Paubox blog: HIPAA compliant email made easy

Does HIPAA apply to schools?

Written by Tshedimoso Makhene | November 02, 2023

HIPAA does not usually apply to schools, but there are circumstances in which schools may have to consider HIPAA regulations. 

Are schools covered entities?

Generally, K-12 schools are not considered covered entities under HIPAA. Schools are subject to the Family Educational Rights and Privacy Act (FERPA), which governs the privacy and security of student education records, including health information contained in those records. 

Some schools offer healthcare services to their students and employ medical professionals to provide them. Where healthcare services are provided, health information is collected, stored, maintained, and transmitted. Even so, if the school does not conduct healthcare transactions electronically, HIPAA regulations still do not apply.

When is a school a covered entity?

Some schools employ a healthcare provider that electronically conducts transactions for which HHS has adopted standards. In this case, the school is classified as a HIPAA covered entity.

  • Student health records: While HIPAA does not typically apply to schools, student health records maintained by a school nurse or other healthcare professionals within the school may be subject to HIPAA if they are involved in healthcare operations that fall under HIPAA's scope.
  • Hybrid entities: In some cases, a school may be considered a "hybrid entity" if it performs covered and non-covered functions. In such cases, only the parts of the school that engage in covered functions may be subject to HIPAA, while the rest of the school would not be.

FERPA, HIPAA, and private schools

FERPA applies to all educational institutions that receive direct funding through programs administered by the Department of Education. FERPA, therefore, applies to public schools. However, private schools are not typically covered by FERPA, as they do not receive federal funding directly from the Department of Education.

If a private school is not covered by FERPA, it may or may not be covered by HIPAA, depending on whether it conducts electronic transactions for which HHS has adopted standards. If it does, it is required to comply with HIPAA; if it does not, neither HIPAA nor FERPA applies.

When a school hires a healthcare provider that uses electronic means to carry out covered transactions, like sending medical claims to a health plan electronically for payment, the school becomes a covered entity under HIPAA and is subject to HIPAA regulations.

  • Business associate agreements: If a school, as a covered entity or hybrid entity, works with third-party service providers (business associates) that handle health information on its behalf, it must have appropriate business associate agreements in place.
  • Protected health information (PHI) safeguards: Schools subject to HIPAA regulations should implement appropriate administrative, physical, and technical safeguards to protect PHI. This includes secure storage, HIPAA compliant email, access controls, encryption, and policies and procedures for handling health information.
  • Privacy notices: Schools subject to HIPAA should provide HIPAA-compliant privacy notices to patients or students receiving healthcare services to inform them of their rights and the school's privacy practices.