HIPAA, FERPA, and Student Health Records

Download PDF

Avoiding Liability Bulletin – February 2009

… As a result of confusion among health care professionals and school administrators throughout the country, the U.S. Department of Education and the U.S. Department of Health and Human Services have issued a joint guidance (November 2008) on the application of two federal acts – the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – to student health records. I have used the content of this written guidance, often “word for word,” quite liberally in this article so as to avoid inaccuracies. The intersection of these two laws has caused some confusion, primarily for school administrators, when faced with questions about the release of student health records to parents and/or to third parties. This article touches upon only some of the aspects of this rather complex subject matter.

FERPA protects the privacy of students’ “education records,” which term is defined broadly enough (e.g., records that are directly related to a student and maintained by an educational agency or institution or by one acting for the agency or institution) to include certain student health records. HIPAA, among other things, deals with the privacy of mental health records maintained by those mental health practitioners (and other “covered entities”) who are “covered providers” because they transmit health information in electronic form with respect to specified transactions related to insurance billing. The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA – that is, “education records.” (The HIPAA Privacy Rule also excludes “treatment records,” as defined in FERPA, from its coverage.)

These two federal laws intersect with each other when a school that is covered by FERPA (generally, educational institutions/agencies that receive funds from the U.S. Dept. of Education, such as virtually all public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools) provides health care to students in the normal course of business and conducts covered transactions electronically in connection with that health care.

One of the areas clarified by the joint guidance is whether the HIPAA Privacy Rule applies to elementary or secondary schools that maintain health records of students. Generally, the HIPAA Privacy Rule does not apply to these schools. This is typically so because the school is not a “covered entity,” or if a “covered entity,” the health information maintained on students is contained in records that are considered “education records” under FERPA, which are not subject to the HIPAA Privacy Rule. Also, elementary or secondary schools may employ mental health practitioners to provide therapy or counseling services to students, but if the school or the provider does not bill a health plan electronically for such services the school is not a “covered entity” under HIPAA.

A different example would be where a public high school employs a mental health practitioner that bills Medicaid electronically for services provided to a student under IDEA (Individuals with Disability Education Act). In that case, the school is a HIPAA “covered entity” and would be subject to HIPAA requirements concerning transactions, but would probably not be subject to the HIPAA Privacy Rule because the mental health information may be maintained in what is considered to be “education records,” as defined in FERPA. The school would then have to comply with the FERPA privacy requirements. (Private and religious schools at the elementary and secondary level generally do not receive funds from the U.S. Department of Education and are, therefore, not subject to FERPA.)

Some therapists or counselors may be employed at a university hospital. A question arises as to whether FERPA or HIPAA applies to the patient records maintained by the hospital affiliated with a university that is subject to FERPA. Since these hospitals typically provide health care services without regard to the person’s status as a student and not on behalf of the university, patient treatment records are subject to all of the HIPAA rules, including the Privacy Rule – assuming that the hospital is a “covered entity” (usually the case). These particular patient records would not ordinarily be considered “education records” or “treatment records” covered by FERPA. However, if the hospital runs the student health clinic on behalf of a university, the clinic records on students would be subject to FERPA and not subject to the HIPAA Privacy Rule.

Why is it important to know whether the HIPAA Privacy Rule applies, or the privacy requirements of FERPA, in any given situation? The rules regarding disclosure of student health records may differ between FERPA and the HIPAA Privacy Rule, depending upon the circumstances involved. Questions are likely to arise as to a student’s right to access (inspect or copy) his or her own records, both as a minor and as an adult. Additionally, parents may desire to access the health records of their minor children who are students (the HIPAA Privacy Rule essentially defers to state law with respect to the issue of a parent’s right to access the health care records of a minor patient). Finally, schools may be faced with requests by parents or the student that the student’s health records be sent to other health care providers or to “third parties.” In each situation, it is critical for the practitioner and the school to know which law applies.

I was able to access this thirteen-page document by “googling” the words “joint guidance on FERPA and HIPAA.” It can likely be accessed through the websites for either the U.S. Department of Education or the U.S. Department of Health and Human Services.


Richard Leslie

"At the Intersection of Law and Psychotherapy" Richard S. Leslie is an attorney who has practiced at the intersection of law and psychotherapy for the past twenty-five years. Most recently, he was a consultant to the American Association for Marriage and Family Therapy (AAMFT), where he worked with their various state divisions to develop and implement their legislative agendas. He also provided telephone consultation services to AAMFT members regarding legal and ethical issues confronting practitioners of diverse licensure nationwide. Additionally, he wrote articles regarding legal and ethical issues for their Family Therapy Magazine and presented at workshops on a variety of legal issues. Prior to his work with AAMFT, Richard was Legal Counsel to the California Association of Marriage and Family Therapists (CAMFT) for approximately twenty-two years. He was director of Government Relations for CAMFT, and as such was the architect of CAMFT’s widely regarded and successful legislative agenda. He represented CAMFT before the regulatory board (the Board of Behavioral Sciences) and was a tireless advocate for due process and fairness for licensees and applicants. He was a regular presenter at workshops and was consistently evaluated as CAMFT’s most highly rated presenter. He also sat with the CAMFT Ethics Committee and acted as their advisor on matters pertaining to the enforcement of ethical standards. Richard is an acknowledged expert on matters pertaining to the interrelationship between law and the practice of marriage and family therapy and psychotherapy. For many years, he taught Law and Ethics courses for a number of colleges and universities in their marriage and family therapy degree programs. While at CAMFT, he provided telephone consultation services with thousands of therapists in California and elsewhere for over twenty years. He is highly regarded for his judgment, his expertise, his direct style, and his clarity. Richard has been the driving force for many of the changes and additions to the laws of the State of California that affect MFTs. In 1980, he was primarily responsible for achieving passage of the "Freedom of Choice Law" that required insurance companies to pay for psychotherapy services performed by MFTs. Passage of that law allowed MFTs to earn a living, allowed them to better compete in the marketplace, and strengthened the profession in California by leading to a great increase in the number of licensees and CAMFT membership. Currently, about half of the licensed marriage and family therapists in the country are licensed in California. While at CAMFT, Richard was primarily responsible for, among other things, the successful effort to criminalize sex between a patient and a therapist. He was successful in extending the laws of psychotherapist-patient privilege to MFTs, thereby giving patients the same level of privacy protection as when seeing a psychiatrist or psychologist. He fought tirelessly and successfully for the right of MFTs to refer to themselves as "psychotherapists," to perform psychological testing services, to be appropriately reimbursed by California’s Victims of Crime Program, and to be employed in county mental health agencies throughout California. Richard was admitted to the Bar in New York (1969) and in California (1973). While practicing in New York, he served as a public defender, and later, as an Assistant District Attorney. Shortly after moving to California, he worked for the San Diego County Human Relations Commission as their Law and Justice Officer. While there, he worked successfully to achieve greater racial diversity in the criminal jury selection system and to expose and stop police abuse. For such work with that agency, he was the recipient of the Civil Libertarian of the Year Award by the San Diego Chapter of the American Civil Liberties Union.

Have Questions? click here, We’re happy to help!