Private Schools and the Intersection of HIPAA and FERPA

My wife works as an Administrative Assistant at a local private school. As you might expect, they take very seriously their responsibility to help stop the spread of COVID-19 in the community. As part of their efforts, they require students who were in direct contact with persons diagnosed with COVID-19 to quarantine at home, away from the other students.

The school does a good job of communicating with parents. They send out regular email with statistics on the number of students or faculty diagnosed with COVID-19 and the numbers currently quarantining. Of course, they don’t disclose any names or other identifying information because of privacy concerns.

As a school, are they legally not allowed to disclose that kind of information, or are they refraining because of a more general concept of privacy?

That question is not so easy to answer because it depends on the interplay of two federal statutes — HIPAA and FERPA. Most people know that HIPAA covers the privacy of medical records. The Family Educational Rights and Privacy Act (FERPA), on the other hand, protects the privacy of student educational records. One or the other, or neither, apply to schools.

As a general rule, HIPAA does not apply to schools. HIPAA applies to health care providers who exchange electronic information, health plans, and health information clearinghouse. Even if the school has a nurse on-site, it is usually not considered a health care provider. There are certain exceptions, but they are not common. For instance, a school that provides health care to students in the normal course of business, such as through its health clinic, is also a “health care provider” under HIPAA. However, many schools that meet the definition of a HIPAA covered entity do not have to comply with the requirements of the HIPAA Rules because the school’s only health records are considered “education records” or “treatment records” under FERPA.

FERPA is a Federal law that protects the privacy of students’ “education records.” FERPA affords parents certain rights regarding their children’s education records maintained by educational agencies and institutions and their agents to which FERPA applies. These include the right to access their children’s education records, the right to seek to have these records amended, and the right to provide consent for the disclosure of personally identifiable information (PII) from these records, unless an exception to consent applies.

FERPA applies to educational agencies and institutions that receive Federal funds under any program administered by the U.S. Department of Education. An educational agency or institution subject to FERPA may not disclose the education records, or PII from education records, of a student without the prior written consent of a parent or the student, unless an exception applies.

Private and religious schools at the elementary and secondary levels generally do not receive funds from the U.S. Department of Education and are, therefore, not subject to FERPA. Neither will HIPAA apply unless one of the uncommon exceptions exists. Of course, private schools should still be mindful of the privacy of their students and just because HIPAA or FERPA does not apply does not mean the school should make those disclosures. However, private schools do have more flexibility in handling these situations than do most public institutions.

Source: Joint Guidance on the Application of FERPA and HIPAA to Student Health Records