a school hires nurses, psychologists, or physicians, schools are not usually classified as covered entities because they do not conduct healthcare transactions electronically for which the Department of Health and Human Services has implemented standards. Most schools are included in this category and are not covered entities, so HIPAA does not apply.

Some schools appoint a healthcare provider that carries out transactions electronically for which the HHS has created standards. In this instance, the school would be classed as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules would have to be adhered to when electronic transactions are completed, but it would not be a requirement to comply with the HIPAA Privacy Rule if healthcare data is held in education records, which are covered by FERPA. If health information is held in education records, it is not classified as protected health information and is therefore not covered by the HIPAA Privacy Rule. The school would, however, have to comply with the data privacy requirements of FERPA.

One occasion where the HIPAA Privacy Rule would apply is when a healthcare specialist supplies medical services such as vaccinations at the school but is not employed by the school. In this instance, the healthcare professional would be required to comply with HIPAA, the records would be covered by HIPAA while they are held by the healthcare professional, and that individual would be required to confirm authorization before the health information is shared with the school. When those records are added to the student’s education records by the school, FERPA would apply rather than HIPAA.

FERPA, HIPAA, Private Schools & Educational Institutions

FERPA applies to all educational bodies that receive direct funding through programs administered by the U.S. Department of Education. FERPA therefore applies to public schools, but private schools are not normally governed by FERPA, as they do not receive federal funding directly from the Department of Education. If a private school is not covered by FERPA, it may or may not be covered by HIPAA, depending on whether it completes electronic transactions for which the HHS has created standards. If it does, it would be required to comply with HIPAA; if not, neither HIPAA nor FERPA would be applicable.

More Information on this

To help clear up any confusion in relation to sharing health information under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights updated their joint guidance in December 2019. The updated guidance is available here.