OCHIN Position Paper. April 2012. Student Treatment Records under HIPAA vs. FERPA


TABLE OF CONTENTS

Purpose
Definitions
School-Based Health Centers and HIPAA
Third-Party Healthcare Providers
Postsecondary School Based Health Centers
Conclusion
References

We are consulting, hosted services and solutions, research, analytics, advocacy, and so much more. We are OCHIN, and we are very pleased to meet you.

1881 SW Naito Parkway, Portland, OR 97201
503.943.2500 (telephone)
503.943.2501 (fax)
www.ochin.org

Purpose

The purpose of this document is to explain OCHIN, Inc.'s position about the relationship between the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and how these two laws apply to student health records maintained by schools.

Definitions

FERPA

FERPA is a federal law that protects the privacy of students' education records. (See 20 U.S.C. 1232g; 34 CFR Part 99.) FERPA regulations apply to all schools that receive funds from the US Department of Education. An educational agency or institution subject to FERPA may not have a policy or practice of disclosing the education records of students, or personally identifiable information from education records, without the written consent of a parent or eligible student (a student age 18 or older or who attends a postsecondary institution at any age). Under FERPA, parents and eligible students have the right to inspect and review the student's education records and to seek to have them amended in certain circumstances.

Generally, under FERPA, schools must have written permission from the parent or the eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions: school officials with legitimate educational interest; other schools to which a student is transferring; specified officials for audit or evaluation purposes; appropriate parties in connection with financial aid to a student; organizations conducting certain studies for, or on behalf of, the schools; accrediting organizations; to comply with a judicial order or lawfully issued subpoena; appropriate officials in cases of health and safety emergencies; and State and local authorities within a juvenile justice system, pursuant to specific state law. See 34 CFR 99.31.

Education Records

The term "education records" is broadly defined to mean records that are (1) directly related to a student, and (2) maintained by an educational agency or institution or by a part of the organization that is acting for the agency or institution. At the elementary or secondary level, a student's health records, including immunization records, maintained by an educational agency or institution subject to FERPA, as well as records maintained by a school nurse, are education records subject to FERPA. Records that schools maintain on special education students, including records on services provided to students under the Individuals with Disabilities Education Act (IDEA), are also education records under FERPA.

Treatment Records

At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of education records if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. These records are commonly referred to as treatment records. An eligible student's treatment records may be disclosed for purposes other than the student's treatment provided the records are disclosed under one of the exceptions to written consent or with the student's written consent. If a school discloses a student's treatment records for any purpose allowable under FERPA, the records will then be included in the definition of education records instead of treatment records, and the records will be subject to all other FERPA requirements.

HIPAA

Congress enacted HIPAA in 1996 to improve the efficiency and effectiveness of the healthcare system through the establishment of national standards and requirements for electronic healthcare transactions and to protect the privacy and security of individually identifiable health information. Collectively, these are known as HIPAA's Administrative Simplification provisions, which include provisions regarding transactions, code sets and identifier rules (referred to as HIPAA Transaction regulations) and also include provisions regarding privacy of electronically transmitted health information (referred to as HIPAA Privacy regulations).

HIPAA Privacy regulations provide regulatory protection for a patient's protected health information (PHI). Patients or their legal representative must give authorization for the release of the patient's information, with certain exceptions. Additionally, HIPAA Privacy regulations give patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The HIPAA Security Rule is a subset of the HIPAA Privacy regulations.

HIPAA Transaction regulations prescribe requirements for certain billing and payment transactions, and requirements regarding the diagnosis and procedure codes that must be used in those electronic billing transactions.

Covered Entity

Entities subject to the HIPAA rules, known as covered entities, are health plans, health care clearinghouses, and health care providers that transmit protected health information in electronic form in connection with covered transactions. Covered transactions are those transactions for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan.

Protected Health Information (PHI)

Under the HIPAA Privacy Regulations, PHI means individually identifiable health information pertaining to an individual's medical history, diagnosis, treatment, or payment for treatment

(1) That is:
    (i) Transmitted by electronic media;
    (ii) Maintained in electronic media; or
    (iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
    (i) Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g;
    (ii) Treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as employer.

HIPAA Transactions

HIPAA Transactions are electronic transactions that use specified standards adopted by the Secretary of the U.S. Department of Health and Human Services in the HIPAA Transaction regulations. These transactions relate to health care claims, health care payment, coordination of benefits, health care claim status, and eligibility and enrollment in a health plan including Medicaid or Medicare health plans. Covered entities are required to comply with applicable requirements in the HIPAA Transaction regulations.

School-Based Health Centers and HIPAA

Some schools, school districts, universities and colleges, generally referred to collectively as School Based Health Centers (SBHC), employ nurses, physicians, psychologists, or other healthcare providers who serve their students. Thus, the SBHC is a healthcare provider as defined by HIPAA. However, the SBHC is only considered a covered entity under HIPAA if it conducts any covered transactions electronically in connection with the health care it provides, such as billing insurance electronically. If the SBHC is a covered entity, then it must comply with the HIPAA Transactions regulations with respect to those covered transactions. These SBHCs generally will not be required to comply with the HIPAA Privacy regulations because the records they maintain are education records or treatment records under FERPA, which are excluded from the HIPAA Privacy regulations. In that case, FERPA privacy requirements apply to their records.

School based health centers that do not conduct covered transactions, such as billing insurance electronically, do not have to comply with any of the HIPAA regulations. However, the FERPA privacy requirements do apply to their records.

Third-Party Healthcare Providers

In some cases, students receive healthcare at a SBHC, or elsewhere, from a healthcare provider that is not employed by, or contracted with, the school. In these circumstances, these records are not education records subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be education records under FERPA. In such situations, a school that wishes to disclose to this third-party provider any personally identifiable information from education records would have to comply with FERPA and obtain parental or eligible student consent. However, if a nurse is hired as a school official or contractor, then the records maintained by the nurse or clinic are education records subject to FERPA.

Postsecondary School Based Health Centers

To determine the applicability of HIPAA and FERPA to postsecondary institutions, it is important to examine the context in which the institution is providing care. The applicability of HIPAA and FERPA depends on whether the care is provided to students at a health clinic run by the institution or at a clinic that is merely affiliated with the institution.

Institution-run Health Clinic: FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will either be education records or treatment records under FERPA. While the health records of students at postsecondary institutions may be subject to FERPA, if the institution is a HIPAA covered entity and provides healthcare to non-students, the individually identifiable health information of the clinic's non-student patients is subject to the HIPAA Privacy regulations. Thus, when a postsecondary institution operates clinics open to staff, or the public, the clinic is required to comply with FERPA with respect to the health records of its student patients, and with the HIPAA Privacy regulations with respect to the health records of its non-student patients.

Institution-affiliated Health Clinic: FERPA does not apply to a hospital that is affiliated with a postsecondary institution when the health center does not provide health care services to students on behalf of the institution. When the health center provides such services without regard to the patient's status as a student, the student's records are not subject to FERPA. Assuming the health center is a HIPAA covered entity, the records it maintains will be subject to all of the HIPAA regulations.

Conclusion

School based health centers are healthcare providers as defined by HIPAA; however, the SBHC is only considered a covered entity under HIPAA if it conducts electronic billing and payment transactions. Where a SBHC is sending electronic billing and payment transactions, the SBHC will need to comply with HIPAA Transaction and Code Set regulations. However, the SBHC will not be required to comply with the HIPAA Privacy regulations, as follows:

If a student receives health care at one of these SBHCs, those records are considered to be education records or treatment records under the FERPA regulations, not protected health information under HIPAA, because education records and treatment records are specifically excluded from the HIPAA Privacy regulations.

However, if an SBHC conducts electronic billing and payment transactions for services provided to a student, including billing electronically for services provided to students, the health center must send the electronic transactions in a format that complies with HIPAA Transaction and Code Set regulations.

Note: Please see the FERPA Versus HIPAA School Based Health Center Records Compliance Decision Tree.

References

Interplay between FERPA and HIPAA and the impact of HIPAA on FERPA-covered schools that electronically bill Medicaid for school based services, DHFS HIPAA Communication Number 10, July 29, 2003.

HIPAA Regulations 45 CFR 160, 162, and 164.

FERPA Regulations 34 CFR 99.

Joint Guidance on the Application of the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to Student Health Records, US Department of Health and Human Services, and US Department of Education, 2008.

U.S. Department of Health & Human Services, Health Information Privacy, Frequently Asked Questions, FERPA and HIPAA, created November 25, 2008, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/index.html.

Medicaid Reimbursement of School-Based Health Care at the State-Operated Schools and HIPAA Memorandum, November 12, 2002, Oregon Department of Justice.

Ohio Department of Education Medicaid Schools Program Fact Sheet HIPAA vs. FERPA, July 15, 2009.

Understanding the Privacy Rights of HIPAA & FERPA in Schools, Published on The National Law Review, 2012.

Wisconsin DHFS HIPAA Communication 10, July 29, 2003.

Wisconsin Rule 453.11, May 28, 2003.