This article was originally presented by the author on April 16, 2004, to the New Hampshire Association of Special Education Administrators, at its annual Law Day Conference.

A Word of Caution

No two cases are exactly alike. This material is designed to provide special educators with a general understanding of their obligation to comply with the privacy aspects with the privacy laws under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). You are strongly encouraged to seek a legal opinion from your school district's legal counsel regarding any specific matter.

I. Overview

The purpose of this material is to provide the special education administrator with an understanding of the "Administrative Simplification" standards adopted by Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This material is not intended to substitute for legal counsel nor is it intended to provide an exhaustive statement of the legal requirements imposed by the Health Insurance Portability and Accountability Act of 1996.

Return to Table of Contents

II. The HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (enacted on August 21, 1996) required the Secretary of Health and Human Services to publicize standards for the electronic exchange, privacy and security of health information. These requirements were euphemistically known as the "Administrative Simplification" provisions. The Act provided that if Congress did not enact privacy legislation within three years of its passage, the Secretary was required to issue privacy regulations governing individually identifiable health information.

Congress did not enact privacy legislation and thus, Health and Human Services developed a proposed rule which it first released for public comment in November of 1999. The proposed privacy rule went through an initial public comment phase which resulted in the publication of a final regulation on December 28, 2000. In March of 2002, the Department proposed and released for public comment modifications to the privacy rule and after comment, the final modifications were published on August 14, 2002. See 45 CFR Part 160 and Part 164 (subparts a and e).

Return to Table of Contents

III. What Are The Goals of HIPAA?

The privacy rule addresses the use and disclosure of individuals "protected health information" (PHI) by organizations subject to the privacy rule. In addition, HIPAA sets standards for the individuals' privacy right to understand and control how their health information is used.

A major goal of the privacy rule is to ensure that personal health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Act's goal is to balance the use of health information while protecting the privacy of people who seek medical treatment. One of the underlying goals behind the privacy rule is to frustrate the ability of health insurance companies to deny coverage based on readily accessible medical information. Simply put, the privacy rule insulates individuals from the risk that their personal health information will be inappropriately accessed, released or misused.

Return to Table of Contents

IV. When Might a School District Be a "Covered Entity?"

School districts have operated for many years under the privacy law that was enacted in 1974 known as the Family Education Rights and Privacy Act (FERPA). FERPA requires schools that receive federal funding to hold as confidential the information in students' education records. With few exceptions, this information can only be made available to the parents, students at age 18 or to school staff who have a 'need to know' in order to provide education.

As a general rule, HIPAA's definition of protected health information excludes education records protected by FERPA. This means the use and disclosure of education records, as defined by FERPA is not subject to HIPAA regulations. A student's IDEA related-services records are included in the definition of 'educational records' and are covered under FERPA.

However, there are two circumstances in which a school district may become subject as a "covered entity," to HIPAA regulations:

1. A school district must comply with HIPAA if the district provides health insurance protection for its employees through a self-insurance plan.
   
   
2. A district may be a "covered entity" under HIPAA if the school district participates in a school based Medicaid program that seeks reimbursement for related services to a special education student who is Medicaid eligible and whose IEP describes the related services. HIPAA describes a 'covered entity' as a health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR 160.103. If the Medicaid reimbursement/billing information is transmitted electronically, the district must comply with the administrative burdens of the HIPAA privacy rule. This includes the responsibility on the part of a district as a covered entity to distribute a notice of privacy rights to the parents of students. One way to do such is to include the privacy rights notice annually in the student handbook.

Often the determination as to whether or not a school district is a "covered entity," can be a factually sensitive matter and therefore, may require advice from your legal counsel.

Return to Table of Contents

V. The FERPA Exemption

Health information contained within a student's educational records that are subject to the Family Educational Rights and Privacy Act ("FERPA") are exempt from the requirements of HIPAA. See 24 CFR 164.501. The Office for Civil Rights has observed that, "While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA." The term "educational records" includes individually identifiable health information of students under the age of 18 created by a school nurse in a primary or secondary school receiving funds. In addition, medical records that are accepted from FERPA's definition of "education records" under FERPA Section 99.3 are also exempted from coverage by HIPAA.

Return to Table of Contents

VI. Obtaining Medical Records

The HIPAA privacy regulations have the greatest impact on the ability of school districts to access medical care records. Special education administrators are frequently encountering circumstances where health care providers are rejecting a parentally signed release as being non-HIPAA compliant. The end result is that school districts are best advised to alter their release forms in order to ensure that they are HIPAA compliant. A sample release form is attached as Appendix A. However, school districts are well advised to have their own legal counsel review and counsel them on the detail of their release.

Return to Table of Contents

VII. Conclusion

As a general premise, when it comes to student records, a school district need be concerned with FERPA compliance, but usually will not need to worry about HIPAA compliance.

However, districts are advised to use HIPAA compliant releases in order to simplify obtaining information from medical care providers.