The university Compliance Program team continues to work to support the university compliance efforts while working remotely. This month, the team has prepared an overview of privacy requirements for student records and patient records to help you and your team understand the differences and stay in compliance.

HIPAA and FERPA: What do these terms mean and how do they apply to the records we maintain at the university?

HIPAA stands for the Health Insurance Portability and Accountability Act. This federal law covers many subjects but most people are familiar with the privacy rights and protections it provides to certain medical records. FERPA stands for the Family Education Rights and Privacy Act and is another federal law regarding privacy of education records.

What do they have in common?

Both federal laws concern the privacy and protection of information. HIPAA sets standards for the use and disclosure of patient records and gives patients the right to view and correct their records. 

Similarly, FERPA outlines the circumstances in which an educational institution may share student education records and how and when a student (or their parent) may have access to that information. While the subject matter is the same, the specifics regarding who can access the records and the circumstances in which you can share them differ.

Both laws contain specific exceptions allowing for disclosure of information in the case of a threat to the health and safety of the patient/student or others.

Student health records: Does HIPAA or FERPA apply?

Given that HIPAA concerns the privacy of health information, many people logically assume students’ health records maintained by a campus health clinic or a school’s athletics department would be covered by HIPAA. However, HIPAA has some specific exceptions for health information, one of which is covered by FERPA. FERPA covers student educational records, which include health records that directly relate to a student and are maintained by a qualifying educational institution.

Does this mean student health records are not protected records?

Student health records are still private and must be maintained securely with restricted access. When it comes to determining when and with whom student medical information can be shared, we must follow the university’s FERPA policies and procedures. 

In some cases, FERPA is more restrictive than HIPAA rules. For example, for treatment purposes, HIPAA allows medical information to be freely shared between medical providers without patient permission or notice. Under FERPA, information maintained in a student record can only be shared with a treatment provider with student consent or if the disclosure meets one of the FERPA exceptions to consent.

To learn more about these two laws and how they apply to student health records the guidance, visit StudentPrivacy.edu. For questions regarding privacy of Pacific records, contact Lindsey Green, university privacy officer (lgreen@pacific.edu).