As health care providers and professionals, you know that today’s regulatory environment involves multiple and sometimes overlapping frameworks that regulate and protect patient health information. Our recent Legal Alert clarifies matters at the intersection of two such frameworks: student records and medical records.

Last month, the U.S. Department of Education and U.S. Department of Health and Human Services issued joint guidance to affirm that most health information relating to students at public elementary and secondary schools is protected and governed by the Family Educational Rights and Privacy Act (FERPA), not the Health Insurance Portability and Accountability Act (HIPAA). The reasoning behind this guidance is that student-related health information maintained by schools generally falls within the category of “Education Records” under FERPA and falls outside the definition of “protected health information” under HIPAA.

In case of emergency

When it comes to disclosing personally identifiable information (PII) from education records to the student’s outside healthcare providers, school district and BOCES employees may disclose this information without prior written consent in the case of a health or safety emergency. FERPA also allows school employees to verify with healthcare providers information that is contained in a record created by the provider, provided that no PII is shared without prior written consent. The HIPAA Privacy Rule also permits covered entities to share protected health information with parents and others in a position to prevent or mitigate a serious and imminent threat to health and safety (of the individual, another person, or the public). For example, if a parent tells a child’s therapist that he or she is worried because the child threatened to kill a teacher and has access to a weapon, HIPAA permits the therapist to contact school officials in the interest of safety. For more information, see our MuniBlog post on FERPA, HIPAA and student health records.

This joint guidance sheds light on the confusion that that multiple, overlapping regulations can trigger for health care professionals. Our cybersecurity protection and response team has resources that can help guide you.