Paubox blog: HIPAA compliant email made easy

Does HIPAA apply to special education schools?

Written by Tshedimoso Makhene | November 04, 2023

Special schools are not considered HIPAA covered entities and, therefore, are not subject to HIPAA regulations. However, there are exceptions where HIPAA regulations may apply. 

 

What are special education schools?

Special education schools are educational institutions that cater to students with disabilities or special educational needs. These schools provide tailored educational programs and support services to students with various physical, cognitive, emotional, or developmental challenges. 

There are 14 categories under special education:

  • Autism
  • Deaf-blindness
  • Deafness
  • Emotional disturbance
  • Hearing impairment
  • Intellectual disability
  • Orthopedic impairment
  • Specific learning disability
  • Speech or language impairment
  • Traumatic brain injury
  • Visual impairment
  • Multiple disabilities
  • Other health impairments

Related: Do special education teachers need to be HIPAA compliant?

 

Are special education schools permitted to collect PHI?

Special education schools may collect protected health information (PHI) for providing healthcare services or support to students with disabilities based on the nature of the service, privacy laws, and student consent. 

However, there are a few considerations to be kept in mind:

  • Healthcare services: If a special needs school operates a healthcare clinic or provides healthcare services within its facilities, it may collect PHI. In such cases, the school may be subject to HIPAA.
  • Informed consent: Special education schools, like other healthcare providers, should obtain informed consent from students' parents or guardians before collecting and using PHI. 
  • Individualized education plans (IEPs): When developing IEPs for students with disabilities, special education schools may collect health-related information to tailor educational and support services to the student's needs. 
  • Privacy laws: The privacy of student records, including health information, in educational settings is primarily governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
  • Health records and FERPA: Under FERPA, health records maintained by educational institutions, including special education schools, are considered "education records." FERPA protects the privacy and security of these records and specifies who can access them and under what conditions.

Go deeper: Does HIPAA apply to schools?

 

What is FERPA?

FERPA is a federal law in the United States that is designed to protect the privacy of student education records. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes all public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools. 

 

FERPA provisions

  • Access to records: FERPA gives students and their parents or guardians the right to access their education records. This includes the right to review and inspect these records and to request corrections or amendments if they believe the records are inaccurate.
  • Control over disclosure: FERPA allows students or their parents or guardians to control the disclosure of education records. Institutions are generally required to obtain written consent before releasing a student's records to third parties.
  • Directory information: FERPA permits institutions to disclose certain directory information without consent. This typically includes the student's name, address, phone number, and email address. However, institutions must notify students about their directory information policies and allow students to request that this information be kept private.
  • Privacy and security of records: FERPA requires educational institutions to maintain the privacy and security of education records. Access to these records is limited to authorized personnel.
  • Annual notification: Schools must provide annual notification to students and their parents or guardians about their rights under FERPA and the school's policies and procedures regarding education records.

See also: HIPAA Compliant Email: The Definitive Guide

 

Where do FERPA and HIPAA intersect?

When a school provides health care to students through its health clinic, they are defined as a "health care provider" under HIPAA. If a school also conducts any covered transactions electronically in connection with that health care, it is a covered entity and must comply with HIPAA.

Many schools don't have to follow HIPAA's Privacy Rule, even if it usually applies to them. This is because the health information they keep is part of the student's educational records or treatment records. These records are protected under FERPA.

Go deeper: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records