Paubox blog: HIPAA compliant email made easy

Does HIPAA apply to Individualized Education Programs (IEPs) or 504 Plans?

Written by Kirsten Peremore | July 03, 2024

HIPAA usually does not apply to Individualized Education Programs (IEPs) or 504 Plans. This is because schools that handle IEPs or 504 Plans often do not fall under the types of organizations HIPAA regulates, such as healthcare providers or insurance companies. 

 

What are Individualized Education Programs (IEPs) or 504 Plans?

IEPs and 504 Plans are special tools used in schools to help students who have disabilities. The Cystic Fibrosis Foundation provides that an IEP "... can be used for students whose health conditions, or other factors, have caused a need for specialized instruction." It sets out specific goals for the student and outlines the services that the school will provide to help them achieve these goals. This plan is developed by a team that includes teachers, parents, and other school staff, and it's reviewed at least once a year to make adjustments if needed.

The same article defines 504 plans as plans "... used for students who need accommodations to access their education the same as their peers." This could include things like wheelchair ramps, the ability to take extra time on tests, or the provision of specific seating arrangements. A 504 Plan helps to remove barriers for students with disabilities, ensuring they have the same access to education as their peers.

See also: Promoting mental health in schools with HIPAA compliant emails

 

Why HIPAA does not apply to IEPs and 504 Plans

The primary reason why HIPAA does not typically apply to IEPs and 504 Plans is that schools and educational institutions are generally not considered covered entities under HIPAA. These educational documents, including any health information they contain, are managed by schools and fall outside HIPAA's scope.

Reasons IEPs and 504 Plans are generally not under HIPAA:

  • Schools are not healthcare providers, and the services they offer are educational rather than medical. Even if schools employ nurses or health professionals, the primary purpose of the school is education, not healthcare.
  • The health-related information in IEPs and 504 Plans is considered part of the student's educational record. HIPAA explicitly excludes education records covered by FERPA, another federal law that protects the privacy of student education records.

Exceptions where HIPAA might apply:

  1. Schools as providers: In instances where a school offers services that could be considered healthcare and that involve transactions covered by HIPAA (such as billing to health insurance), the specific records related to those transactions might be subject to HIPAA. However, these instances are rare and typically involve separate records from those used for educational purposes like IEPs or 504 Plans.
  2. Sharing with healthcare providers: If a school shares medical information from an IEP or 504 Plan with a healthcare provider who is treating the student, that specific information may become PHI under HIPAA once it is in the hands of the healthcare provider. However, the original record at the school remains protected under FERPA.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is FERPA?

The Family Educational Rights and Privacy Act is a law that protects the privacy of student education records at all levels of education.

 

When does HIPAA apply to students?

HIPAA applies to students' medical records if they are patients at a healthcare provider that conducts certain transactions electronically, like billing health insurance.

 

What are the communication requirements set by FERPA?

FERPA requires educational institutions to allow parents or eligible students to access their educational records and to obtain their consent before disclosing these records, unless an exception applies.