HIPAA and Schools: What You Need to Know


The Kennedy–Kassebaum Act, better known as the Health Insurance Portability and Accountability Act of 1996, or HIPAA, came about to address insurance limitations, modernize the flow of healthcare information, and set protection standards for sensitive patient health information. This last part led the U.S. Department of Health and Human Services (HHS) to issue both the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule concerns the safeguarding of certain health information, while the Security Rule sets protection standards for certain health information that is held or transferred in electronic form.

Paperless technologies and practices were evolving rapidly and variably in the healthcare industry in the 1990s, and these rules tried to bring some standardization while maintaining a balance between efficiency and privacy. The Security Rule applies to health plans, health care clearinghouses, and any health care provider transmitting health information in adopted electronic forms. The Office for Civil Rights (OCR) within HHS is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Thousands of HIPAA violations are investigated each year by the department. The penalty for a HIPAA violation can be as high as $50,000, and up to $1.5 million for multiple violations.

What does HIPAA mean for schools?

When many people think of HIPAA compliance and violations, schools don’t come to mind. They think of doctors, hospitals and other easily recognizable medical providers. To a degree this makes sense, as that is where the majority of violations take place. But there are some situations where a lack of scrutiny on record keeping could potentially lead to a HIPAA violation from a school.

Generally, HIPAA compliance is not required for elementary and secondary schools. Schools do regularly collect medical data from students, such as vaccination records, but a different law, the Family Educational Rights and Privacy Act (FERPA), largely covers this. For the most part, school records covered under FERPA are not covered by HIPAA.

While FERPA largely supersedes HIPAA in schools, there are also two other tests to determine the applicability of HIPAA standards. First, find out if the school is a HIPAA covered institution. This could be the case if the school is transmitting healthcare information electronically or otherwise handling health plans. It could be that transmissions are a part of administrative or financial processes.

The second test goes into the type of information possessed by the school or school system. Information recorded by schools is generally considered to be part of the student’s educational record and falls under FERPA instead.

When could HIPAA apply to schools?

Well, there are a few scenarios. Probably the most common regards students and private schools. FERPA does not apply to educational institutions that do not receive any federal funding or grants. Private school students’ medical records may thus require HIPAA compliance, though these institutions likely have legal teams familiar with privacy regulations and their particular requirements.

Even public schools could be subject to HIPAA under other scenarios. One pertinent possibility is if someone who is not a direct school employee provides medical care to students. Maybe flu shots or other vaccines (maybe Covid-19 in the months to come) are provided through a local pharmacy at a school. Without direct school sanction on this activity, HIPAA laws supersede FERPA. Also, if a public school employs a health care provider that bills Medicaid electronically for services provided to a student under the Individuals with Disabilities Education Act, the school is covered by HIPAA and would be subject to its requirements.

Sorting FERPA and HIPAA gets more complicated for students 18 and older because generally HIPAA takes over, though when schools operate a health clinic themselves even older students still fall under FERPA.

Concerns about securing medical data?

We at LINQ Forms & Workflows are ready to help your school improve and secure its record keeping processes. Our paperless solutions are efficient and safe, allowing schools to streamline their paperwork while maintaining (even improving!) peace of mind. Contact us today for a demo; we’re happy to walk you through the possibilities.