
Resources

Private Schools and HIPAA

Several CAPSO affiliates have posed questions regarding the obligations of private schools under terms of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). CAPSO queried the U.S. Department of Education's Office of Non-Public Schools regarding this matter, and has received the response appearing below.

Please be advised that the following is not intended as legal advice. Schools are strongly advised to seek legal assistance should there be any question relating to their status and obligations under HIPAA.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Private Schools

Background
HIPAA is a law passed in 1996 that is also sometimes called the "Kassebaum-Kennedy" law. This law expands health care coverage for those who have lost a job, or moved from one job to another. HIPAA protects individuals and their families if they have: pre-existing medical conditions, and/or problems getting health coverage, and they think it is based on past or present health. HIPAA also has the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

Application to Private Schools
In general, the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) do not apply to private schools unless a private school is a "covered entity" as defined in the statute. The HIPAA rules apply to what are termed "covered entities." To the extent that a private school meets the definition of covered entity, then it is subject to HIPAA's requirements. Covered entities are defined as health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a transaction for which the Secretary has adopted a standard (a covered transaction). If a school, such as through a school clinic, furnishes, bills, or is paid for health care[1] in the normal course of business, then it is a "health care provider" under 45 C.F.R. § 160.103.[2] If the school conducts any covered transactions electronically in connection with that health care, it is a covered health care provider, and thus a covered entity, for purposes of the HIPAA rules.[3] Decision tools for determining whether an entity is a covered entity may be accessed at www.cms.gov/hipaa/hipaa2.

If the school is a covered entity, it is covered by, and would have to comply with the HIPAA rules, as applicable. Even if a school is a covered entity, however, it may not necessarily have to comply with the HIPAA Privacy Rule. The Privacy Rule does not apply to certain records of certain schools, because such records are excluded from the definition of "protected health information" at 45 C.F.R. § 164.501. Two exclusions to the definition of "protected health information" are relevant here. The first exclusion from the definition of "protected health information" (at paragraph (2)(i) of the definition) is "education records" covered by the Family Educational Rights and Privacy Act ("FERPA"). The Privacy Rule does not cover such records because Congress, through FERPA, specifically has addressed how these records should be protected. The term "education records" is defined at 20 U.S.C. 1232g(a)(4)(A) as: those records, files, documents, and other materials which

    (i) contain information directly related to a student; and
    (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.

Health and family history records that are maintained by the school and directly related to the student (such as those in a school clinic) would be considered to be education records under FERPA. They would, thus, be exempted from coverage by the Privacy Rule.

The second exclusion from the definition of "protected health information" (at paragraph (2)(ii) of the definition) is for records coming within 20 U.S.C. 1232g(a)(4)(B)(iv). These are the following:

    records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student's choice.

Because such records are excluded from the definition of "protected health information" at 45 C.F.R. § 164.501, they are not covered by the Privacy Rule. If all of the individually identifiable health information held by a school is excluded from the definition of "protected health information", the school would not need to comply with the Privacy Rule.

As noted above, education records covered by FERPA are not covered by the Privacy Rule. FERPA applies only to schools that receive federal funds from the U.S. Department of Education. 34 C.F.R. § 99.1. Whether a school receives funds from another federal agency or state funds is not relevant in determining the application of FERPA. FERPA applies to all public elementary and secondary schools and virtually all—public and private—postsecondary institutions. Generally, FERPA does not apply to private elementary and secondary schools, because those institutions usually do not receive federal funding from the U.S. Department of Education. Except as discussed in the next paragraph, in the case of a school that does not receive funding from the U.S. Department of Education, if the school is a covered entity for the reasons described above,[4] the school would be required to comply with the Privacy Rule, because the health information it maintains would not be covered by FERPA.

If a public school places a child with a disability in a private school, the U.S. Department of Education considers the records of that student to be maintained by a party acting for the public school and subject to FERPA. Thus, the records of that student in the hands of the private school would not be covered by the Privacy Rule even though the remainder of the private school's individually identifiable health information in student records would be (assuming the private school is a covered entity, as discussed above). Also, if a student with a disability who is enrolled in a private school receives services at a public institution, the records on that student at the public institution would be protected by FERPA as well.

For further information, visit the HHS' Website on HIPAA at http://www.hhs.gov/ocr/hipaa and http://www.cms.gov/hipaa.

Footnotes

  1. "Health care" includes "care, services or supplies related to the health of an individual." 45 C.F.R. § 160.103.

  2. What legal entity is the covered entity depends on how the school, and its clinic, are legally organized. If the school is part of a larger legal entity, such as a school system, the school system may be the covered entity for purposes of compliance with HIPAA. However, covered entities, such as schools, that perform functions in addition to the provision of health care, may wish to designate their school clinics as health care components, in accordance with 45 C.F.R. § 164.504.

  3. If a school uses an agent to undertake billing or payment functions on its behalf and the agent conducts these (or any other) covered transactions electronically, the school is considered to be conducting the transactions electronically and, thus, to be a covered entity.

  4. Covered entities are defined as health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a transaction for which the Secretary has adopted a standard (a covered transaction). If a school, such as through a school clinic, furnishes, bills, or is paid for health care in the normal course of business, then it is a "health care provider" under 45 C.F.R. § 160.103. If the school conducts any covered transactions electronically in connection with that health care, it is a covered health care provider, and thus a covered entity, for purposes of the HIPAA rules. Decision tools for determining whether an entity is a covered entity may be accessed at www.cms.gov/hipaa/hipaa2.

This information is brought to you as a service from CAPSO.

COPYRIGHT © 2002–2006 CAPSO