Whether in private or public schools, nurses all over the United States are responsible for the personal data of millions of pre-K to high school students. The Network for Public Health Law released a document in June of 2019 explaining how and when school nurses can share private data as outlined in the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
Depending on how a school receives federal funding, it may be subject to FERPA instead of HIPAA, or vice versa. For example, a private school is exempt from FERPA if the individual students receive federally funded services instead of the school itself. However, in public schools, nurses are almost always subject to FERPA. Here's how the laws work.
Explaining FERPA and HIPAA
What is FERPA? FERPA is a federal law that was enacted in 1974 to protect the privacy of students’ education records. It applies to educational entities that receive funding under any program administered by the U.S. Department of Education, which includes public elementary and secondary schools and school districts. Most private and religious schools at the elementary and secondary levels do not receive federal funding, and therefore are not subject to FERPA.
FERPA gives parents the right to inspect, review and request amendments to educational records and ensures the privacy of personally identifiable information (PII), but the law does provide some exceptions that allow school personnel to share certain PII without parental consent. For example, school nurses may share PII with appropriate officials in health and safety emergencies and with other school officials that have a “legitimate educational interest” in the information.
FERPA prohibits schools from disclosing PII from students’ education records without the consent of a parent or guardian (or a student who has reached age 18 or attends a post-secondary institution). Each year, schools must provide notice of students’ privacy rights and of how the school or school district defines the terms "school official" and "legitimate educational interest" for purposes of PII disclosure.
What is HIPAA? HIPAA, along with its associated regulations known as the “Privacy Rule,” comprises a federal law that establishes privacy requirements for oral, written, and electronic individually identifiable protected health information (PHI). HIPAA regulates the sharing of personally identifiable health information by certain “covered entities,” such as health care providers that are generating and receiving standard electronic transactions in the course of caring for a patient. Schools may be covered entities if they employ a health care provider that delivers health services and engages in covered transactions, such as billing Medicaid for Medicaid-covered services that are delivered in the school setting.
Nonetheless, because the health information is maintained by the school—or by an entity acting on behalf of the school—it is considered part of the educational record. So, even if the school would be considered a covered entity under HIPAA, it would have to comply with FERPA’s privacy requirements. If a school accepts no funding under any program of the U.S. Department of Education (e.g., a private or religious school) and qualifies as a covered entity under HIPAA (e.g., bills Medicaid for eligible health services), HIPAA standards would apply.
Where FERPA and HIPAA May Intersect
While school nurses are almost always subject to FERPA, their external health care collaborators (a student’s pediatrician or psychologist) must comply with HIPAA. For this reason, it is important that all providers involved in the care coordination of a child have a working understanding of both laws in order to facilitate communication and sharing of health information.
The most important point to remember about the interplay of HIPAA and FERPA in the school setting is that health care providers may share health information with a school nurse under HIPAA for “treatment purposes” without parent authorization (the so-called “provider-to-provider” exception under HIPAA).
A pediatrician may discuss the student’s treatment record with the student’s school nurse, and the school nurse may contact the physician to clarify the physician’s recommendations. But once that information is entered into the student’s school record, FERPA applies in determining permissible disclosures. FERPA does not contain a provider-to-provider exception, which limits the PII that school nurses can share with other providers. A consent form signed by the parent or guardian that allows schools to share health information with other health care providers would facilitate communication, continuity of care, and management of students’ health conditions while they are at school.
How ACT.md Facilitates Safe, Secure Data Exchange
When a community’s healthcare, education, social services, and governmental stakeholders come together to share data, processes, and technology, this is cross-sector data exchange in action. Also called "community information exchange", this collaborative approach to health and social care dramatically improves your community’s ability to address intersectional health and social needs, especially for vulnerable populations.
Many of ACT.md's customers have implemented our CareHub™ platform in conjunction with local educational partners. The use cases vary by community, but have included projects such as:
- Shared plans of care for children with medical complexity
- Nurse-led care coordination in partnership with social workers in the community
- Telehealth for collaborative care between FQHCs, hospitals, and other settings
Connecting information systems and sharing data across the care continuum requires your community to go beyond what is comfortable and familiar. ACT.md helps you get it done. Reach out to our team to learn more about how we could support your work.