Home » School Nurse Best Practice Manual » HIPPA & FERPA

HIPPA & FERPA

Privacy in the School Setting
HIPPA & FERPA

 

HIPPA

 The Health Insurance Portability and Accountability Act (HIPAA) addresses the use and disclosure of individuals’ health information, called “protected health information” by organizations called “covered entities,” as well as standards for individuals to understand and control how their health information is used. A major goal of HIPAA is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well-being. The HIPAA Privacy Rule governs the release of protected health information by physicians and other healthcare providers [1]. The HIPAA Privacy Rule allows covered healthcare providers to disclose protected health information about students to school nurses, physicians, or other healthcare providers for treatment purposes, without the authorization of the student or student’s parent (See 45 CFR § 164.506). For example, a student’s primary care physician may discuss the student’s medication and other healthcare needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. Generally, the HIPAA Privacy Rule does not apply to public elementary and secondary schools [2]. At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic that receives funds under any program administered by the U.S. Department of Education, are “education records” subject to the Family Educational Rights and Privacy Act (FERPA).

FERPA

FERPA is a federal law that protects the privacy of students’ education records (See 20 U.S.C. § 1232g; 34 CFR Part 99). FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and many private schools. [1] Assumes physicians and healthcare providers conduct certain electronic transactions such as processing claims. [2] In most cases, the HIPAA Privacy Rule does not apply an elementary or secondary school because the school either; (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore is not subject to the HIPAA Privacy Rule.

Generally, under FERPA, school nurses are not allowed to disclose education records without parent consent. School nurses may disclose educational records without parent consent if the circumstance meets one of the exceptions to FERPA’s general consent requirements which include:

• School officials, including teachers, that the school or district has determined to have "legitimate educational interests."

• In an emergency "if knowledge of the information is necessary to protect the health or safety of the student or other individuals" (See 34 CFR §§ 99.31(a)(1) and 99.36).

• Instances of abuse or neglect.

• Mandatory reporting of communicable diseases classified as immediate or within 24 hours.

• Information that is required by a school to which the student is transferring.

• Certain legal situations including subpoenas or investigations of criminal offenses.

Parents have a right under FERPA to inspect and review these health and medical records because they are “education records” under FERPA (See 34 CFR §§ 99.10 – 99.12). In addition, these records may not be shared with third parties without written parental consent unless the disclosure meets one of the exceptions to FERPA’s general consent requirement. Thus, under HIPAA, providers may discuss a student’s health issues with the school nurse; but the school nurse, under FERPA, must obtain parent permission before discussing the student’s health information with the provider. 

RECOMMENDATIONS

  • To facilitate open communication between schools and providers, parents and/or guardians of students with health conditions are encouraged to sign medical releases for both the school nurse and the provider.
     
  • Schools should establish policies that address appropriate communication between school staff, parents, and outside entities. Those who oversee the healthcare of children attending school should establish a mechanism for regular and timely communication between all appropriately designated parties. While maintaining the confidentiality of student health information, email, text messaging, and phone contact should be easily accessible between these parties.
     
  • A written individual healthcare plan should be in place for all children who have treatment orders prescribed for actual or potential implementation during the school day or at extracurricular activities. This health plan should be reviewed with all parties on at least an annual basis.
     
  • Changes to the health plan should be communicated in an expedited manner, whether from caregiver or health provider. Implementation of new medication or treatment orders should commence within one school day of the orders being sent to the school.
     
  • Feedback from each involved partner (school nurse, parent/guardian, and healthcare provider) should be welcomed and documented in the school and provider health record.

FERPA FAQ'S

  1. What laws and rules regulate confidentiality of health information in public schools?

FERPA, HIPAA, and the confidentiality required by one's nursing license all may contribute to the constraints placed on public school nurses.

  1. What is FERPA?

The Family Educational Rights and Privacy Act is a federal law that outlines who has access to education records. It applies to all schools that receive federal funds from any program administered by the U.S. Department of Education.

  1. Does FERPA apply to school health records?

Yes. Student health records maintained by school employees are considered part of the education record.

  1. What about HIPAA?

How does that affect school health services? The Health Insurance Portability and Accountability Act is another federal law that dictates how health records are to be handled. A school is subject to HIPAA only if it provides medical care and electronically transmits health information as part of a "covered transaction" (e.g., billing) (45 CFR §160.103). For most schools, HIPAA will only be an issue when you communicate with a student's medical provider. While you are not regulated by HIPAA, almost all medical practitioners you deal with are covered by HIPAA. They cannot disclose protected medical information without authorization except for treatment purposes, payment, and operational purposes. Since "treatment purposes" is one of the exceptions, a practitioner may relay or clarify treatment orders to individuals involved in the treatment of that patient (e.g., school nurse) without obtaining authorization. Some medical offices may not have a thorough understanding of HIPAA. While it is entirely legal for them to clarify treatment plans, etc., without authorization, many offices may still refuse to do so. You might consider sharing the above mentioned summary from the U.S. Department of Health on this matter with the provider. Remember though, that while a practitioner, under HIPAA, can discuss treatment orders with a school nurse without obtaining authorization; the school nurse, under FERPA, must obtain parent consent in order to discuss student health concerns with the practitioner.

  1. What is "Directory Information"?

FERPA defines "directory information" as information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy, if disclosed. Typically, "directory information" includes information such as name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance. A school may disclose "directory information" to third parties without consent if it has given public notice of the types of information which it has designated as "directory information," the parent or eligible student has the right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information” has been published. The means of notification could include publication in various sources, including a newsletter, in a local newspaper, or in the student handbook. The school could also include the "directory information" notification as part of the general notification of rights under FERPA. The school does not have to notify a parent or eligible student individually (34 CFR § 99.37).

  1. Since most school health records are covered by FERPA, who can access this information without parental consent?

​Eligible students and parents of minor students have a right to see their records. (Eligible students are those that are at least 18 or those who are attending a postsecondary institution (34 C.F.R §99.3)). In general, parental consent is required for others to access information in students' health records. Below are some of the circumstances where consent is not required (See 20 USC. §1232g (b)-(j) and 34 C.F.R §99.31).

  • School officials, including teachers, that the school or district has determined to have "legitimate educational interests" (defined below).
  • In an emergency "if knowledge of the information is necessary to protect the health or safety of the student or other individuals" (See 34 C.F.R. §99.36(a)).
  • Instances of abuse or neglect.
  • Mandatory reporting of communicable diseases (please see below for exceptions).
  • Information that is required by a school to which the student is transferring.
  • Certain legal situations including subpoenas or investigations of criminal offenses.
  1. What is "legitimate educational interest"?

School officials can have access to only the education records necessary to carry out their job function. "In general, legitimate educational interest refers to the right of certain school officials to access student information and records for the purpose of (a) serving the student; (b) protecting the health, safety, and learning of this student and others; (c) maintaining operations of the school district; (d) obtaining payment for educational programs and services; and (e) other purposes as specified in federal and state law." Source: Schwab NC, Rubin M, Maire JA, Gelfman MHB, Bergren MD, Mazyck D, Hine B. (2005). Protecting and Disclosing Student Health Information: How to Develop School District Policies and Procedures. Kent, OH: American School Health Association. 8. Can a list of students' health issues be distributed to teachers or other staff? A school-wide health concerns distribution list violates FERPA and is not best practice. If school staff members need to be informed of a student's condition, that student requires an ECP (Emergency Care Plan) listing symptoms to be alert for and the required response to those symptoms. It is recommended that parents, as a part of the IHP (Individual Health Plan), participate in deciding who on staff requires identifiable health information for the child's safety. Staff members who are trusted with personally identifiable health information should receive training regarding their responsibility to safeguard that information. Nurses can ensure that confidentiality is respected by revealing only necessary health concerns and only to those individuals whose knowledge may affect the student's health. For example, individuals who have no contact with a particular student have no need to know that student's medical or mental health issues. Using the IHP as the vehicle to determine what information should be shared with specific staff members is not only more discrete but has the additional benefit of delivering more practical information to school employees that generally have limited medical knowledge. The best approach to handling this potential problem is to work with your school administration to draft medical information policies that are consistent with the requirements of both FERPA and the Montana Board of Nursing.

  1. If a school nurse maintains personal notes, are they part of the educational record and thus subject to FERPA?

No, but only if all of the following criteria are met:

  • the notes are kept only as a memory aid;
  • they remain in the sole possession of the writer;
  • they are shared with no one except a temporary substitute RN; and
  • they are not used to replace or avoid normal documentation.

      In general, personal notes are not recommended. Information related to health office visits should be documented in the student's individual record.
      Source: Schwab NC, Rubin M, Maire JA, Gelfman MHB, Bergren MD, Mazyck D, Hine B. (2005), Protecting and Disclosing Student Health Information:
      How to Develop School District Policies and Procedures, Kent, OH: American School Health Association.

  1. When can schools share health information with other agencies within their state?

The Family Policy Compliance Office of the U.S. Department of Education responded to this issue in a letter to University of New Mexico.

  • Abuse or neglect: School employees are required to report suspected abuse or neglect. FERPA does not override that responsibility.
  • Certain reportable diseases: Some communicable diseases require emergent reporting while other diseases represent a less imminent public health threat. For example, the Indiana State Department of Health has a Communicable Disease Rule that states the timeline for reporting certain medical conditions (410 IAC 1-2.3-47). If reporting must occur immediately or within 24 hours, the Family Policy Compliance Office of the U.S. Department of Education has determined that indicates "imminent danger." As such, those illnesses may be reported without obtaining consent. The diseases on the 72 Hour List do not pose imminent danger, so school officials must obtain consent before disclosing this information.
  • Concern that a student may hurt self or others: if someone is in imminent danger, no consent is required.
  • De-identified data: It is permissible to share health related data that does not contain information that makes the student's identity readily traceable. For example, the information released applies to at least 10 other students that could fit into the same group.
  1. What about immunization records?

This issue was discussed by the Family Policy Compliance Office of the U.S. Department of Education in a letter to the Department of Education in Alabama. Based on that response, we offer the following guidance. You can share immunization records with parents or with a school where the student is transferring without obtaining consent. However, before providing immunization records to an outside medical office or state Department of Health, you must get written consent. You can share deidentified data such as total number of students that are up-to-date, total number that require additional immunizations and total number that are exempt without obtaining consent. Please consult your school's attorney if further clarification is needed.

  1. What if I am concerned that a student might hurt themselves or someone else but I have no evidence?

If the school evaluates the information available at the time and feels that there is an "articulable and significant threat to the health or safety of students or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals." It is not necessary to first collect evidence before contacting those that can intervene to protect the student or others (34 C.F.R §99.36 (c)).

  1. Can school personnel talk to a student's healthcare provider without consent?

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record to outside parties, including providers. However, a school nurse may call a student's healthcare provider to clarify facts surrounding a student's condition or treatment plan. The physician's office may relay or clarify treatment orders to individuals involved in the treatment of that patient (e.g. school nurse) without obtaining authorization. The medical office may be hesitant to discuss any details without first getting signed authorization. Remember that both you and the healthcare provider are working in the best interests of the child. Respectful communication should allow both sides to find an acceptable plan so that you can obtain the necessary information. For further guidance regarding FERPA and HIPAA, please click here.

  1. One major misconception about FERPA

FERPA does not protect the confidentiality of information in general. FERPA prohibits the improper disclosure of information contained in the education record. FERPA does not apply to one's opinions or observations unless it is entered into the record. However, you must consider that the confidentiality of facts learned in the course of your nursing duties may be required by the virtue of your nursing license.