Introduction
The Family Educational Rights and Privacy Act[2] (FERPA) is obscure for most healthcare professionals, yet more and more healthcare services link to educational institutions. Often schools and districts contract for services related to health and mental health. This contractual link may require that the privacy professional clearly define what information is covered by each regulation so both institutions may be compliant.
This chapter is designed to give a general outline of the most important parts of FERPA. If you have mastered other healthcare privacy law, many pieces of FERPA will look familiar; however, never assume one substitutes for another or compliance with one satisfies both.
If the privacy professional serves an educational institution that delivers healthcare, a passing acquaintance with FERPA is not sufficient to ensure compliance. Additionally, placing artificial legal barriers on the legitimate use of information because of inattention to the specifics does not serve the subject’s nor the institution’s best interest.
This outline will put FERPA in a simple context:
-
To which entities does FERPA apply?
-
What information is covered?
-
What information is excluded?
-
What are the mandates and procedures for meeting them?
To Which Entities Does FERPA Apply?
As stated in the Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (Joint Guidance):
FERPA applies to educational agencies and institutions that receive Federal funds under any program administered by the U.S. Department of Education. 20 U.S.C. §§ 1221(c)(1) and 1232g(a)(3) ; 34 C.F.R. § 99.1(a) . If an educational agency or institution receives Federal funds under one or more of these programs, FERPA applies to the recipient as a whole, including each of its components, such as a department within a university. 34 C.F.R. § 99.1(d) .[3]
Though this definition does not mention healthcare entities, the Joint Guidance offers some clarification of how FERPA applies to them in a section of Frequently Asked Questions:
Does FERPA or HIPAA apply to student health records maintained by a health care provider acting for a FERPA-covered elementary or secondary school that is not employed by the school?
Health records that directly relate to students and are maintained by a health care provider, such as a third party contractor, acting for a FERPA-covered elementary or secondary school, would qualify as education records subject to FERPA regardless of whether the health care provider is employed by the school…. Conversely, student health records that are maintained by a health care provider that provides services directly to students and that is not acting for a FERPA-covered educational agency or institution do not constitute FERPA-protected education records.[4]
While FERPA once tightly restricted the act’s applicability, a 2012 amendment to the regulation broadened access to education records to include “authorized representatives,” defined as “any entity or individual designated by a State or local educational authority or an agency headed by an official listed in [34 C.F.R.] § 99.31(a)(3) who is involved in Federal- or State-supported education programs.”[5] This means that state and local government services and education authorities can share data with other government agencies that are not under their direct control, as long as those other agencies are involved in federal or state-supported education programs.
While this amendment seems to put the applicability of the act into a simple framework, it should be pointed out that “Federal- or State-supported education programs” encompass nearly three hundred Department of Education programs. Careful research should be done to determine if your healthcare entity provides services for an educational program funded by a federal program.
Applicability may hinge on the nature of the funding. Specifically, FERPA:
…considers funds to be made available [if they are]
1)…provided to the agency or institution by grant, cooperative agreement, contract, sub-grant, or subcontract; or
2)…provided to students attending the agency or institution and the funds may be paid to the agency or institution by those students for educational purposes, such as under the Pell Grant Program and the Guaranteed Student Loan Program....[6]
But it’s important to recognize, “Private and religious schools at the elementary and secondary level generally [emphasis added] do not receive funds from the Department of Education and are, therefore, not subject to FERPA”.[7] Please note the emphasis on the word “generally,” because it is important to check for the availability of federal funds to the institution or students and not rely on the private or religious affiliation to make the FERPA applicability decision.
Additionally, you have to account for all records relating to a student, including those that reside at another institution not subject to FERPA:
Where a student is placed in a private school for the provision of Individualized Education Program (IEP) services on behalf of a school or school district subject to FERPA, the education records of the privately placed student maintained by the private school are subject both to FERPA and to the confidentiality requirements under the IDEA [Individuals with Disabilities Education Act], which incorporate the provisions of FERPA.[8]
Conversely, FERPA does not consider the information maintained by a clinic to be part of the education record if the medical clinic for a university is contracted out. Therefore, none of the healthcare records are available to the educational entity that holds the official education record; they are only available to the healthcare professional. The clinic isn’t necessarily considered a division of the university as it is a standalone and does not provide any educational services. While the act applies to the whole institution, care must be taken to not overapply FERPA.
Note: For sharing purposes, a healthcare provider covered by HIPAA would only send the school the minimum necessary data to accomplish the purpose, which is the education record. A school may need to know that the physical therapy sessions were accomplished, but the entire content of the medical information (such as range of motion, specific measurements, or diagnosis) may not be necessary. The purpose of the education record is education, not healthcare treatment (see Caution below). This transfer of information must be negotiated in advance of any disclosure.
Nursing records are specifically considered part of the education record. Nurses do not medically diagnose or treat individuals, and by licensure, they cannot practice medicine. It would be rare that a school nurse’s documentation would be covered by HIPAA regulations. Rare, but not impossible.
In short, applicability is based on the institution receiving federal funds directly or through a subcontract, or on a student receiving federal funds that are used for payment of educational services.