ISACA Now Blog


Does the HIPAA Privacy Rule Apply to Elementary and Secondary Schools?

Pamela Burks CISA, PCIP, Cyber Security Advisor, U.S.
Posted at 2:59 PM by ISACA News | Category: Audit-Assurance

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to protect individuals’ health records and other individually identifiable health information. This protection is achieved by implementing appropriate privacy safeguards and by setting limits and conditions on the uses and disclosures of that information that may be made without patient authorization.

An organization’s obligation to meet these requirements arises when it is a covered entity, and covered-entity status in turn depends on whether the organization engages in covered transactions. As defined by the U.S. Department of Health and Human Services, covered transactions are those involving the electronic transmission of health information in connection with certain administrative and financial transactions (45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R). An organization is a covered entity if it is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with a covered transaction (45 CFR § 160.103).

Given the criteria for covered entities and covered transactions, are elementary and secondary schools subject to HIPAA? Consider covered-entity status first. Even though a school may employ nurses, physicians, psychologists or other healthcare providers, the school is generally not a HIPAA-covered entity, because those providers do not engage in any covered transactions, such as billing a health plan electronically for their services. Now consider covered transactions. There may be instances where the practitioners listed above (school nurses, physicians, psychologists or other health providers) do conduct one or more covered transactions, such as electronically transmitting healthcare claims to a health plan for payment. If so, the school becomes a HIPAA-covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to those transactions.

Even in these cases, however, many schools would still not be required to comply with the HIPAA Privacy Rule, because of an exception tied to the Family Educational Rights and Privacy Act (FERPA). FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, as well as most private and public postsecondary institutions, including medical and other professional schools. Under FERPA, the student health records that such a school maintains are classified as “education records,” and the HIPAA definition of protected health information (45 CFR § 160.103) expressly excludes individually identifiable health information held in education records covered by FERPA. As a result, the student health information of a public elementary or secondary school falls outside the HIPAA Privacy Rule because those records are already protected under FERPA.

For private and religious schools at the elementary and secondary level that generally do not receive funds from the Department of Education, the FERPA exclusion from HIPAA does not apply. It is worth noting that a private school is not made subject to FERPA merely because its students and teachers receive services from a local school district or state educational agency that receives Department of Education funds. The school itself must receive funds from a program administered by the Department of Education to be subject to FERPA. For example, if a school district places a student with a disability in a private school that is acting on behalf of the school district in providing services to that student, the records of that student are subject to FERPA; the records of the other students in the private school are not covered under FERPA.

So, in most cases, elementary and secondary schools are neither covered entities nor do they engage in covered transactions that would require them to comply with HIPAA. However, the type of school (public or private) and whether it receives funds from a program administered by the Department of Education are both considerations in making a final determination of an obligation to comply with HIPAA.

Editor’s note: For additional resources on this topic, download ISACA’s HIPAA Audit/Assurance Program.


HIPAA for Schools

Thanks to Pamela for the valuable insight! Curious to know if there are instances where a private school is a covered entity and has BAAs signed with third parties.

iatluri at 1/3/2018 4:20 PM