Frequently Asked Questions
How does the HIPAA Privacy Rule apply to schools?
Q. Can a school or school system be a covered
entity under HIPAA?
Yes. A school or school system is a covered entity
if it (or any member of its workforce) is a health
plan, a health care clearinghouse, or a health care
provider that transmits health information electronically
in connection with a HIPAA transaction.
Q. Is a school that is covered by FERPA exempt
from HIPAA?
No. A school that is covered by FERPA may also be
a covered entity under HIPAA, if it is a health plan,
a health care clearinghouse, or a health care provider
that transmits health information electronically in
connection with a HIPAA transaction.
Q. Following up on the previous question: If
a school covered by FERPA can also be covered by HIPAA,
what does the FERPA exemption in the HIPAA regulations
mean?
There is no FERPA exemption to the HIPAA regulations.
Rather, there is an exception to the definition of
protected health information for education records
that are covered by FERPA. This means that, in a school
that is covered by both FERPA and HIPAA, the HIPAA
requirements regarding protected health information
do not apply to education records covered by FERPA.
(Note, however, that the HIPAA requirements regarding
protected health information do apply to any individually
identifiable health information in the school that
is not an education record under FERPA.)
Q. Can a school (or school system) that is
a covered entity designate itself a hybrid entity? If
it can and does, what are the implications?
Yes, a school or school system can be a hybrid entity,
because schools carry out many functions that are
not covered functions. A school or school system that
determines it is a hybrid entity must designate its
health care component(s). Only the health care component(s)
are required to comply with the privacy rule. A hybrid
entity must ensure that the health care component(s)
does not disclose PHI to any other component in any
way that would not be permitted by the privacy rule
if the two components were separate legal entities.
Further, the hybrid entity must ensure that any workforce
member who performs duties for both the health care
component(s) and other components does not use or
disclose PHI in the performance of duties for the
other components in any way that violates the privacy
rule.
Q. Are school nurses covered entities?
A school nurse may be a covered entity, if the nurse
is (1) a health care provider (2) who transmits health
information electronically in connection with a HIPAA
transaction. The nurse must meet both parts of this
test to meet HIPAA’s definition of covered entity.
If the nurse is a health care provider but does not
transmit health information electronically in connection
with a HIPAA transaction, the nurse does not meet
the definition. A school nurse may also be covered
by HIPAA if the nurse is a member of the workforce
of a covered entity.
This question is often asked about others who provide
health care in the schools, such as physical or occupational
therapists. The same analysis would apply. If the
health care provider transmits health information
in connection with a HIPAA transaction, the provider
meets HIPAA’s definition of covered entity.
Q. Suppose a school nurse is employed by a
local health department, rather than the school. The
nurse provides health care in the school but there are
no electronic HIPAA transactions associated with that
care. The school is not a covered entity, but the health
department is. Are the school nurse’s activities
in the school nevertheless subject to HIPAA, since she
is an employee of a covered entity?
It is unclear whether a nurse in this situation is
a member of the workforce of the health department,
the school, or both. In the absence of guidance from
HHS on this issue, it is probably safest to assume
that a school nurse in this situation might bring
her employer’s HIPAA obligations into the school.
Health departments that employ school nurses could
avoid this result by designating themselves hybrid
entities and excluding the school nursing program
from the health care component.
Q. The definition of PHI excludes both education
records covered by FERPA, and records described at 20
U.S.C. 1232g(a)(4)(B)(iv) (treatment records of older
students that are disclosed only to another health care
provider at the student’s request). Given those
exclusions, could a school that is a covered entity,
but also subject to FERPA, ever have any information
that meets the definition of PHI?
Yes. Individually identifiable health information
that does not fit within one of the exclusions (or
the exclusion for employment records) would meet the
definition of PHI for a school that is a covered entity.
For example, FERPA’s definition of “education
record” specifically excludes sole possession
notes—that is, notes made by a member of the
school’s staff that are not accessible or revealed
to any other person except a substitute. If a staff
member’s sole possession notes included individually
identifiable health information, the notes would be
PHI, since they are not part of an education record
covered by FERPA. Oral communications of individually
identifiable health information that are not included
in an education record covered by FERPA would also
be PHI.
Q. In a school that is a covered entity, are
a school nurse’s sole possession notes subject
to HIPAA or FERPA?
If the nurse’s notes are not accessible or
revealed to any other person except a substitute,
they are specifically excepted from the definition
of “education record” in FERPA. Since they
are not education records covered by FERPA, they are
PHI and are subject to HIPAA. A school could avoid this
result by designating itself a hybrid entity and excluding
the school nurse from its health care component. However,
the school nurse could not be excluded from the health
care component if the care she provides is associated
with health information that is transmitted electronically
in connection with a HIPAA transaction.
Q. Suppose a school that is a covered entity
has no PHI—all its individually identifiable health
information is maintained in education records covered
by FERPA. Must the school appoint a privacy official and
comply with all the administrative requirements in section
164.530 of the privacy rule?
There is no stated exception to the administrative
requirements for covered entities that do not have
PHI. However, the touchstone of the rule is reasonableness
and to require a covered entity with no PHI to comply
with many, if not all, of the administrative requirements
would seem unreasonable. For example, the entity would
be required to develop policies and procedures with
respect to PHI—but there is no PHI. The workforce
would have to be trained in those policies and procedures—but
there would be no policies and procedures. It may
be reasonable, however, for a school that is a covered
entity to have a privacy official who is responsible
for monitoring the status of health information in
the school and to ensure privacy rule compliance in
the event that something changes and the school begins
to have PHI. We hope that HHS will provide guidance
on this issue for schools that are covered entities.