As an IT professional in Higher Ed, you may need to work with systems affecting student health clinics on your campus. With two different laws, HIPAA and FERPA, affecting those clinics, it is important to know how to navigate your work within their requirements, especially because there are so many gray areas. Moreover, it is important to make sure you don’t jeopardize your team or your university. In this article, we discuss how each law functions, providing an overview so you can keep working within compliance.
HIPAA, otherwise known as the Health Care Portability and Accountability Act, came into law in 1996. It protects an individual’s right to keep their personal health records private. FERPA, otherwise known as the Family Educational Rights and Privacy Act, passed in 1974, is another privacy law, one that applies to education.
These two laws are often considered two of the most well-known laws regarding individuals’ personal information in relation to the public sphere, which raises the question of whether or not HIPAA regulations are applicable to student health clinics in Higher Education. There are three separate camps of consideration in this debate. The first holds that FERPA is applicable but HIPAA is not. The second agrees that HIPAA applies to health clinics specifically but nowhere else on campus, leaving the majority of campus covered by FERPA. The third camp, and the least common, holds that neither FERPA nor HIPAA applies to student health clinics due to the exemption given to “treatment records”–a dangerous position to take, as it opens the university up to liabilities, according to Elizabeth Swinton Schoen, JD, author of “Do HIPAA Privacy and Security Laws Apply to College & University Health Clinics.”
HIPAA: What You Need to Know
Since HIPAA was passed into law, it has mandated that covered entities, such as hospitals, clinics, insurance companies and medical offices, comply with the regulatory rules for protected health information (otherwise known as PHI). PHI can come in electronic and non-electronic form, and includes, but is not limited to, any identifiable information such as a patient’s name, demographics, and ethnicity. Moreover, electronic PHI is protected by additional security regulations because it is part of a larger system, like a medical records system. HIPAA also applies to the business associates of any covered entity, as business associates usually work directly with the covered entity’s PHI. Examples of these business associates include the vendor of the aforementioned medical records system, law offices, and medical billing companies.
The penalties for not complying with HIPAA regulations can reach fines of up to $1.5 million. Furthermore, non-compliance with HIPAA guidelines is not the only way to be fined. An entity can also be fined for not training its employees in HIPAA regulations. Moreover, the concept of downstream liability allows covered entities to be held liable for any breaches committed by their associates and affiliated subcontractors.
The U.S. Department of Health and Human Services (abbreviated as HHS) has the authority to create regulations and enforce the law; and since 2009, the Office for Civil Rights (abbreviated as OCR) has had the authority to apply a civil monetary penalty (CMP) to those found out of compliance. To avoid violating the law, both covered entities and business associates must establish safeguards, including effective policies and procedures, risk assessment, staff training, and a process for responding when rules have been breached.
Both 2009 and 2013 saw new regulations added to HIPAA regarding what covered entities and business associates must do to resolve a suspected breach, such as notifying the government, the media (if 500 or more records are involved), and the affected individuals. There are two exceptions to these notification requirements: data that was encrypted, and data that had already been destroyed.
A hybrid entity is one that has both HIPAA-covered and non-covered components. To be covered by HIPAA, part of the organization must fall under HIPAA’s jurisdiction (such as a health plan). Perhaps the best example of a hybrid entity is a university, which has both a HIPAA-covered component (a health clinic) and a non-covered component (such as a residence hall). A 2013 regulation requires that the covered component of a hybrid entity include all business-associate functions within the larger entity. For example, a university IT department that works with the clinic’s health record management system must comply with the regulations of HIPAA.
FERPA: What You Need to Know
The Family Educational Rights and Privacy Act (more commonly known as FERPA) is similar to HIPAA in that it was put into law to protect a student’s educational information and records; it applies to any agency that receives funding from the Department of Education (DOE), such as a postsecondary institution. The educational records that FERPA aims to protect can include any documentation related to the student, such as identifying information, information related to an IEP, any documentation maintained by a third-party educational agency, and records that are not classified as treatment records (more on that later). For an institution to be found out of FERPA compliance, a formal complaint must be made to the DOE by either a student or a parent, and an investigation is then launched. If the complaint proves a breach of FERPA compliance, the institution is subject to having its DOE funding terminated.
What are the Arguments?
To understand the debate at hand, it is important to understand what HHS defines as an exception to PHI. HHS gives exemptions to both education records and treatment records as they are defined by FERPA. Schoen offers two definitions for FERPA’s explanation of what is considered a treatment record. The first is the most basic: a treatment record is a medical record of someone 18 years old or younger who is in the care of a licensed medical professional, where the record is used only to treat that specific individual and is disclosed only to the medical professional providing the treatment. A treatment record defined this narrowly falls under neither HIPAA nor FERPA. Schoen calls these records “no man’s land” because they cannot be regulated, and argues that keeping records this way is too impractical to be defensible.
A second definition of a treatment record comes from how the record is used in practice: if a treatment record is shared for a reason outside of treatment (like billing), then it falls into the realm of an educational record and is therefore protected by FERPA. For it to remain classified as a treatment record, the attending medical professional would need to keep a paper medical chart in addition to the chart that exists in the EMR (Electronic Medical Records system); since an EMR allows multiple parties to access a student’s personal information, there would need to be a way to keep it completely private. Use of an EMR causes treatment records to fall under FERPA because the relationship no longer involves only two parties, the professional and the patient.
HIPAA v FERPA
How do the regulations set forth by HIPAA apply to a student health clinic? To begin to answer this question, Schoen states, “it’s important to understand the difference between a health record and the type of entity that provides medical services.” FERPA has jurisdiction over the documents that make up one’s educational record—i.e. the experiences at the health clinic relate to the student’s overall educational record, as the clinic is a part of the institution as a whole. It gets tricky because once a record falls under FERPA, it cannot then be subject to HIPAA. HIPAA, on the other hand, governs both the type of record involved (with the exemption of education and treatment records) and the entity it stems from. This means that if a record is not exempt under FERPA, HIPAA will automatically apply, as long as the entity holding it otherwise meets HIPAA’s criteria.
Is a health clinic a covered entity under HIPAA?
To further decide whether HIPAA regulations apply, another question must be answered: is a health clinic a covered entity under HIPAA? Covered entities include clinics and providers that “transmit” any information electronically through claims, payment, coordination of benefits, claim status, enrollment or disenrollment in a health plan, health plan eligibility, premiums, referrals, first-person accounts of injury, and any attachments or additional transactions made by an administrative assistant. Next, the phrase “transmitting” data must be reviewed. HIPAA considers the transmission of data to be a transaction between two parties, meaning that one party sends data to the other electronically; HIPAA further defines “electronically”, stating that it must be done via a secure connection. The conversation must then look at whether the student clinic is actually considered a health care provider under HIPAA: which, according to US law (specifically section 1861(u) of the Social Security Act, 42 U.S.C. 1395x(u)), it is. Furthermore, according to the OCR, a postsecondary institution is deemed a hybrid entity under HIPAA.
HIPAA & Non-Students
Although it is less common, health clinics do treat non-students. When they do, it is most often faculty or staff members, or occasionally the family members of a faculty or staff member or of a doctoral student. If a non-student is treated at the student health clinic, they are not subject to FERPA, as their treatment has nothing to do with an educational record. HIPAA would continue to apply unless the situation falls under an exemption already defined by HIPAA (such as obtaining a flu shot on campus due to a university-wide mandate). Furthermore, someone who is both a university employee and a student is still subject to FERPA.
Student Records & External Providers
This becomes more complicated when records are sent out to external providers, as happens with referrals for treatment. From the university’s perspective, it is handing off a file that is governed by FERPA. However, once the record reaches the external provider’s hands, it changes over and is regulated under HIPAA. Billing is another blurred line. When a student health clinic bills an insurance company, it does so under FERPA, because the billing is directly related to the student and is part of their overall education. However, the insurance agency would still be regulated under HIPAA due to its position as a business associate of a hybrid entity.
HIPAA & Third Party Vendors
Suppose your university licenses a third-party EMR system: how would that affect HIPAA? The answer, as you may have guessed, depends on the specifics of the situation. For example, if the EMR system houses only information from students that the clinic sees, that would fall under FERPA. If, however, the system houses information from non-students, that would fall under HIPAA. The same reasoning applies to the encryption used to protect the stored files, as well as to storing them in the software’s accompanying cloud. It also holds if your EMR system is used to fill prescriptions via an e-prescription service, or works with additional third-party entities, like a laboratory, in order for specimens to be tested.
Wrapping Up
While there is still significant debate over whether HIPAA or FERPA applies, or neither, or both, it may be best to take everything on a case-by-case basis. The problem with applying a generalized ruling to issues of privacy, as Schoen states, is that “HHS did not go far enough to address the issue of student health clinics and their expanding role in the healthcare area.” While this may change over the next few years, there is no clear indicator that HHS will be reevaluating its current position on HIPAA and FERPA. Schoen’s best piece of advice for Higher Ed institutions, however, is to hold your university administration and their vendors to HIPAA standards. Besides giving you higher overall standards of privacy and practicality, it would spare your institution a difficult transition should HHS opt to reevaluate its current position and hold student health clinics fully to HIPAA regulations. As a Higher Ed IT professional, you may need to work within HIPAA regulations, and we hope this article has provided you with a good foundation of knowledge.