FERPA and HIPAA: What’s FACT and What’s FICTION for K-12 Schools and Compliance

In this article we are going to address some myths and some truths regarding Health Insurance Portability Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA). The US Department of Health released guidance in 2008 in relation to both health and student records. This is an area that can sometimes cause confusion, so a few important talking points are addressed below.

FICTION

“HIPAA is a privacy rule that applies to K-12 Schools.”

In many cases the HIPAA privacy rule does not apply to elementary and secondary schools.

WHY?

(1) A school is not a HIPAA covered entity.  

(2) Schools only maintains health records that are “education records” under FERPA and are therefore not subject to the HIPAA privacy rule.

The FACTS

• HIPAA only applies to health clearinghouses, and health care providers that submit health information transactionally. Health care workers in the school environment do not engage with any transactions and as a result are not generally a HIPAA covered entity.
• There are some certain situations where a school is a HIPAA covered entity and not subject to FERPA. A school that is not subject to HIPAA or FERPA must always comply with the HIPAA privacy rule for any individual health information about the students it serves and anyone else that provides health care. There are great ways for schools today to provide health information in a paperless format.
• FERPA does give parents certain rights regarding their child’s health records. Schools are often encouraged to create electronic forms and information to help easily manage records. Parents have the right to view education records.
• Schools may disclose student information that includes directory information such as name. address, birth date, awards, and dates of attendance. Schools must inform parents about this information and allow parents an allocated amount of time to rebuttal if they choose to not have their child’s information included.

You can access the guidance from the US Department of Education here.

FICTION

“FERPA is just like HIPAA!”

WHY?

(1) HIPAA protects one’s personal medical information.

(2) FERPA protects only educational records.

The FACT

• FERPA applies to any educational institution that receives funds from any program that is administrated under the US Department of Education.