Most schools are not directly subject to HIPAA. Still, they must comply with the Family Educational Rights and Privacy Act (FERPA) when handling student health data. This is because schools are generally not considered covered entities under HIPAA. However, there may be cases where school nurses are subject to HIPAA, mainly when they provide healthcare services and conduct electronic transactions that involve handling a student's patient data.
What types of health information do school nurses typically handle in their roles?
- Medical histories: Information about students' medical backgrounds, such as pre-existing conditions, allergies, and chronic illnesses.
- Injury and illness records: Records of injuries or illnesses that occur while the student is at school, including details of the incident, symptoms, and treatments provided.
- Medication records: Document the medications administered to students during the school day, including dosage and timing.
- Vaccination records: Records of students' immunization history and compliance with vaccination requirements.
- Health screenings: Results of health screenings, such as vision, hearing, and scoliosis checks.
- Medical examination notes: Notes and observations from medical examinations conducted by the school nurse, including height, weight, and vital signs.
- Individualized healthcare plans: Plans developed for students with specific medical needs, outlining necessary accommodations and care procedures.
- Emergency treatment records: Information about any emergency treatments administered, including first aid and responses to severe allergic reactions or injuries.
Specific situations where HIPAA applies to school nurses
HIPAA applies to school nurses in specific situations when they provide healthcare services to students. Specifically, HIPAA applies to school nurses when:
- Healthcare services: School nurses are responsible under HIPAA when they provide healthcare services to students, and healthcare transactions are conducted electronically, following the standards set by the Department of Health and Human Services.
- Treatment purposes: HIPAA allows healthcare providers to disclose protected health information (PHI) to school nurses for treatment purposes without requiring the student's or parent's authorization. This allows healthcare providers to discuss a student's health information with school nurses when it is necessary for their treatment.
- Immunization records: If state or other laws require schools to obtain proof of a student's immunizations before admission and the parent or guardian consented to the disclosure, HIPAA allows healthcare providers to share immunization records with school nurses or designated school representatives.
See also: How does HIPAA apply to minor patients?
Application of HIPAA and FERPA
Sharing PHI with an adult student's parent:
FERPA: If an educational institution maintains educational records, including health records, FERPA applies. Typically, FERPA protects an adult student's records, requiring their written consent to share information, including health data, with their parent.
HIPAA: HIPAA may apply if the institution provides healthcare services and manages PHI. HIPAA's rules for sharing PHI with parents would be relevant in this context.
Family concerns about an adult student's mental health under HIPAA:
HIPAA: Usually, without a student's consent, healthcare providers governed by HIPAA cannot share the student's mental health information with family members. HIPAA strongly safeguards individuals' health data, even concerning their well-being.
HIPAA provisions for disclosing PHI about a minor with mental health issues:
HIPAA: HIPAA allows the disclosure of PHI about a minor with mental health concerns to their parents or guardians if it benefits the minor's health and well-being. These disclosures must be performed through secure communication such as HIPAA compliant email.
Sharing PHI or PII for student safety:
FERPA: Under the "health and safety emergency" exception in FERPA, educational institutions can share information with relevant parties, including parents and law enforcement, when there's a legitimate safety concern for the student or others.
HIPAA: HIPAA permits disclosing PHI in serious health or safety threats. Healthcare providers can share data with those who can prevent or mitigate the threat.
Disclosing PII from education records to law enforcement:
FERPA: FERPA, under specific circumstances, allows disclosing PII from education records, including health records, to law enforcement without prior consent when a legitimate law enforcement interest exists, and the information is necessary.
Disclosing PII to the National Instant Criminal Background Check System (NICS):
FERPA: FERPA permits disclosing PII from education records to NICS when state law mandates it, and the institution is legally obliged to report information to NICS, typically for firearm background checks.
See also: How FERPA and HIPAA work together to protect student data