HIPAA and Leader Web Applications
Leader Services is committed to meeting the requirements of both HIPAA and FERPA, as they apply to the services we offer to clients. The following information is for informational purposes only:
Concerning HIPAA privacy requirements, it appears, based on current information available from the US Department of Education's Family Policy Compliance Office and a section concerning FERPA contained in the HIPAA Final Privacy Rules and Preamble, that public schools receiving federal funding are exempt from the HIPAA Privacy requirements. Concerning educational records, FERPA supersedes HIPAA, as FERPA already provides adequate privacy protections. The exemption from HIPAA Privacy requirements also includes records such as medical records, which are not included in the FERPA definition of education records.
Regarding HIPAA security requirements, Leader's web-based applications encrypt data as it is transmitted between the client (your Web browser) and Leader's Web server using Secure Sockets Layer technology. This is the same type of data encryption used all over the Web for securing sensitive transactions, such as credit card numbers. Additionally, Leader uses secure coding practices during application development. Leader's facility enforces physical security, including controls on data access as well as controlled access to servers and physical records.
Because health-related claims for your school are submitted electronically to the state's Medicaid agency, your school is considered a HIPAA covered entity for EDI transactions. Leader Services is also a HIPAA covered entity in that it acts as a clearinghouse for billing purposes and submits HIPAA-compliant EDI claims on your behalf.
Because of the apparent HIPAA privacy exemption discussed previously, most of Leader's clients deemed a business associate agreement with Leader Services unnecessary. A few clients submitted an agreement to Leader. Should your school desire such an agreement, the agreement would originate from your school, as the Medicaid provider. We suggest you discuss the issue with the school's legal representative.
We included the following explanatory text that may address your concerns, with references to the relevant laws. If you have any further questions, please consult with your district's legal counsel or contact your Leader Services Account Manager.
FROM THE US DEPARTMENT OF EDUCATION FAMILY POLICY COMPLIANCE OFFICE:
This Office has not published any guidance on the applicability of FERPA to HIPAA. However, we worked closely with the Department of Health and Human Services (HHS) on this issue during the rulemaking process. Because FERPA affords students adequate privacy protections, the Government agreed that records that are protected by FERPA should not be subject to HIPAA.
The HIPAA final rule (45 CFR Parts 160 & 164; Standards for Privacy of Individually Identifiable Health Information; Federal Register, Thursday, December 28, 2000) explains that records that are subject to FERPA are not subject to HIPAA. Additionally, medical records that are excepted from FERPA's definition of "education records" under section 99.3 "education records" provision are also exempted from coverage by HIPAA. See page 82483 of the December 28, 2000, Federal Register document on the HIPAA final rule.
FROM THE HIPAA FINAL PRIVACY RULE PREAMBLE:
The Family Educational Rights and Privacy Act.
FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions. We have excluded education records covered by FERPA, including those education records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act Amendments of 1997, from the definition of protected health information. For example, individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school that receives federal funds and that is subject to FERPA is an education record, but not protected health information. Therefore, the privacy regulation does not apply. We followed this course because Congress specifically addressed how information in education records should be protected in FERPA.
We have also excluded certain records, those described at 20 U.S.C. 1232g(a)(4)(B)(iv), from the definition of protected health information because FERPA also provided a specific structure for the maintenance of these records. These are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student. Because FERPA excludes these records from its protections only to the extent they are not available to anyone other than persons providing treatment to students, any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.
These exclusions are not applicable to all schools, however. If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA. Therefore, its records that contain individually identifiable health information are not education records. These records may be protected health information. The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.
While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.
With regard to the records described at 20 U.S.C. 1232g(a)(4)(B)(iv), we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA's requirements and be relieved from its obligations under the privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student.