Everything You've Always Wanted To Know About HIPAA And
FERPA
Author: Kristine Dunne
Consider this question. Say the mother of a 22-year-old student
that you have treated requests to see her daughter's medical
records. The Bursar's office confirms that the student is listed
as a dependent for tax purposes. There seems to be no urgent
reason for such a release and the student does not wish to give
her mother access. How would you protect the privacy of her
information?
Situations such as this one that require knowledge of privacy
laws to resolve successfully are all too common in the average
student health center, yet the acronyms HIPAA and FERPA tend to
strike fear into the hearts of the staunchest of college health
professionals. So much has been written anecdotally on the
subject of how complicated and unspecific these laws are that
some may be surprised to find that according to legal
professionals, the intersections between the laws are generally
clear-cut. This article aims to explain which laws apply to you
and what you can do to avoid the headaches that ensue from a
conflict between your principles as a care provider and the law.
Six golden rules of privacy law
* FERPA never applies to non-students
* FERPA only applies when the student's medical records are
released
* HIPAA doesn't apply to records covered by FERPA or to student
"treatment records"
* Even if you treat non-students, you're not bound by HIPAA
unless you perform electronic transactions.
* Student health and counseling centers that do perform
electronic transactions for non-students only have to abide by
HIPAA for those transactions.
* State laws are applicable whether or not other federal laws
apply
This is how these rules break down.
RULE 1: FERPA never applies to non-students
RULE 2: FERPA only applies when the student's medical records
are released
The Family Educational Rights and Privacy Act (FERPA) is the
older of the two federal privacy laws. Enacted in 1974, one
aspect of its governance is the privacy of educational records.
There is a popular myth circulating that student medical records
fall under FERPA's umbrella term "educational records". In
fact, FERPA specifically excludes the treatment records of
students in higher education from its definition of educational
records (see 20 U.S.C. § 1232g for a complete definition). It also
excludes employees of an educational institution if they are not
students. FERPA does come into play, but only if the records are
released to someone outside the health center, whether that is
the student, their parents, their professors, or another health
provider outside the university, at which point they become
"educational records" rather than treatment records.
It is important to note that it is not the request for the
release that brings FERPA into effect. Many student health
professionals believe that if a request to see the records is
made that is in accordance with FERPA guidelines, they have to
release them or be in violation of FERPA. Not so, says Kristine
Dunne, BA, EdM, JD, an associate at the Washington, D.C. office
of law firm Arent Fox, LLC.
"It's the release of the records that triggers FERPA," she
explains. "There are no rights extended under FERPA to those
medical records until such time as they have been made available
to someone other than the treating health professionals, at
which point the FERPA protections of student records kick in."
Applying this to the example at the beginning of the article,
if state law doesn't require you to release the student's
unreleased medical records to her mother, you are under no legal
obligation to do so without a court order. Similarly, even if
you think a professor may have a "legitimate educational
interest" in requesting a student's unreleased medical records,
you still don't have to release them.
FERPA is just one part of the puzzle, however. The Health
Insurance Portability and Accountability Act (HIPAA) of 1996 is
another relevant law that seeks to be the national privacy
standard in health care. It was updated in 2003 to take into
account the trend toward automation and electronic
record-keeping. These privacy guidelines have been well
publicized and generally uphold the kind of patient
confidentiality that most health care providers are comfortable
with. There has therefore been a widespread trend in health
centers to apply these standards to student medical records,
even where they are not legally required. It is important to
realize, however, that while HIPAA's principles of privacy and
confidentiality are excellent, in most cases compliance is not
required by law.
RULE 3: HIPAA doesn't apply to records covered by FERPA or to
student medical records which are made, maintained, or used only
in connection with the provision of treatment to the student,
and are not available to anyone other than persons providing
such treatment.
RULE 4: Even if you treat non-students, you're not bound by
HIPAA unless you transmit health care information in electronic
form in connection with the submission of claims for payment.
HIPAA's definition of protected health information (PHI)
specifically excludes education records covered by FERPA and the
treatment records of students in higher education as defined
above. Dunne explains that the goal of this exclusion is
simplification.
"If student medical records were subject to HIPAA, there would
be two completely different schemes – up until the health center
released the record, it would be governed by HIPAA, and when it
had been released it would be governed by FERPA," she says.
This was apparently considered unworkable by Congress, hence
the blanket exception that HIPAA makes for any kind of student
medical records. However, many student health and counseling
centers also treat non-students, and this is where it starts to
get a little bit trickier. To be considered a "covered entity"
(i.e., bound by HIPAA), your health center must electronically
transmit health information in connection with a "HIPAA
transaction". More detailed information on what constitutes a
HIPAA transaction can be found in a primer released by the
American Council on Education, but essentially it is any
administrative or financial task carried out in the course of
health care that transmits PHI. If you don't perform electronic
transactions, you don't have to comply with HIPAA.
RULE 5: Student health and counseling centers that do perform
electronic transactions for non-students only have to abide by
HIPAA for those transactions.
Usually, every transaction of a "covered entity" is bound by
HIPAA standards, even those that are not electronic
transactions. However, because of the intersection with FERPA,
these health centers are bound by HIPAA only for the
non-student transactions.
RULE 6: State laws are applicable whether or not other federal
laws apply
With all the fuss about HIPAA and FERPA, don't forget about
your state's laws concerning privacy. In some cases, state laws
are the only ones that will apply to student medical records,
but even where HIPAA or FERPA apply, state law is still
relevant. Despite the fact that HIPAA is a federal law, it bows
to state law in those cases where state law is more stringent.
Arent Fox Associate Richard Liner, BA, JD, MPH, elaborates:
"HIPAA has an enormous pre-emption problem because it sets a
floor and not a ceiling for health care privacy. Congress only
established a minimum for protecting patient information. If a
state's laws or regulations are more stringent than HIPAA in
their protection of patient health information, then covered
entities must follow state requirements."
This may conjure up ideas of conflicting laws, but Arent Fox
counsels that generally, state laws are more specific and will
very rarely conflict directly with HIPAA or FERPA. If more than
one law is applicable, generally the more stringent requirements
will apply. When in doubt, consult counsel before taking action.
Knowing the theory is one thing, but applying it can be a lot
more complicated. FERPA requires the student to give written,
dated permission before his or her student records information
is released – even to other health care providers outside the
university, which is a source of frustration for many. But the
same information can be released, unauthorized, to school
officials who have a "legitimate educational interest".
Similarly, FERPA allows unauthorized disclosure in an emergency,
if it is "necessary to protect the health or safety of the
student or other persons". Dunne counsels to rely on common
sense to interpret these terms, and to consult counsel early in
the process. No law can specifically cover every eventuality;
the burden of responsibility and interpretation must, through
necessity, rest on the care provider.
This responsibility weighs all the more heavily because schools
are concerned about penalties for breaching FERPA. If the Family
Policy Compliance Office (FPCO) found a pattern of violations of
FERPA with no obvious attempts to follow the guidelines, it
could result in a removal of federal funding. However, it is
important to know that individuals cannot be prosecuted for a
FERPA breach and individual students cannot sue for damages for
such a breach. Schools should carefully develop, implement and
maintain compliance oversight with regard to these important
privacy laws in order to prevent unlawful release of student
records. Likewise, if your school treats non-students, files
electronic claims and is bound by HIPAA for those transactions,
you should make sure that HIPAA protections are implemented,
even though a HIPAA violation may not – for now – result in a
fine being imposed. Liner explains:
"In the vast majority of cases where there's found to be a
violation of HIPAA, there is what's called an 'administrative
resolution', which generally means the mistake wasn't
intentional and the organization voluntarily agrees to take
appropriate remedial action."
No civil fines for violations of HIPAA have been imposed so
far, although Liner warns that this is likely to change soon.
Although information on the triumvirate of privacy laws has
always been available to those who know where to look for it,
there is also a wealth of partial and incorrect information
available on the Internet that has muddied the waters for those
health professionals attempting to do a little research on the
laws that apply to them. Dunne and Liner counsel that you should
speak to a professional who knows the law in your state and the
ins and outs of FERPA and HIPAA if you are worried about
misinterpretation of the law. Even if you know the basics, state
laws vary greatly and knowing the details of how the three laws
intersect will allow you the greatest leeway to interpret them
in a way that is consistent with your ethics.
"It is complicated," sympathizes Liner. "Talk to the privacy
officer within the university, if there is one. There are also a
few government Web sites that are really good in terms of
user-friendly guidance to help people navigate through the more
basic pitfalls." For instance, the Office of Civil Rights, the
enforcement agency for the HIPAA privacy standards, offers
tremendously helpful information and FAQs on its Web site.
"Consult with your legal counsel to ensure you're interpreting
and applying the law correctly," adds Dunne. "And be clear to
those who use student health center services, especially
students, about the laws that apply."
About The Author: Kristine Dunne, BA, EdM, JD, and Richard
Liner, BA, JD, MPH, are associates at the Washington, D.C. office
of law firm Arent Fox, LLC. This article appeared previously in
NuesoftXpress (http://www.nuesoftxpress.com).
