Comparison of FERPA and HIPAA Privacy Rule for Accessing Student Health Data
Public health agencies view schools and education agencies as important partners in protecting children and adolescents from health threats. Sharing data between schools and public health agencies may, in some instances, be the only realistic and reliable method for getting the information necessary to conduct public health activities, such as tracking immunization rates. Federal privacy protections for student education records have created confusion and difficulties for public health efforts to conduct ongoing and emergency public health activities in schools. This document compares key aspects of the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule related to the use and disclosure of information. The following chart provides only a snapshot of the rights, duties, and limitations imposed by FERPA and HIPAA. Please see the ASTHO Public Health Access to Student Health Data Issue Brief and the text of the federal laws and regulations for more detailed information. (Download a printable PDF.)
Privacy Rights Conferred
- Prevents the disclosure of personally identifiable information (PII) in a student’s education record without the consent of a parent or eligible student (aged 18 or older) unless an exception to the law’s general consent requirement applies.
- Grants parents and eligible students the right to review the student's education records maintained by the school and request correction of records they believe to be inaccurate or misleading.
- Prohibits covered entities from disclosing protected health information (PHI) to any third parties, unless the individual who is the subject of the information (or the individual’s personal representative) authorizes it in writing or the rule otherwise permits the disclosure.
- Disclosure is required to be made to the individual/representative.
Persons or Entities Covered
- All educational institutions (e.g., elementary, high school, college) and agencies that receive any funds for programs administered by the U.S. Department of Education (ED) are covered by FERPA.
- Nonschool entities that do not have students but receive funding from ED.
- All public schools and school districts, most public and private post-secondary institutions (e.g., colleges), and any other programs receiving ED funds.
- Private and religious elementary and secondary schools are not subject to FERPA because they generally do not receive funding from ED.
- “Covered entity,” which is a health plan, healthcare clearinghouse, or any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.
- A school that is not covered by FERPA may be a covered entity if it provides health services for which it transmits health information electronically, such as submitting claims for payment from a health plan.
- “Business associate” is a person or organization not employed by the covered entity that performs certain activities for a covered entity that involve the use or disclosure of individually identifiable health information.
- “Hybrid entity” is an entity that conducts both covered and noncovered activities. State and local health departments and schools can be hybrid entities if they provide healthcare services to patients for which they transmit health information electronically.
- “Personally identifiable information” (PII) which includes name, address, personal identifiers like Social Security number or date of birth, or other information that could be used alone or in combination to identify a student.
- “Education record” is defined as records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting on behalf of the agency or institution.
- A student’s health records, including immunization information and other records maintained by a school nurse, are considered part of the student’s education record and are protected from disclosure under FERPA.
- A school may disclose "directory information” about a student without consent. Directory information includes information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.
- Schools must tell parents and eligible students about directory information and allow them a reasonable amount of time to request that the school not disclose directory information about them.
- “Protected health information” (PHI), which is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media—electronic, paper, or oral.
- PHI includes demographic data; common identifiers (e.g., name, address, birth date, Social Security number); information relating to the individual’s past, present, or future physical or mental health condition, healthcare provided to him or her, or payment for healthcare; and data that identifies the individual or which could be reasonably used to identify the individual.
- Employment records maintained by a covered entity for its own employees are excluded from the definition of PHI.
- Education records covered by FERPA are also specifically excluded from the definition of PHI.
Accessing Data With Consent
- Under FERPA, health agencies can access education records—including student health data maintained by the school or a person acting on its behalf—if the school has received written consent from a parent or eligible student.
- ED notes that such releases are advisable for health agencies wishing to use PII to track absences or immunization rates before an emergency is recognized.
- ED has developed sample consent forms for schools and health agencies to use.
- Under the Privacy Rule, health agencies can obtain PHI from covered entities if the agency receives written consent from the patient or their representative.
Accessing Data Without Consent: Exceptions and Generally Permitted Uses
- FERPA contains a number of exceptions that allow schools to disclose PII from a student’s education record without consent of a parent or an eligible student.
- FERPA exceptions have generally been narrowly construed by ED to err on the side of protecting the student’s privacy and may present challenges for health agencies in accessing student health data.
Under the Privacy Rule, a covered entity is permitted to use and disclose PHI without an individual’s authorization for the following purposes or situations:
- For treatment, payment, and healthcare activities like quality assessment or evaluations.
- Informal opportunities to agree or object such as providing information for hospital directories or notifications to family members.
- Disclosures incident to an otherwise permitted use and disclosure.
- The use or disclosure of limited data sets for the purposes of research, public health, or healthcare operations.
- Public interest and benefit activities. There are a dozen “public purposes” identified in the rule under the public interest and benefit permitted use. These include public health activities and addressing serious threats to health and safety. (See discussion of each below.)
De-Identified and Limited Data
- Schools can provide health agencies with access to student health and other relevant data if the information does not contain PII.
- ED notes that, in instances like the H1N1 influenza pandemic or other outbreaks, a school may share general information about the number of students absent from the school without prior written consent. However, if absentee data to be shared includes PII and no FERPA exception applies, then the school must obtain written consent before sharing the data with health officials.
- De-identified data must not allow the recipients to identify the students through either single or multiple releases of data or by combining the data with other information.
- The Privacy Rule does not restrict the use or disclosure of de-identified health information.
- The rule also allows the release of limited data sets—in which specific identifiers about the patient or household have been removed—for public health, research, and other purposes.
- Users of limited data sets must complete a data use agreement covering the protection of remaining PHI in the data.
- This exception permits health agencies to access limited health data about children and adolescents that are not covered under FERPA.
Public Health Activities
- FERPA does not contain a “public health exception” akin to the one found in HIPAA.
- Because education records covered by FERPA are expressly excluded from the Privacy Rule, public health authorities cannot use HIPAA’s public health exception to access school education records covered under FERPA without consent unless a FERPA exception applies.
The Privacy Rule contains a robust exception which allows public health authorities to receive PHI without prior consent of a patient or his or her representative. Covered entities may disclose PHI to:
- Public health officials authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability.
- Public health or other government officials authorized to receive reports of child abuse and neglect.
- Entities subject to FDA regulation regarding FDA-regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance.
- Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law.
Emergencies and Threats to Health or Safety
- FERPA permits disclosure without written consent in specified emergency situations if the information is necessary to protect the health and safety of the student or other individuals.
- Disclosure of PII in student education records may be made to “appropriate parties,” which include health agencies.
- ED has narrowly construed the emergency exception so that it must be limited to the time period of the emergency; disclosures made for general emergency preparedness activities are not covered under the emergencies exception.
- This exception would not apply where a threat of a possible or eventual emergency exists but the likelihood of its occurrence is unknown.
- Each school or education agency is responsible for making a case-by-case determination that the release of PII is necessary to address an “articulable and significant threat.”
- ED will defer to the judgment of the school or agency in making the determination that there was a “rational basis” regarding the nature of the emergency and the appropriate parties to whom the disclosure was made.
- The Privacy Rule has a specific exception for disclosure of PHI in emergencies in addition to its broad public health exception.
- The rule allows covered entities to disclose PHI that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
- HHS notes that PHI can be released without disclosure to public officials responding to a bioterrorism or other public health threat or emergency.
Data Not Maintained by School
- If a person or entity is employed by or acts on behalf of the school by providing health services (whether at the school or off-site) under contract or otherwise under the “direct control” of a school and maintains student health records, then these records are considered education records under FERPA as if the school was maintaining the records directly.
- However, if a person or entity provides health services directly to students and is not employed by, under contract to, or otherwise acting on behalf of a school, then the resulting health records are not deemed to be part of the education record covered by FERPA, even if the services are provided at the school site.
- If a school’s education records are not covered under FERPA—as is generally the case for private elementary and secondary schools—they may be subject to HIPAA as a covered entity if they transmit health information electronically.
- In this scenario, the school is a covered entity and student health records are PHI under the Privacy Rule. One of the rule’s permitted uses, such as a public health activity, would have to apply before the records are released without consent.
- If the records are not covered under FERPA or HIPAA, state or local privacy laws may still apply.
Affect on State Law
- Any state law or regulation that conflicts with FERPA and its regulations are preempted by the federal law.
- If a school determines that it cannot comply with FERPA because of a conflict with state or local laws, it must notify ED and the agency will review the conflicting law and any interpretations of it made by the state and provide guidance to the requesting entity regarding FERPA’s applicability to the situation.
- In general, a state law or regulation that conflicts with HIPAA and the Privacy Rule is preempted by the federal law.
- The Privacy Rule contains exceptions that allow differing state requirements to control if the state law: (1) relates to privacy of individually identifiable health information and provides greater protections or rights than the Privacy Rule; (2) requires the reporting of disease, injury, child abuse, birth, or death, and for public health surveillance, investigation, or intervention; or (3) requires certain reporting by health plans, such as for management or financial audits or evaluations.
- States can also request a determination that a conflicting state law will not be preempted by HIPAA if the state can demonstrate one of the conditions listed in the rule, including, but not limited to, that the conflicting provision serves a compelling public health, safety, or welfare interest, and, if the conflicting provision relates to a privacy right, that the intrusion into privacy is warranted given the public interest being served.
- FERPA does not include a private cause of action; individual parents or students may not bring a lawsuit to enforce the act’s provisions or to seek redress for violations of the act.
- Persons who believe their rights under FERPA have been violated may file a complaint with the ED’s Family Policy Compliance Office (FPCO), which investigates the complaint.
- FPCO is authorized to, among other things, revoke funding for institutions found in violation of FERPA and its regulations.
- The Privacy Rule does not authorize individuals to sue for violations; individuals must direct their complaints to HHS’s Office for Civil Rights (OCR), which then investigates the complaint.
- In cases of noncompliance, the Secretary is directed to resolve the matter by informal means.
- If the matter cannot be resolved informally, the Secretary may issue written findings of noncompliance that may be used as a basis for initiating a civil action or a criminal case.
- Violators that knowingly and improperly disclose identifiable health information are subject to civil monetary and criminal penalties.
Comparison of FERPA and HIPAA Privacy Rule for Accessing Student Health Data: The Association of State and Territorial Health Officials
Family Educational Rights and Privacy Act, as amended. Codified at 20 U.S.C. §1232g.
Family Educational Rights and Privacy Act Regulations. 34 C.F.R. Part 99.
Health Insurance Portability and Accountability Act of 1996, as amended. Codified at 42 U.S.C. §1320d et seq. and §300gg; and 29 U.S.C. §1181 et seq.
U.S. Dept. of Health and Human Services. Standards for Privacy of Individually Identifiable Health Information. 45 C.F.R. Parts 160, 164.
U.S. Dept. of Education. Final Rulemaking “Family Educational Rights and Privacy.” 76 F.R. 75604. December 2, 2011.
U.S. Dept. of Education. “Family Educational Rights and Privacy Act (FERPA) and the Disclosure of Student Information Related to Emergencies and Disasters.” June 2010. Available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-disaster-guidance.pdf. Accessed May 30, 2013.
U.S. Dept. of Education. “Family Educational Rights and Privacy Act and H1N1.” October 2009. Available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-h1n1.pdf. Accessed May 30, 2013.
U.S. Dept. of Education and U.S. Dept. of Health and Human Services. “Joint Guidance on the Application of the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act of 1996 to Student Health Records.” November 2008. Available at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf. Accessed May 30, 2013.
U.S. Dept. of Health and Human Services, Office for Civil Rights. “HIPAA—Frequently Asked Questions” webpage. Available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html. Accessed May 30, 2013.
U.S. Dept. of Health and Human Services. “Summary of the HIPAA Privacy Rule” website. Available at www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html. Accessed May 30, 2013.
ASTHO. “Accessing School Health Information for Public Health Purposes” Position Statement (2006). Available at www.astho.org/Advocacy/Policy-and-Position-Statements/FERPA-Position-Statement/. Accessed May 30, 2013.
Chaikind H. et al. Congressional Research Service. The Health Insurance Portability and Accountability Act (HIPAA) of 1996: Overview and Guidance on Frequently Asked Questions (RL31634). January 24, 2005. Available at www.law.umaryland.edu/marshall/crsreports/crsdocuments/RL3163401242005.pdf