Advancements in data storage and management have allowed colleges and universities to race to the top of the technological food chain. There are now innovative ways to store, manage, and share student records that allow an institution to change its landscape from paper-based to paperless. This is the case with student health records maintained by a campus health center.

In managing student health records, colleges and universities have sought more efficient ways to collect, store, and share health records without running afoul of federal or state laws. For some, contracting out the management functions to third parties is preferable, while other institutions have developed information management systems that utilize in-house IT resources. Regardless of the method that best fits your institution's needs, the management of health records - by hand or by cloud - requires familiarity with laws that have a direct impact on healthcare providers: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). For those institutions that are covered entities, knowing which applies to what and when is crucial for compliance purposes and the avoidance of institutional liability.

FERPA, a federal law that applies to educational institutions (private and public) that receive funds under any program administered by the Department of Education, protects the privacy of student education records. Education records are broadly defined to include any record that directly relates to a student and is maintained by an educational institution or a party acting on the institution's behalf. This would include immunization records, family history records, billing records, and any other health-related forms maintained by an institution. This would not include records made, maintained, or used by a clinician solely for the treatment of students, which are commonly referred to as "treatment records". FERPA requires that education records (absent an exception) be disclosed only to individuals with a "legitimate educational interest" - meaning anyone who is required as part of their job responsibilities to have access to such records.

HIPAA has many functions, but perhaps chief among them is to protect the privacy and security of individually identifiable protected health information created, used, or maintained by "covered entities". The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups, including health plans, health care clearinghouses, and health care providers that transmit health information electronically.

So which law applies to student health records? Generally, FERPA (and not HIPAA) applies to all student health records maintained by a college or university student health care center. These records are either considered "education records" or covered "treatment records," and not "protected health information". Absent a "legitimate educational interest," or a FERPA exception, student health records cannot be disclosed to faculty, staff, or third parties without the student's prior written consent. It is important to note that any treatment records maintained by the clinic for non-students (i.e. faculty, staff, family members) are not covered by FERPA and are covered by HIPAA.

Regardless of how an institution manages student health records - by cloud or by paper, by third party or internally - colleges and universities would be well served to do the following:

  1. Revisit institutional policies and procedures to identify who has access to student health records, how these records are maintained, whether the appropriate consent forms are used, and when the disclosure of records to outside entities is permitted. Institutional policies and procedures that are inconsistent with FERPA will be scrutinized by the Department of Education and may risk a college or university's federal funding.
  2. Review existing memorandums of understanding and third-party end-user license agreements to ensure that only individuals with a legitimate educational interest have access to health records and are familiar with the requirements of FERPA. Should any university employee or contractor violate FERPA, the college or university will be the responsible party and any remedies will be assessed against it and not the employee or contractor.
  3. Ensure that faculty, staff, and third parties receive appropriate FERPA training. That training should, at a minimum, include the timing and scope of disclosures, and effective ways to remediate an improper disclosure of student records.

For further information visit Waller.
