No, college student health services usually aren't covered entities because they generally don't handle the kinds of electronic transactions that would bring them under HIPAA.
What is a covered entity?
According to the NIH guidance on HIPAA’s Privacy Rule, covered entities are specific organizations that “...electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.”
HIPAA clearly defines "covered entities" in Section 160.103 as organizations including health plans, healthcare clearinghouses, and healthcare providers who handle insurance transactions electronically. This is the reason they are called covered entities: they're covered under the law's strict guidelines to safeguard sensitive patient information.
Complying with HIPAA isn't just a suggestion—it's an obligation. These entities handle personal details, and HIPAA ensures that this information is kept confidential and secure. If they fail to protect this data, the consequences can be severe.
Why college health services aren't covered entities
College health services often don't fall under the category of "covered entities" as defined by HIPAA, and here's why: To be considered a covered entity, a healthcare provider must conduct certain transactions electronically, like billing insurance electronically. Many college health centers operate differently. They might only provide health services to students without involving electronic transactions with health plans.
This setup means they aren't handling the type of electronic billing that HIPAA covers. Instead, these services often charge fees directly to student accounts or operate through prepaid student health fees, bypassing the need for electronic health plan transactions. Since they're not engaging in the specific activities HIPAA regulates, college health services typically aren't bound by its rules.
Does this mean student health data isn’t safe?
In the U.S., college health services are primarily regulated by the Family Educational Rights and Privacy Act (FERPA). FERPA focuses on keeping student education records private, which includes some health information. However, the security of this health data isn't always assured.
That is because colleges and universities are a favorite target for cyber attackers. According to Check Point Research (CPR), the Education/Research sector was hit hardest by cyber attacks, facing the highest monthly volume of attacks throughout 2021 and 2022. In July 2022 alone, this sector experienced more than double the number of weekly cyber attacks compared to the average across other industries.
This high risk of breaches is due in part to the extensive data schools handle and their collaboration with various third-party service providers, which can lead to potential security gaps. Implementing HIPAA-compliant email systems could be a game changer for college health services. These systems offer high-grade security measures, such as strong encryption and strict access controls, designed to protect sensitive health information.
FAQs
Can students request the same privacy protections as in a regular hospital?
While students can expect some level of privacy, the protections under FERPA are different and generally less stringent.
What happens to student health records after graduation?
Most colleges retain health records for a certain period as mandated by state laws or institutional policies, after which they may be securely destroyed.
Can students access their own health records at college?
Yes, FERPA grants students the right to access their educational records.