In my role as Director of Operations here at Hello, I quite often field questions about HIPAA and FERPA. Today I’d like to share some of my personal knowledge of these two federal laws and how they apply to speech pathologists, occupational therapists, and school psychologists working in public schools. I am not a lawyer and all of my knowledge is from my own research, so I encourage you to do your own research and/or talk to an attorney if you have questions about your unique situation.
You hear HIPAA mentioned way more often than FERPA and often in situations where it doesn’t apply. So, let’s start with the basics.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law to protect patient health information from being shared without consent. There are certain covered entities under HIPAA and they include health plans, health care clearinghouses, and health care providers who electronically transmit information. Also included under HIPAA rules are business associates of the covered entities. Business associates are individuals, groups, or companies that are used to help carry out healthcare activities. Examples might include companies that provide billing, coding, collections, or IT services. A covered entity must have a contract with a business associate, called a Business Associate Agreement or a BAA. In our world, we often hear the business associate term used in regards to clinicians using software such as Zoom (information on their HIPAA compliance and BAA can be found here) or electronic records systems.
What is FERPA?
The Family Educational Rights and Privacy Act of 1974 is a United States federal law that governs access to educational information. FERPA applies to educational agencies and institutions that receive federal funds. This law allows parents access to their student’s educational records until the student is 18 at which time control transfers to the student. It also means that educational records can’t be shared with outside entities (such as a school that a student has transferred to) without written permission from the parent (if the student is under 18). Individual Education Plans (IEPs) are part of the educational record and covered under FERPA and I encourage you to read this document from the US Department of Education that specifically outlines the FERPA confidentiality provisions for IEPs. FERPA specifically looks to protect any personally identifiable information. Exceptions can be made to FERPA to release information only during a health or safety emergency.
Does HIPAA Apply to Schools at All?
In general, schools are not considered a “health care provider” and are not subject to HIPAA rules. When the school nurse treats a student, those records are still considered part of the educational record. The school is not electronically sending information for reimbursement so HIPAA does not apply. Of course, the school nurse does still has to protect personally identifiable information under FERPA rules. Treatment notes from speech pathologists, occupational therapists, and school psychologists are all considered part of educational records and covered under FERPA. This even applies when Medicaid is being billed. There are, however, some special circumstances where HIPAA does apply to schools. This document, issued jointly by the US Department of Health and the US Department of Education and Human Services, has good information about where HIPAA and FERPA intersect.
And what about COVID?
In the time of COVID, we hear a lot about HIPAA concerns. Really, the concerns should be talked about as FERPA concerns, or even better, just privacy concerns. When we can acknowledge that the real issues aren’t about the laws governing privacy but about practical, real-life issues that arise around privacy, we are much better suited to solve these problems. Whether we are on-site or using a teleconference platform, we want to be sure we have privacy procedures in place. Are we careful not to use identifiable information in electronic communications? Are we using passwords on documents sent through email? Are our teleconference sessions set up with meeting rooms and/or passwords? These are all the types of issues we should be thinking about and have a plan for. This is no different than being physically in a school building and thinking about what we are saying over the phone when a student is present, who is walking past our open door, or keeping records safely locked away. Of course, COVID presents some unique challenges, especially when thinking about public health, and I recommend that you refer to this FERPA & COVID-19 Frequently Asked Questions document issued by the US Department of Education for guidance around those issues.
Privacy issues are important to consider and shouldn’t be lost in the mire of law. Instead, they should be front and center of all our interactions as we continually look for ways to improve our privacy procedures for all the students we work with.