Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions?
FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. See the exceptions at paragraphs (2)(i) and (2)(ii) to the definition of “protected health information” at 45 CFR § 160.103.
The term “education records” is broadly defined under FERPA to mean those records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3, “Education records.”
“Treatment records” under FERPA, as they are commonly called, are: records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
See 20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3, “Education records.” For example, treatment records would include health or medical records that a university psychologist maintains only in connection with the provision of treatment to an eligible student, and health or medical records that the campus health center or clinic maintains only in connection with the provision of treatment to an eligible student. (Treatment records also would include health or medical records on an eligible student in high school if the records otherwise meet the above definition.)
“Treatment records” are excluded from the definition of “education records” under FERPA. However, it is important to note that a school may disclose an eligible student’s treatment records for purposes other than the student’s treatment, provided that the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the treatment records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements, including the right of the eligible student to inspect and review the records.
While the health records of students at postsecondary institutions may be subject to FERPA, if the institution is a HIPAA covered entity and provides health care to nonstudents, the individually identifiable health information of the clinic’s nonstudent patients is subject to the HIPAA Privacy Rule. Thus, for example, postsecondary institutions that are subject to both HIPAA and FERPA and that operate clinics open to staff, or the public, or both (including family members of students) are required to comply with FERPA with respect to the health records of their student patients, and with the HIPAA Privacy Rule with respect to the health records of their nonstudent patients.