As a school-based physical therapist or occupational therapist, you are responsible for protecting students’ privacy and confidentiality when it comes to their education records and health information. Two federal laws that need to be looked into are FERPA and HIPAA.
FERPA or HIPAA as a School-Based Therapist
As a school-based therapist, it can feel like you are at an intersection when it comes to these laws. If you search different Facebook groups you’ll often see people with varying opinions on this. As technology and cloud-based options continue to grow and evolve this question comes up more and more. In this blog post, we are going to take a deeper dive.
Before we go any further, I am not a lawyer and giving official legal advice in this blog post. You will need to check with your higher ups or a law professional to get official legal advice.
Let’s start with discussing the two laws.
Under FERPA, students and their parents have the right to access and review the student’s education records, and the right to request that any inaccurate or misleading information be corrected. Schools must obtain written consent from the student or parent before disclosing any personally identifiable information from the student’s education records, except in certain limited circumstances.
FERPA also requires schools to maintain the confidentiality of student education records, and to have policies and procedures in place to ensure that only authorized individuals have access to those records. Schools may disclose education records without consent in certain limited circumstances, such as to other school officials with legitimate educational interests or to comply with a court order or subpoena.
Overall, FERPA is an important law that helps to protect the privacy and confidentiality of student education records, while still allowing for important educational and administrative functions to take place.
As a school-based therapist, you are required to adhere to FERPA.
HIPAA stands for the Health Insurance Portability and Accountability Act, which is a federal law in the United States that was enacted in 1996. HIPAA is designed to protect the privacy and security of individuals’ health information, while also ensuring that individuals have access to their own health information and that healthcare providers can share information as necessary to provide quality care.
HIPAA establishes national standards for the protection of individually identifiable health information, also known as protected health information (PHI). Under HIPAA, covered entities are required to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. Covered entities must also give individuals certain rights with respect to their PHI, including the right to access and receive a copy of their own PHI, the right to request that their PHI be amended, and the right to receive an accounting of disclosures of their PHI.
HIPAA also established the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened HIPAA’s privacy and security protections and expanded its reach to include business associates (entities that perform certain functions or services on behalf of covered entities and have access to PHI). HITECH also established breach notification requirements, which require covered entities to notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, in the event of a breach of unsecured PHI.
Overall, HIPAA is an important law that helps to protect the privacy and security of individuals’ health information and ensures that individuals have important rights with respect to their own health information.
But wait, as a school-based therapist, I may have health records and may be billing for services, so does HIPAA apply too?
FERPA and HIPAA Intersection in School-Based Therapy
It may seem straight out of the box that HIPAA would apply, especially if billing Medicaid, but their is language in the laws that help answer this question.
The U.S. Department of Health and Human Services administers and enforces HIPAA and establishes rules intended to clarify and implement the law. They have a FAQ section for professionals to help answer some of these questions.
This question comes straight from the FAQ section on the Health and Human Services website.
Does the HIPAA rule apply to elementary and secondary schools?
“Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule. “
Essentially, as long as your information is part of a student’s educational record you are required to follow FERPA.
But now what if you bill Medicaid? Would that be considered HIPAA?
You would think this would be the case, but as it turns out there are exceptions. According the the Health and Human Services website.
“The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student. “
According to this, even when billing Medicaid, it still falls under complying with FERPA.
Chances are your district has sorted this out for you, but it’s always important to check with your district technology person, boss or even district attorney before plopping any information into the cloud. Double check with your district on what programs are appropriate with security levels acceptable to meet the laws. Given many cloud based programs are used in schools, chances are they’ve already looked into these considerations.
Contracted providers also should look closely at their contract with the school or school district to determine if it dictates any standards not included by federal law.
When servicing a private school, rules may be different as federally funded schools fall under FERPA. If you are servicing in a private school, you will need to investigate this further. The FERPA and HIPAA joint guidance from the Department of Education in helpful in answering questions like this.
FERPA and HIPAA Resources
The following linked resources can help with answering these questions.