Agencies Update Guidance On HIPAA Health Care & FERPA/IDEA Educational Privacy Rule Interplay

Public and private educational institutions, their administration, students and parents and health care providers, health plans, and others dealing with student health and safety concerns will want to review updated joint guidance published by the Office for Civil Rights at the U.S. Department of Health and Human Services and the U.S. Department of Education about their shared understanding about the interaction and application of the  educational privacy and records access rights of the Family Educational Rights and Privacy Act (FERPA), the educational disability privacy and confidentiality rules of the  Individuals with Disabilities Education Act (IDEA) and the health information privacy and protections Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students.

The newly released 2019 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (“Guidance”) updates and expands on prior joint guidance jointly published by the agencies in 2008.  Intended to help school administrators, health care professionals, families, and others understand how FERPA, the IDEA and HIPAA apply to education and health records maintained about students, the Guidance updates and expands upon prior guidance in place since November, 2008.   In keeping with the Trump Administrator’s broader prioritization of addressing school and other mental health and safety concerns, the Guidance also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially those related to emergency health or safety situations.

FERPA & HIPAA Generally

The previous and new Guidance addresses the intersection and interrelationship between FERPA’s rules on the confidentiality and access rights for “educational records” applicable to educational institutions and the HIPAA confidentiality, security, and access and other requirements applicable to the use, access, protection and disclosure of ‘protected health information” by health care providers, health plans, health care clearinghouses and their business associates.  Individuals with Disabilities Education Act (IDEA), also are covered as education records under both FERPA and IDEA. IDEA includes confidentiality provisions that are similar to, but broader than, FERPA to protect the privacy of PII in the early intervention or education records of children referred to the IDEA. See 20 U.S.C. §1417(c) and for children ages 3 through 21 the IDEA Part B regulations at 34 CFR §§ 300.610­ 300.626 and for children with disabilities under the age of three the IDEA Part C regulations at 34 CFR §§ 303.400 – 303.416.  Since educational records covered by FERPA and the IDEA often include various diagnostic, medical or other records that in the hands of a health care provider, health plan, or health care clearinghouse generally are protected health information and schools provide certain diagnosis, screening, care and other services through nurses or other professional medical staff that would be considered health care providers in other contexts, confusion about how the two sets of rules interplay are common.

HIPAA Privacy Rule May Apply To Private Schools Under Certain Circumstances

Generally, the agencies continue their position that public schools generally are not subject to HIPAA.  However, the new Guidance clarifies that private schools may be subject to HIPAA in certain situations.  In this respect, the Guidance states that in most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either:

  • Is not a HIPAA covered entity; or
  • Is a HIPAA covered entity but maintains health information only on students in records that are “education records” under FERPA and, therefore, not PHI covered by the HIPAA Privacy Rule.

However, the Guidance now clarifies that a private school that are exempt from FERPA because they don’t receive any federal funds could be required under certain circumstances to comply with the HIPAA transaction requirements and HIPAA Privacy, Security, Breach Notification and Enforcement Rules if the school for example employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity).

Likewise, the Guidance clarifies that when a student is placed in a private school for the provision of Individualized Education Program (IEP) services on behalf of a school or school district subject to FERPA, the education records of the privately placed student maintained by the private school are subject both to FERPA and to the confidentiality requirements under the IDEA, which incorporate the provisions of FERPA, and not the HIPAA Privacy Rule. The Guidance also states that the U.S. Department of Education is in the process of preparing a Notice of Proposed Rulemaking to amend the FERPA regulations to add this provision and will provide an opportunity for the public to comment on this proposed amendment.

Other Additions & Clarifications

While generally continuing their original position of treating at least public educational institutions as subject to FERPA and the IDEA, but exempt from HIPAA in most circumstances, the new Guidance also clarifies and on their original interpretations regarding the interactions and workings of FERPA and the IDEA with HIPAA in various other respects.  As part of these changes, the new Guidance incorporates additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule.  New clarifications and examples address:

  • When can protected health information (PHI) or personally identifiable information from an education record (PII) be shared with the parent of an adult student?
  • What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?
  • Does HIPAA allow a covered health care provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?
  • When can PHI or PII be shared about a student who presents a danger to self or others?
  • Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
  • Does FERPA permit an educational agency or institution to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?

While the agencies state the new Guidance is intended “to help address potential confusion on the part of school administrators, health care professionals, and others on how FERPA and HIPAA apply to records maintained on students, like the predecessor 2008 guidance, the new Guidance states it “does not have the force and effect of law and is not meant to bind the public in any way. Instead, it is intended only to provide clarity to the public regarding existing requirements under the law or agency policies.” “Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said U.S. Secretary of Education Betsy DeVos.  “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, public and private primary, secondary, and other educational institutions, and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has recurrently worked extensively with public school districts and public and private primary and secondary schools, colleges and universities, academic medical, and other educational institutions, insured and self-insured health plans; domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, employers; and federal and state legislative, regulatory, investigatory and enforcement bodies and agencies on health care, education, and other data privacy, security, use, protection and disclosure; disability and other educational rights; workforce, and a host of other risk management and compliance concerns.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: