HHS Office for Civil Rights and the Department of Education Issue Updated Guidance on Sharing Student Health Records under HIPAA and FERPA: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

Having had the good fortune to be a HIPAA consultant for several universities, I am quite aware of the confusion that could result from possibly being regulated by both HIPAA and FERPA, the Family Educational Rights and Privacy Act. And even when the college or university is subject to both laws, which law controls in a particular situation?

FERPA, 20 U.S.C. § 1232g; 34 C.F.R. Part 99, protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level; such a student is known as an “eligible student.”

  • Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies. This is similar to the HIPAA requirement for protected health information (“PHI”).
  • Parents or eligible students have the right to request that a school correct records that they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information. This is quite similar to the HIPAA Privacy Rule for correction or amendment, except that HIPAA does not provide for a formal hearing.
  • Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 C.F.R. § 99.31):
    • School officials with legitimate educational interest;
    • Other schools to which a student is transferring;
    • Specified officials for audit or evaluation purposes;
    • Appropriate parties in connection with financial aid to a student;
    • Organizations conducting certain studies for or on behalf of the school;
    • Accrediting organizations;
    • To comply with a judicial order or lawfully issued subpoena;
    • Appropriate officials in cases of health and safety emergencies; and
    • State and local authorities, within a juvenile justice system, pursuant to specific state law.

Schools may disclose, without consent, “directory” information, such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Schools must, however, tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. Again, this requirement is somewhat similar to the HIPAA Privacy Rule right to request restriction of uses and disclosures.

The issue comes up with regard to student health information, which certainly can be included in student records. For example, if a student has a disability, such as legal blindness, so that they need an accommodation to take examinations, that fact can certainly be documented in student records. But does that health information implicate HIPAA? Maybe.

While FERPA applies to educational entities that receive DOE funds, HIPAA applies to “covered entities” and business associates of covered entities (somewhat simplistically stated as entities that provide a service to covered entities involving individually identifiable health information, such as transcription, billing, or cloud storage entities). Covered entities are health care providers who transmit one or more of the standard transactions (primarily billing transactions) electronically, health plans, health care clearinghouses, and Medicare prescription drug sponsors. A college or university would not seem to automatically fall into any of those categories. But what if it has a student health plan or a clinic? Then it may fall under HIPAA while already being regulated by FERPA.

Whether a student health clinic or plan is a covered entity is a complicated legal issue beyond the scope of this article. But many, if not most, are. Most of those regulated by HIPAA are covered because their student health plan qualifies them as a covered entity.

So, if a school’s health services qualify as a covered entity, the question about the interaction of HIPAA and FERPA is complicated by HIPAA’s preemption doctrine. Again, somewhat simplistically, HIPAA preempts (does away with) other laws, such as FERPA, that are inconsistent with HIPAA unless the other law provides more privacy protection than HIPAA does. Determining which law provides more protection is not always easy. That’s why the author only somewhat tongue-in-cheek calls HIPAA “The Health Lawyers’ Full Employment Act.”

But the current guidance at https://www.hhs.gov/sites/default/files/2019-hipaa-ferpa-joint-guidance-508.pdf, titled “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records,” at least provides some guidance as to how to address this complicated issue.

The HIPAA Privacy Rule requires covered entities to obtain a consent (an authorization) before sharing health information for purposes other than treatment, payment, or health care operations. The new guidance explains that, in emergencies and situations when an individual’s health is at risk, educational institutions and health care providers may disclose a student’s health information to someone in a position to prevent or lessen harm, including to family, friends, caregivers, and law enforcement. It states, “Healthcare providers may share (protected health information) with anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public—consistent with applicable law (which would include FERPA) and the provider’s standards of ethical conduct.”

The update also includes information on when protected health information or personally identifiable information can be shared about a student who poses a danger to himself or herself or others. Disclosures of health data to law enforcement and the National Instant Criminal Background Check System are also now included in the guidance.

The Secretary of Education said, about this update, “Confusion on when records can be shared should not stand in the way of protecting students while they are in school. This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”


If they haven’t done so already, educational institutions need to determine whether they are a covered entity that is required to comply with HIPAA and, if so, make sure that their disclosure policies and training result in compliance with both laws in these complicated yet dangerous situations. Again, read the entire guidance at the link above.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMHO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation, including a release of information policy and a right of access policy. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly, after restarting your heart, if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
