How FERPA and HIPAA work together to protect student data

FERPA governs educational records and applies to educational institutions, while HIPAA focuses on healthcare-related information and applies to covered healthcare entities. The intersection occurs when healthcare services are provided within educational institutions, leading to a nuanced interplay of these laws in specific scenarios involving student health information.

What is Family Educational Rights and Privacy Act?

FERPA, the Family Educational Rights and Privacy Act, is a federal law that aims to protect students' educational privacy while ensuring educational institutions can appropriately manage and share information for legitimate educational purposes. 

FERPA establishes guidelines for educational institutions to obtain written consent before sharing students' personally identifiable information with third parties, except in specific situations outlined in the law. It also allows for the designation of "directory information" that can be disclosed without consent. 

See also: Legislation that applies to minor patient data

Who does FERPA apply to?

FERPA applies to students' educational records regardless of the student's age. However, the rights under FERPA transfer from the parents to the student once the student turns 18 or attends a post-secondary institution, regardless of age. 

Here's a breakdown:

• Minors: For students under 18 years old and not attending a post-secondary institution, their parents (or guardians) hold the rights under FERPA. This means parents have the right to access their child's educational records, have control over the disclosure of certain information from those records, and can seek to amend those records if they believe them to be inaccurate.
• Adult Students: Once a student turns 18 or attends a post-secondary institution (like a college or university), the rights under FERPA transfer from the parents to the student. This means the student now has control over their educational records and can decide who has access to them. However, there are certain exceptions where schools can disclose information without the student's consent, such as in the case of a health or safety emergency or under other conditions specified in the law.

Application of HIPAA and FERPA

Sharing PHI with the parent of an adult student

FERPA: If the educational records, including health records, are maintained by the educational institution, FERPA applies. An adult student's records are generally protected by FERPA, and the educational institution would need written consent from the student to share their records, including health information, with their parent.

HIPAA: If the educational institution provides healthcare services and maintains protected health information (PHI), HIPAA may apply to healthcare-related activities. HIPAA's rules for sharing PHI with parents would come into play in this case.

Options for family members concerned about adult student's mental health under HIPAA

HIPAA: Generally, if an adult student doesn't give consent to disclose their PHI, healthcare providers covered by HIPAA cannot share their mental health information with family members without permission. HIPAA is stringent about protecting individuals' health information, even if it concerns their well-being.

HIPAA provisions for disclosing PHI about a minor with a mental health condition

HIPAA: HIPAA allows healthcare providers to disclose PHI about a minor with a mental health condition or substance use disorder to their parents or guardians, especially if the provider believes the disclosure is in the best interest of the minor's health and well-being.

Sharing PHI or PII about students in danger to themselves or others

FERPA: Educational institutions are permitted to share information with appropriate parties, including parents and law enforcement, when there's a legitimate threat to the safety and well-being of the student or others under the "health and safety emergency" exception in FERPA.

HIPAA: HIPAA allows for the disclosure of PHI in situations where there's a serious threat to health or safety. Healthcare providers can share information with individuals who are in a position to prevent or lessen the threat.

Disclosing PII from education records to law enforcement officials under FERPA

FERPA: Under specific conditions, FERPA allows educational institutions to disclose PII from education records, including health records, to law enforcement officials without prior consent. This applies when there's a legitimate law enforcement interest, and the information is necessary to address a situation.

Disclosing PII to the National Instant Criminal Background Check System (NICS) under FERPA

FERPA: FERPA permits the disclosure of PII from education records to NICS in cases where the disclosure is mandated by state law, and the institution is legally obligated to report information to NICS. This is generally related to firearm background checks.

See also: How does HIPAA apply to minor patients?

FERPA exceptions to disclosure

1. Directory information: Educational institutions can disclose "directory information" without consent if they have provided public notice of the types of information they consider directory information and allow students a reasonable amount of time to request that such information not be disclosed. 
2. School officials with legitimate educational interest: Educational institutions can share student records with school officials who have a legitimate educational interest. These officials may include teachers, administrators, counselors, or other staff members who need access to the records to fulfill their professional responsibilities.
3. Other schools or educational agencies: Information can be disclosed to other schools or educational agencies where the student seeks to enroll or is already enrolled, provided that the disclosure is for purposes related to the student's enrollment or transfer.
4. Health and safety emergencies: Educational institutions may disclose information to protect the health or safety of students or others in case of emergencies. This includes sharing information with parents, law enforcement, or other appropriate parties.
5. Studies and research: In some instances, organizations conducting studies or research on behalf of the educational institution may have access to student records without consent as long as strict privacy safeguards are in place.
6. Judicial orders or subpoenas: If an educational institution receives a valid judicial order or subpoena, they may be required to disclose student records without obtaining consent.
7. Audit or evaluation: Government agencies responsible for auditing or evaluating educational programs can access student records without consent.

See also: HIPAA Compliant Email: The Definitive Guide