Paubox blog: HIPAA compliant email made easy

When can student health services share students PHI?

Written by Kirsten Peremore | June 19, 2024

While FERPA predominantly governs how schools manage and share student education records, including health information maintained by the school, HIPAA comes into play in specific situations where schools engage in standard healthcare provider transactions. The distinction helps in understanding how and when student health information can be accessed and disclosed. 

 

Legal frameworks in schools 

FERPA

Based on Department of Education guidance material released in 2019, “The term “education records” is defined to mean, with certain exceptions, those records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. 20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3 (definition of “education records”). For instance, a student’s health records, including immunization records, maintained by an educational agency or institution (such as by an elementary or secondary school nurse) would generally constitute education records subject to FERPA.”

FERPA ensures that students' health records remain confidential and are only accessible under strict conditions. This means that these sensitive records cannot be disclosed without the explicit consent of the student if they are 18 or older, or from their parents if they are younger. The only exceptions to this rule are specific, legally defined circumstances where information is needed, such as during emergencies to protect the health or safety of the student or others.

 

HIPAA 

HIPAA is like a guardian for personal health information in many healthcare settings, but its role in schools is a bit more specific. Typically, HIPAA doesn't oversee student health records in most schools because that's FERPA's territory. However, there are special cases where HIPAA takes the lead, stepping in when schools provide certain health services that involve transactions covered by HIPAA, like billing insurance electronically.

In these situations, HIPAA might supersede FERPA. This happens primarily in school clinics that operate more like health centers open to the general public or when schools offer services through a healthcare provider that bills health plans electronically through means like Medicaid. Here, HIPAA ensures that the strictest confidentiality and security measures are applied to protect student health information, just as it would in a hospital or doctor's office.

See also: How FERPA and HIPAA work together to protect student data

 

When can student health information be shared

FERPA

  1. With consent: Schools can share health records with the consent of the student or, if the student is a minor, their parent or guardian. Consent must be written and specify the records to be disclosed, the purpose of the disclosure, and the party to whom the disclosure is made.
  2. Without consent in special situations: There are specific circumstances where schools are allowed to share health data without consent:
  • If there is a threat to the health or safety of a student or other individuals, schools may disclose records to appropriate parties who need the information to address the emergency.
  • When school officials with legitimate educational interests. This includes teachers, administrators, or staff members who need access to the records to fulfill their professional responsibilities.
  • If a student is transferring to another school, records may be shared with that institution.
  • If legally required, schools may comply with court orders or subpoenas to provide records.

See also: Why HIPAA compliant email should be used for student health services

 

HIPAA

  1. Treatment: Health information can be shared among healthcare providers to treat a student. For example, a school nurse might consult with a specialist about a student’s condition.
  2. Payment: Healthcare providers can share information to obtain payment for healthcare services, like billing a health insurance company for a medical test.
  3. Healthcare operations: This includes activities necessary for running healthcare services, such as quality assessment and improvement, licensing, and conducting or arranging for medical reviews.
  4. Public health activities and safety threats: HIPAA allows disclosures for public health activities (e.g., preventing disease) and to prevent a serious and imminent threat to health or safety.
  5. Legal and law enforcement purposes: Similar to FERPA, HIPAA permits disclosure in response to court orders, legal processes, or law enforcement requests.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

Can schools share health information for research purposes without consent?

Schools can share health information for research purposes without consent only if the research is conducted to improve instruction, the information is de-identified, or the study is part of a legitimate educational interest under FERPA.

 

Can student health services share information with a student’s siblings?

Generally, student health services cannot share information with a student’s siblings without the student’s consent (if they are over 18) or parental consent if the student is a minor unless there is a health or safety emergency.

 

Are there exceptions for sharing information with school counselors?

Yes, there are exceptions, such as when the information is necessary to provide academic or emotional support to the student.