education records (FERPA/HIPAA)

The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).

FERPA provides privacy protections for such records when held by federally funded educational institutions. Failure to adhere to FERPA rules can result in the loss of federal funds, though that punishment is very rare.

(It is a rare educational institution that is not "tainted" by federal funding of some sort, and so within the reach of FERPA. Note, however, that parochial and private schools at the elementary school levels do not generally receive such funding and thus are not subject to these federal protections. In such cases, state education records laws still apply and may provide privacy protections.)

FERPA defines an "education record" as "those records, files, documents, and other materials" that

  • "contain information directly related to a student;" and
  • "are maintained by an educational agency or institution or by a person acting for such agency or institution."

Students who are at least 18 years of age, or attending postsecondary institutions -- or otherwise their parents -- generally have a right to:

  • gain access to their education records (obtain copies) within 45 days of a written request;
  • seek to amend any information therein considered to be in error;
  • control how information in such records is disclosed to other institutions -- in general, such disclosures must be authorized by the student or parent, with some exceptions; and
  • complain to the US Department of Education if these rights appear to have been violated.

There is no right of access to confidential letters of recommendation, if the right of access has been waived in advance; students' access to parents' financial information is also limited. A court order may condition a parent's access to a minor student's records.

The amendment right includes an "opportunity for a hearing" to seek deletion or correction -- or the insertion of a "written explanation" -- of any information in the educational record which the student (or parent) deems "inaccurate, misleading or otherwise inappropriate."

Disclosure without consent is permitted to "school officials" with "legitimate educational interests"; for compliance with judicial orders and subpoenas; for audit and evaluation of federally-supported education programs; and for other legally-mandated record keeping.

For example, as regards the first, education records may be disclosed without consent to officials of another school at which a student seeks or intends to enroll.

In the case of a judicial order or subpoena, the student (or parent) must be notified in advance of compliance, providing an opportunity to seek a counter-order to stop the disclosure. (Note that searches conducted on the basis of section 215 of the USA Patriot Act, under a FISA warrant, do not require prior notification. Nor do the persons affected by such a search need to be contacted subsequently to inform them of the process. Indeed, the educational institution can be prohibited from providing such information to the objects of the search under section 215.)

In general, disclosures to third parties can only be made on the condition that the recipient observes FERPA rules. Recipients can be banned from receiving educational records for five years if they fail to do so.

An institution must give public notice of the categories of "directory information" it has designated, and allow students (or parents, if the student is a minor) the opportunity to request prior consent for such disclosures.

There are several important exclusions from FERPA's definition of an education record, the last of which is important for HIPAA. FERPA excludes:

  • "records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute";
  • "records maintained by a law enforcement unit of the educational agency or institution that were created by that law enforcement unit for the purpose of law enforcement";
  • "in the case of persons who are employed by an educational agency or institution but who are not in attendance at such agency or institution, records made and maintained in the normal course of business which relate exclusively to such person in that person's capacity as an employee and are not available for use for any other purpose"; or
  • "records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice."

In addition to excluding FERPA-protected records generally, HIPAA excludes this fourth category from the definition of PHI as well. The exclusion is narrower than it first appears, however, since most "student health" records will indeed be shared beyond the immediate clinical practitioner(s) providing treatment (e.g., to file an insurance claim or for other reporting). That would then (re)qualify a student health record as a kind of education record, subject to FERPA (but not HIPAA).

Note that the same general approach applies to health information in education records at the primary and secondary level, where there may be school clinics but rarely a student health facility as such. Incidental bits of information on a student's health (such as notes from a school nurse) do not convert an education record into a health record.

HIPAA's protections extend to health information broadly defined, for a broad range of covered entities. Fundamentally, it is the type of information held that triggers the protection, rather than the type of holder. (To be sure, the type of use envisioned by the holder determines the particulars of protection.) The FERPA carve-out for health information represents a different approach -- health information held by an educational institution becomes education information instead. (Note that state law, which HIPAA only sometimes preempts, may have a different view.)

An education facility may voluntarily elect to give to its student health records any additional protections accorded under HIPAA, as well as the required ones afforded by FERPA. Fortunately, the general privacy rights under each are very similar, so there is no fundamental conflict. Note, however, that the Family Policy Compliance Office of the US Department of Education (which enforces FERPA) has taken the position that "students' medical records and education records under FERPA are not subject to HIPAA and should not be disclosed to HHS under HIPAA."

Further refinement of the precise boundaries between the two laws can probably be expected from DHHS and DEd in future.

   © 2002-2006 Contributing authors and University of Miami School of Medicine