HIPAA vs FERPA: Which do you have to follow?

People’s private information is quickly becoming a best seller on the black market. Data like medical records can be used to assume a person’s identity and potentially ruin their lives. And this isn’t just happening to adults — kids are being targeted too.

In 2018, education organizations experienced 122 data breaches. In one case, an online charter school’s data leak left its database open to the public for eight days. Almost 7 million student records were exposed in the leak, including children’s names and email addresses.

Everyone wants to keep children safe and protect their private information. But how exactly do you safeguard personal data? Multiple federal laws protect personal health data. If your organization deals with this type of data, which laws do you need to follow?

Let’s examine two federal laws, HIPAA and FERPA, to see if they apply to your organization.

HIPAA vs FERPA: What’s the difference?

HIPAA and FERPA are both federal laws that regulate how data can be disclosed. Although they differ in technical ways, each one requires that organizations protect private information and give the (adult) person control over their own records.

Even though HIPAA and FERPA are similar, they don’t apply to the same businesses.

What does HIPAA cover?

HIPAA, or the Health Insurance Portability and Accountability Act, covers businesses that focus on healthcare information. These include healthcare providers, health plans, and healthcare data clearinghouses. HIPAA deals with all personally identifiable information about a patient stored by an organization. The basics of HIPAA require these businesses to:

  • Protect patient data. HIPAA-covered entities need to limit access to personal health information (PHI). The only individuals with access should be the patient, those providing care, and people the patient allows to access their PHI, such as family members.
  • Keep patient information secure. Online data should be encrypted and have appropriate security measures in place. Physical records should be locked away when not in use.
  • Allow patients to review their records upon request. This means you have to store all patient information in case they request it.

If your business is covered by HIPAA, then you need to comply with its regulations. Fines for HIPAA breaches can reach into the millions of dollars.

HIPAA does apply to children’s medical records, but it doesn’t apply if those records are stored by a school. That’s where FERPA comes into play.

What is FERPA, and what does it cover?

FERPA, or the Family Educational Rights and Privacy Act, applies to schools and postsecondary institutions. It covers both public and private schools. FERPA regulates student records, which include medical care given to a student at school. FERPA requires that schools:

  • Give legal guardians control over a student’s information until the student is 18 or starts their postsecondary education. You must get permission before you share information with an outside party. Even legal guardians of the student need permission once the student is 18.
  • Protect all information contained in a student’s record. This includes a student’s grades, disciplinary records, personal information, and medical records.
  • Understand who FERPA applies to. FERPA covers both current and previous students of the school. It doesn’t cover others that you may treat at your school.

FERPA breaches also carry heavy penalties. Violating FERPA can put your educational organization at risk of losing federal funding. It also brings bad PR for your school.

HIPAA and FERPA compliance takes planning

HIPAA and FERPA are similar, but the legal technicalities involved can trip you up. Thankfully, only one of them will apply to you depending on the situation. Creating policies that handle both HIPAA and FERPA will keep your organization safe no matter what happens. How can you comply with both HIPAA and FERPA?

  • Figure out what law will usually apply to you. Are you a HIPAA-covered entity or a school? Once you know how to categorize your patients, you can determine which law applies.
  • Research state privacy laws. If your state’s law is stricter than HIPAA or FERPA, then state law supersedes federal law.
  • Consult legal counsel. An attorney can help you craft policies that comply with HIPAA and FERPA.
  • Create policies for your organization. Having a standard way to handle patient information prevents mistakes from happening.
  • Train your staff on FERPA or HIPAA compliance. Employees should know how to handle data and what release forms need to be signed before information is disclosed.
  • If your organization is a school, keep in mind that FERPA doesn’t apply to nonstudents. If you treat individuals who aren’t students, then HIPAA applies to their information.

HIPAA and FERPA are both important safeguards when it comes to protecting information and people. Following these laws protects both your patients and your organization.

HIPAA and FERPA keep your organization and patients safe

Hackers are always looking for private information. Thankfully, federal law can provide a solid basis for guarding your patient data. By knowing HIPAA, FERPA, and how to follow them, you can keep your patients and your business safe. However, there’s more to legal compliance. If your business needs to follow HIPAA standards, then you also have to use HIPAA-compliant forms. At JotForm, our online forms are easy for patients to use and keep their data secure.

Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA.
