The advent of school-based telemedicine has brought renewed focus on the intersection of two federal laws governing patient privacy: the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). Many are trying to navigate the tricky confluence of these laws in the context of telemedicine, but there is hardly a well-traveled course.
By way of background, HIPAA protects the privacy of patient records in nearly all healthcare settings, whereas FERPA protects only student health records maintained in school settings (where the school receives Department of Education funding). The laws are similar in that they generally limit the situations in which a healthcare provider can disclose health information without patient (or parental) consent. However, the laws have a few key differences. For example, under HIPAA, protected health information may be disclosed without consent for “payment, treatment, and operations”; FERPA has no such broad consent exception, but does allow disclosures without consent for “legitimate educational interests” to certain school officials, which might not be permitted recipients under HIPAA.
These differences have historically led school-based health providers to carefully examine whether a record is governed by HIPAA or FERPA. The overly simple answer is that an education record governed by FERPA is specifically exempt from HIPAA’s requirements. That is, in a traditional school-based clinic, a nurse or other provider would be held to confidentiality by FERPA, not HIPAA.
HHS/DoED 2008 GUIDANCE
The involvement of outside parties in school-based care caused the Department of Education and the Department of Health and Human Services, in 2008, to release joint guidance on the intersection of HIPAA and FERPA in school-based healthcare. Beyond clarifying the two distinct zones of HIPAA and FERPA privacy regulation, the report aimed to address some of the scenarios where the distinction was not self-evident.
Significantly, the agencies identified the HIPAA/FERPA boundary in the context of outside healthcare providers serving schools. Where a person or entity is providing services “on behalf of” a FERPA-regulated school, the report states, the record is subject to FERPA, and therefore not subject to HIPAA; as an example the report cites “a school nurse that provides services to students under contract with or otherwise under direct control of the school.” On the other hand, if an outside party is not acting “on behalf of” the school, such as “a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school,” the record would be governed by HIPAA.
The “on behalf of” test may not meet many providers’ desired level of certainty. The FERPA regulations provide slightly more insight, adding that FERPA applies to a contractor performing “institutional services or functions…for which the agency or institution would otherwise use employees…under direct control of the school with respect to the use and maintenance of education records.”
TELEHEALTH IN FOCUS
Alas, the 2008 joint guidance did not specifically contemplate the use of telehealth as a delivery mechanism for school-based healthcare. Because many school-based telehealth programs involve the frequent exchange of student health records between school personnel and independent contractors, the line dividing “education records” from HIPAA records is a constantly moving target.
One might view an outside tele-provider as clearly not “under direct control” of a school with respect to its use and maintenance of medical records, which would mean the provider could treat such records as it normally would under HIPAA. However, such a provider could also be said to act “on behalf of” the school if it is serving as the school’s primary healthcare service, and therefore would be subject to FERPA.
Moreover, consider this scenario: a provider engaged in school-based telehealth receives a FERPA record from a school nurse. Even if the provider’s own records would be treated as HIPAA records, the record received from the school would be subject to FERPA’s rules regarding redisclosure — essentially, the FERPA disclosure rules themselves.
Outside providers are not the only parties affected by this overlap; school personnel also must be mindful of their potential HIPAA requirements. In practice, many providers contracting with a school will mandate that the school sign a HIPAA business associate agreement (BAA) as a condition of participation. Thus, even if a school is not statutorily subject to HIPAA because of the FERPA exemption, the school might have contractually committed to comply with certain (if not all) HIPAA provisions via the BAA.
SO, WHAT’S A PROVIDER TO DO?
While this complexity no doubt presents a conundrum for school-based telehealth providers, their outlook is not all doom-and-gloom. In reality, many of the protective measures a provider would take under HIPAA would be similarly beneficial under FERPA’s regulatory scheme, and vice versa. Once a provider commits in earnest to patient privacy, the mastery of the HIPAA-FERPA overlap boils down to a select few details.
For the outside tele-provider, it is largely academic to think of a scenario in which HIPAA would not be followed — the gargantuan 1996 law is a fixture in most healthcare settings. But, to protect against the possibility that their records might be FERPA records, such providers might seek to obtain advance consent that meets the form requirements of FERPA (34 CFR 99.30) and authorizes the HIPAA-permitted disclosures that would require consent under FERPA, i.e. disclosures for payment and operations.
For school personnel, the question of HIPAA liability will depend on the school’s particular circumstances, including the presence and scope of a BAA. If a school is required to comply with HIPAA’s Privacy Rule, it must be mindful of disclosures that would be routine under FERPA (e.g. to non-treating school officials) that would require consent under HIPAA, and obtain consent for such disclosures before delivering treatment. If a school is required to comply with HIPAA’s Security Rule, it should consult a healthcare attorney in developing policies and procedures to safeguard health records.
Disclaimer: The foregoing materials are provided for informational purposes only and are not to be construed as legal advice. The information relies on limited authority and has not been screened or approved by any governmental agency. Please consult an attorney before applying this guidance to any particular facts or circumstances.