Does HIPAA apply to schools and educational institutions?

Schools have a lot of information to manage. There’s plenty of data they have to collect and store for legal reasons — such as student records, financial accounts, and employee credentials. 

However, there’s also information that doesn’t fall into a neat legal category. For instance, if a student is examined by an onsite doctor or receives a vaccination from a school nurse, is that health data protected by HIPAA or FERPA? Let’s discover whether HIPAA applies to student health information and learn how schools can keep their students’ health information compliant. 

When are schools subject to HIPAA’s data-protection requirements? 

HIPAA protects personal health information (PHI) held by a covered entity. But when it comes to schools and educational institutions, another personal data law supersedes HIPAA — the Family Educational Rights and Privacy Act (FERPA).  

HIPAA and FERPA both protect personal data, but they protect different types of data. While HIPAA protects only PHI, FERPA protects all information held in a student’s record. From grades to disciplinary action, any information stored in a student record falls under FERPA.

Even though HIPAA protects health data, it doesn’t apply to health data stored in a student record. This means that most schools aren’t subject to HIPAA’s data privacy requirements. However, there are special cases where FERPA doesn’t apply to a school or its students’ records.      

FERPA applies only to schools that receive federal funding — so FERPA doesn’t shield private schools from HIPAA’s data-protection requirements. Although HIPAA doesn’t cover every private school, these institutions are more likely to be subject to HIPAA.  

Also, keep in mind that FERPA only protects student information; it doesn’t cover your employees’ information. Therefore, if your school’s health services provide care to your employees or other non-students, that data is likely protected by HIPAA. 

This explanation can make HIPAA compliance seem fairly simple. If you’re under FERPA, you don’t deal with HIPAA. Otherwise, you follow HIPAA’s data-protection requirements. That’s not the end of your HIPAA compliance, though. Whether or not you’re subject to HIPAA’s data-protection requirements, your school could be subject to HIPAA’s other requirements.    

If your school is a covered entity, you may also be subject to HIPAA’s coding regulations

Everything we’ve discussed so far has to do with HIPAA’s personal data protection regulation. However, there are other HIPAA requirements that FERPA doesn’t supersede — namely, HIPAA’s electronic transaction and code requirements.

These regulations apply to organizations deemed covered entities. To be considered a covered entity, you must complete healthcare transactions electronically — for instance, billing a health plan for treatment you’ve given a student would make your school a covered entity.  

In addition, to be a covered entity, your school must employ the organization or people providing treatment. A pharmacist who provides vaccinations on school grounds but isn’t your employee doesn’t make your school a HIPAA-covered entity. 

Public schools and universities are subject to FERPA’s data regulations, and that impacts how HIPAA is applied. This means that schools have to meet specific requirements to be HIPAA compliant. 

How do schools follow HIPAA regulations?

A teacher uses video conferencing to help a student.

Each situation is different, and you may fall under different laws depending on your circumstances. In general, if your school is under FERPA but is still a HIPAA-covered entity, then you follow FERPA for your student’s health information and HIPAA for electronic transactions. How do you do that?   

  • Consult a legal expert to see which laws apply in your case. You may discover that you don’t count as a HIPAA-covered entity or that the healthcare services you provide require you to follow certain legal regulations.   
  • If you are a covered entity, comply with the HIPAA transactions, code sets, and identifier rules. These rules require you to use HIPAA’s standard format for coding electronic claims, and they simplify healthcare transactions.  
  • Follow FERPA’s information regulations. This includes restricting access to your students’ educational records, notifying them if you will include them in your school directory, and allowing them to opt out. 
  • If you are subject to HIPAA’s privacy rule, protect any information that’s considered PHI. This includes using secure channels that encrypt data to receive and send PHI. For instance, JotForm’s HIPAA-compliant online forms automatically encrypt sensitive data so patients can safely send their PHI to healthcare providers.   

Your school handles a lot of sensitive information, and it can be difficult to keep track of the proper ways to make this data legally compliant. But if you know when HIPAA applies to your school — and when it doesn’t — you’ll be able to handle your students’ health data securely and legally.       

School’s out, but HIPAA’s in

Your educational institution needs important personal information to perform essential functions, but you also have to protect this data. By following the right federal law for your situation, you’ll keep your students’ data and your organization safe. 

However, it can be a challenge to get the information you need from students and faculty. At JotForm, we can help you collect the sensitive information your school requires. From creating admission forms to course evaluations, you can tailor our secure online forms to whatever your organization needs. We also offer discounts for educational institutions. Contact us today to learn more.

Teacher, sister, mother and ass-kicker. Experienced teacher with a digital twist. Outside the classroom? She lives on the dojo.

Send Comment:

JotForm Avatar

Comments:

Podo CommentBe the first to comment.