The updated DOE and OCR guidance for HIPAA and FERPA sheds light on common privacy applications to student health records, like when it’s appropriate to share PHI during an emergency.
The Department of Education and the Office for Civil Rights released an update to both the Family Educational Rights and Privacy Act (FERPA) and HIPAA, addressing the privacy applications to the records maintained on students.
First issued in 2008, the guidance outlines how the regulations apply to school administrators, healthcare providers, family members, and others when it comes to student health records. Officials said the update sheds light on frequently asked questions about when a student’s health information can be shared without consent of the parent or eligible student, or without written authorization.
“This document updates and expands on prior guidance to help address potential confusion on the part of school administrators, healthcare professionals, and others on how FERPA and HIPAA apply to records maintained on students,” according to the guide.
“It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially those related to emergency health or safety situations,” it added.
The guide outlines when protected health information or personally identifiable information from an education record can be shared with the parent or adult student, as well as the options outlined in HIPAA if parents are concerned about the student’s mental health and the student does not agree to the disclosure of their PHI.
Covered entities can also receive clarification on whether HIPAA allows providers to disclose PHI on a minor with a mental health or substance use disorder condition to the minor’s parent, along with when PHI or PII can be shared about a student who presents a danger to others or themselves.
The guidance also includes clarification on whether an educational organization can disclose PII from a student’s educational record, including health data, to law enforcement officials or the National Instant Criminal Background Check System.
Lastly, the update breaks down where the two regulations intersect. The hope is that the update will shed light on how HIPAA and FERPA apply to the health and educational information of students, as well as when covered entities can disclose their personal information, especially in emergency situations.
“This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” said OCR Director Roger Severino, in a statement.
“Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said Secretary of Education Betsy DeVos, in a statement. “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”
The Department and Health and Human Services has continued to improve upon regulations to reflect current trends. The agency has already sought industry feedback on how to update HIPAA for the digital age, while releasing several clarifications about how HIPAA handles modern concerns, such as the liability of business associates and third-party apps.
Source: HealthIT Security