People’s private information is quickly becoming a best seller on the black market. Data like medical records can be used to assume a person’s identity and potentially ruin their lives. And this isn’t just happening to adults — kids are being targeted too.
In 2018, education organizations experienced 122 data breaches. In one case, an online charter school’s data leak left their database open to the public for eight days. Almost 7 million student records were exposed in the leak, including children’s names and email addresses.
Everyone wants to keep children safe and protect their private information. But how exactly do you safeguard personal data? Multiple federal laws protect personal health records. If your organization deals with this type of data, which laws do you need to follow?
Let’s examine two federal laws, HIPAA and FERPA, to see if they apply to your organization.
FERPA vs HIPAA: What’s the difference?
FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act) are both federal laws that protect sensitive information, but they apply to different areas.
FERPA focuses on safeguarding the privacy of students’ education records and applies to schools, colleges, and universities that receive federal funding. HIPAA, by contrast, is designed to protect the privacy and security of individuals’ health information and applies to healthcare providers, insurers, and organizations that handle medical data. While FERPA governs education records, including health information stored by schools, HIPAA governs medical records and health-related data outside of the educational context.
What is HIPAA, and what does it cover?
The Health Insurance Portability and Accountability Act, or HIPAA, was established in 1996 and most notably includes the Privacy Rule, which establishes a set of national standards intended to protect certain health information.
However, “most people think HIPAA is only about privacy, but it’s more than that,” says Michael Arrigo, CEO of No World Borders, a company that specializes in healthcare data, regulations, and economics. Arrigo serves as an expert witness in privacy breach litigation involving HIPAA, FERPA, and other privacy standards.
Arrigo notes that HIPAA was actually intended to accomplish three things: improve the portability and accountability of health insurance coverage for employees between jobs; combat waste, fraud, and abuse in health insurance and health care delivery; and promote the use of medical savings accounts. Notably, HIPAA has been updated over the years to include regulatory additions such as the Privacy Rule (2003), Security Rule (2005), Breach Notification Rule (2009), and Omnibus Final Rule (2013).
HIPAA applies to covered entities (organizations or individuals that electronically transmit health information) and to any business associates they use to carry out their healthcare activities and functions.
Covered entities generally fall under one of three categories:
- Healthcare providers. Examples include doctors, clinic staff, psychologists, nursing home staff, and pharmacists.
- Health plans. Examples include health insurance companies, HMOs, and government programs such as Medicare and Medicaid.
- Healthcare clearinghouses. These are entities that process nonstandard health information they receive from another entity into a standardized format; examples include billing services and repricing companies.
The basics of HIPAA typically require these businesses to
- Protect patient data. HIPAA-covered entities are typically required to limit access to protected health information (PHI) to the minimum necessary. Access to PHI is generally limited to the patient, those providing care, and people the patient allows to access their PHI, such as family members.
- Keep patient information secure. Electronic data should generally be protected by encryption or an equivalent security measure, and physical records should be secured when not in use.
- Allow patients to review their records upon request. This means you have to retain all patient information so that it is available if a patient asks for it.
If your business is covered by HIPAA, then you are responsible for complying with its regulations. Fines for HIPAA breaches can reach into the millions of dollars.
What does protected health information (PHI) include?
PHI is health information that can be used to identify an individual. Information is individually identifiable if it includes any of the following 18 data points:
- Name
- Address
- Dates (including birth date, admission date, date of death, etc.)
- Telephone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifier
- Full-face photographic image
- Any other unique identifying number, characteristic, or code
In which cases may PHI be disclosed?
Arrigo notes that HIPAA doesn’t require entities to keep everything private. “There are instances where it is permissible to share health information without consent.”
Some permissible instances include
- Treatment. Healthcare providers may share health information with other providers or third parties while providing, coordinating, or managing care; consulting with other providers about care; or referring a patient to another provider.
- Payment. Healthcare providers may also share health information to obtain payment or be reimbursed for their services. Health plans may do the same to obtain premiums, fulfill their coverage responsibilities, and provide benefits under the plan. Payment activities may include billing and collection, risk adjustments, and review of healthcare services to justify charges.
- Healthcare operations. Covered entities may share health information as part of certain administrative, financial, legal, and quality improvement activities required to run their businesses and support core functions of treatment and payment. These activities may include evaluating provider and health plan performance, training healthcare professionals, credentialing, and so on.
What are some examples of HIPAA violations?
One example of a HIPAA violation would be if a nurse looked up the medical records of a neighbor upon seeing her arrive at the hospital. If the nurse’s only motivation for doing so was sheer curiosity as to the reason for her visit, this would clearly be an instance of the nurse abusing her station — and a violation of the neighbor’s privacy. Then, say she takes the situation even further and shares that information with some close friends via social media, and the neighbor learns about it.
“Does this constitute a HIPAA violation? Absolutely,” says Arrigo. “The nurse was not directly involved in the patient’s care, so she had no reasonable justification for investigating her medical record. Then there’s the issue of sharing that information with unauthorized parties. Both the nurse and the hospital — a covered entity under HIPAA — would certainly be subject to litigation by the patient.”
Arrigo adds that the consequences of this violation may vary based on what can be proven in legal proceedings. “If the nurse was proven to have malicious intent, she’d likely be immediately terminated and face punishment by the board of nursing. Without that proof, she may face some other form of disciplinary action.”
Consider another example concerning an insurance company — also a covered entity. The company regularly conducts internal audits of its privacy and security infrastructure, including its computer systems, policies, and procedures. It hires a third party to perform a more extensive, objective audit, which reveals a number of weak points that open the company and its employees to HIPAA violations.
“Though the company and its employees have yet to violate HIPAA directly, not addressing the identified weak points could open them up to liability,” Arrigo explains. “Some entities think they can avoid this situation by simply not conducting audits; however, regular audits are required under HIPAA.”
What is FERPA, and what does it cover?
The Family Educational Rights and Privacy Act, or FERPA, is a federal law that protects the privacy of students’ education records. It applies to both public and private schools and to postsecondary institutions.
FERPA is sometimes referred to as the Buckley Amendment after its principal sponsor Senator James Buckley. The act was originally offered as an amendment to a bill extending the Elementary and Secondary Education Act of 1965. FERPA has been amended 11 times since its enactment to recognize new situations where personally identifiable information, or PII, in education records can be disclosed without parental or student consent.
The act regulates student records, which include records of medical care given to a student at school. In a sense, FERPA is the “HIPAA” for privacy violations in schools. (HIPAA does apply to children’s medical records, but not when those records are stored by a school; that’s where FERPA comes into play.) FERPA requires that schools:
- Give legal guardians control over a student’s information until the student is 18 or starts their postsecondary education. You must get permission before you share information with an outside party. Even legal guardians of the student need permission once the student is 18.
- Protect all information contained in a student’s record. This includes a student’s grades, education records, disciplinary records, personal information, and medical records.
- Understand who FERPA applies to. FERPA covers both current and former students of the school. It doesn’t cover other individuals you may treat at your school.
What are permitted disclosures under FERPA?
There are several instances where a school is allowed to disclose information from a student’s education record without proper consent. A school may disclose to:
- School officials who have legitimate educational interest
- Other schools to which a student is transferring
- Specified officials for audit or evaluation purposes
- Appropriate parties in connection with financial aid to a student
- Organizations conducting certain studies for or on behalf of the school
- Accrediting organizations
- Specified parties to comply with a judicial order or lawfully issued subpoena
- Appropriate officials in cases of health and safety emergencies
- State and local authorities, within a juvenile justice system, under specific state law
- Certain parties or publications, for general “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance; however, schools must alert parents and eligible students and allow them a reasonable amount of time to opt out of this disclosure
What are some examples of FERPA violations?
FERPA violations aren’t always clear cut. For example, say a student at a prestigious university seeks on-campus counseling to cope with suicidal thoughts. After speaking with the counselor and admitting her ideations, the student later finds out that the counselor informed her parents of what she shared — against her express request to not inform them. Not only did the news reach her parents, but the disclosure was also mentioned in a public article.
“To understand whether the disclosure was a FERPA violation requires answering a number of questions,” says Arrigo. “Was there a duty to protect? If so, was the best way to protect her to notify her parents? Is the university considered a covered entity, in which case HIPAA might apply instead? Such a case requires in-depth analysis to arrive at an appropriate conclusion on whether a violation occurred.”
Arrigo puts forth another university-centered example. In this case, the student — who attends a state university — also seeks help from an on-campus therapist. She informed the therapist that she had been sexually assaulted by another student and was pursuing charges. The therapist then shares this information with university officials.
The disclosure received “widespread criticism because it appeared that the university was protecting itself rather than sharing records because she or the assaulter was a perceived danger to someone,” Arrigo explains. “After all, who on campus staff can request access to a student’s mental health records, and in what circumstances would that apply, aside from the student being a danger to others?”
As in the previous example, Arrigo notes, there are questions to answer to determine whether FERPA was violated:
- Is the university a HIPAA covered entity?
- Was there imminent harm to others by the counseled student or the assaulter?
- Did law enforcement request the information to apprehend or prosecute the assaulter?
FERPA breaches also carry heavy penalties. Violating FERPA can put your educational organization at risk of losing federal funding. It also generates bad PR for your school.
How do HIPAA and FERPA intersect?
“One of the key tenets that underscore both HIPAA and FERPA is that you can never share protected information unless it falls under a permissible purpose or legitimate interest,” says Arrigo.
In addition, conducting regular assessments not only identifies weak points, whether in the technology, the security measures, or your policies and procedures, but also helps you remediate them. “Otherwise, you risk litigation down the line,” Arrigo explains.
Of course, not every organization has the same resources or capabilities to remedy every issue or vulnerability. “In these cases, you need to develop a priority scheme asking two key questions: Which violation events are the most likely to occur? Which events have the least likelihood of you detecting or identifying them when they occur?”
HIPAA and FERPA compliance takes planning
HIPAA and FERPA are similar, but the legal technicalities involved can trip you up. Thankfully, only one of them will apply to you depending on the situation. Creating policies that handle both HIPAA and FERPA will keep your organization safe no matter what happens. How can you comply with both HIPAA and FERPA?
- Figure out what law will usually apply to you. Are you a HIPAA-covered entity or a school? Once you know how to categorize your patients, you can determine which law applies.
- Research state privacy laws. If your state’s law is stricter than HIPAA or FERPA, then the stricter state law applies.
- Consult legal counsel. An attorney can help you craft policies that comply with HIPAA and FERPA.
- Create policies for your organization. Having a standard way to handle patient information prevents mistakes from happening.
- Train your staff on the practices that support FERPA or HIPAA compliance. Employees should know how to handle data and which release forms need to be signed before information is disclosed.
- If your organization is a school, keep in mind that FERPA doesn’t apply to nonstudents. If you treat individuals who aren’t students, then HIPAA applies to their information.
HIPAA and FERPA are both important safeguards when it comes to protecting information and people. Following these laws protects both your patients and your organization.
HIPAA and FERPA keep your organization and patients safe
Hackers are always looking for private information. Thankfully, federal law can provide a solid basis for guarding your patient data. By knowing HIPAA, FERPA, and how to follow them, you can keep your patients and your business safe.
However, there’s more to legal compliance. If your business needs to follow HIPAA standards, then you also have to use HIPAA-friendly forms. At Jotform, our online forms are easy for patients to use and keep their data secure.