Paubox blog: HIPAA compliant email made easy

How to share PHI with educational institutions

Written by Kirsten Peremore | July 23, 2024

Healthcare providers may need to share protected health information (PHI) with educational institutions in the student's best interest. In specific cases, institutions may need to abide by HIPAA, but most often, they fall under the Family Educational Rights and Privacy Act (FERPA).

 

HIPAA in education

Generally, HIPAA does not apply to educational institutions, including elementary, secondary, or post-secondary schools. The Department of Health and Human Services says that schools are usually not HIPAA covered entities, or, if they are covered, the records are considered education records and fall under FERPA instead.

FERPA protects the privacy of student education records, offering a different layer of protection than HIPAA but with a similar commitment to confidentiality. 

There are instances when HIPAA does apply, specifically when schools offer healthcare services similar to those provided by traditional healthcare providers. For example, many universities operate health clinics that process claims electronically, including billing and health insurance information. These operations must still follow HIPAA regulations. 

 

Why providers share PHI with institutions

Health providers share protected health information (PHI) with educational institutions to improve the medical services at university or school-based health centers. Sharing information can help schools and health centers coordinate and manage student well-being. For instance, if a student has a chronic condition that requires ongoing management, the health provider may share PHI to coordinate care while facilitating continued education. 

Administrative processes, like verifying health coverage, processing insurance claims, and scheduling appointments, may also require PHI. Collaboration between providers and institutions can reduce bureaucratic hurdles and improve access to care, which may be especially vital in emergencies. 

Health providers also collaborate with educational institutions to monitor and manage public health concerns, like disease outbreaks. Sharing PHI can aid in preventative care and public health monitoring.

 

Best practices

  1. Before sharing PHI, health plans and educational institutions should enter into a Data Use Agreement (DUA), outlining what information can be shared, how it will be used, and how it will be protected.
  2. When sharing PHI, organizations should apply the minimum necessary standard, meaning only sharing information required for the institution’s purpose. 
  3. Electronic exchange of PHI should be conducted over encrypted communication channels, which includes using HIPAA compliant email.
  4. Regular audits should be conducted to monitor the flow of PHI between health plans and educational institutions, allowing compliance or security issues to be identified proactively. 
  5. Establish robust incident response protocols to handle potential PHI breaches or unauthorized disclosures. 
  6. Restrict access to PHI to only those individuals at the educational institution who need it to perform their job functions.  

See also: Top 12 HIPAA compliant email services

 

FAQs

What is FERPA?

The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records at all schools that receive funding from the U.S. Department of Education.

 

What are HIPAA’s requirements for transmission security?

HIPAA requires information exchanged electronically to be secured through encryption, integrity controls to prevent unauthorized alteration or destruction, and transmission security.

 

What is PHI?

Protected Health Information refers to any information in a medical record that can be used to identify an individual and that was created, used, or disclosed during health care services, such as diagnosis or treatment.