Just when we thought we started to understand FERPA, institutions of higher education face new regulatory challenges posed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Secretary of Health and Human Services (HHS) has published rules that require health care providers, health plans, and other entities that handle individual medical records to safeguard the privacy of those records. Institutions of higher learning that: (a) have insured health plans and receive protected health information about their employees, (b) have self-insured health plans for their employees, or (c) act as health care providers need to know more about HIPAA.
What is HIPAA?
HIPAA protects an individual’s identifiable health information and sets standards regarding electronic transmission of health information. Congress enacted HIPAA to limit the ability of health care entities to share an individual’s protected health information without the individual’s permission and to standardize transmission of health information. HIPAA is composed of three parts:
- Privacy rules
- Transaction rules
- Security rules
HIPAA requires a “covered entity” to be compliant with all three parts of HIPAA. Covered entities include (a) health plans, such as group health plans and insurers that pay the cost of medical care, (b) health care providers, such as hospitals, clinics, physicians, and laboratories, if they transmit health information electronically in connection with a standard transaction, and (c) health care clearinghouses. The dates for compliance with two of the parts are quickly approaching: October 16, 2002 for the transaction rules (unless the covered entity seeks a one-year extension within the next six months) and April 14, 2003 for the privacy rules¹. HHS has not yet published the security rules in final form and therefore has not established a compliance date.
What are the privacy rules?
The privacy rules set forth conditions under which a covered entity may or may not share protected health information. To accomplish this task, the privacy rules require covered entities to adopt comprehensive privacy compliance programs. Among other requirements, covered entities must establish written privacy policies and procedures, create and distribute a notice of privacy practices, designate a privacy officer, provide privacy training for workforce members, sanction those who violate privacy policies, and implement administrative and technical safeguards. The privacy rules also require covered entities to enter into business associate relationships with entities that perform activities on their behalf that involve protected health information.
What are the transaction rules?
The transaction rules create standards for electronic transmission of eight transactions commonly used in the health care industry. For example, the transaction rules require that providers filing claims electronically must use HIPAA’s data content and format requirements. If a provider does not conduct any of the eight types of electronic transactions, the provider need not comply with HIPAA. However, the vast majority of providers transmit transactions electronically and cannot escape HIPAA compliance.
What are the security rules?
The security rules dictate standards for securing the transmission of protected health information, such as through encryption of web sites. To date, the Secretary of Health and Human Services has not published these rules in final form.
How does HIPAA affect institutions of higher education?
Institutions of higher education often are integrated entities composed of a university, hospitals, clinics and academic medical centers. HIPAA treats these integrated entities as “hybrid” entities. This means that certain of the component parts—such as the hospitals, clinics, and medical centers—are providers subject to HIPAA as covered entities. The covered components must shield protected health information from sister components that are not covered entities, such as undergraduate education departments. Under HIPAA, there are limited circumstances in which even the covered entity components may share protected health information with one another.
Institutions of higher education that sponsor health plans for their employees, whether self-funded or insured, must comply with HIPAA. HIPAA prohibits health plans from sharing protected health information with an employer except in very limited circumstances, as when an employee provides an authorization for the health plan to release the employee's protected health information. An employer that administers its own health plan or receives protected health information must amend its plan documents and notice of privacy practices to alert employee-enrollees that their employer may receive protected health information.
Where do HIPAA and FERPA intersect?
In general, HIPAA and FERPA do not intersect. While HIPAA safeguards “protected health information,” the Family Educational Rights and Privacy Act (FERPA) protects “education records.” In developing the HIPAA regulations, the U.S. Department of Health and Human Services specifically exempted FERPA’s education records from its definition of “protected health information.”
FERPA defines education records as those records that contain information directly related to a student and that are maintained by an education agency, institution, or a person acting for the agency or institution. FERPA education records do not include records of students who are 18 years or older, or who are attending post-secondary educational institutions, that are:
- made or maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity,
- made, maintained, or used only in connection with the provision of treatment to the student, and
- not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student.
Any use or disclosure of the above medical records for other purposes, including providing access to the individual student who is the subject of the information, turns the record into an education record protected by FERPA. HIPAA also excludes these medical records from its definition of “protected health information” “because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations.” Accordingly, HIPAA excludes from its definition of “protected health information” the student medical records an educational institution obtains, whether or not they qualify as education records.
Again, while HIPAA and FERPA generally do not intersect, both will come into play in common situations faced by educational institutions. For example, students with disabilities requesting accommodations are often asked to produce a physician’s certification of disability before the institution makes the requested accommodation. The information disclosed by the non-institution-affiliated physician ceases to be protected health information under HIPAA once the information is shared, at the student’s request, with the institution. However, now that the student has made the medical information available to the institution, it falls under the protections of FERPA and may not be further released without the student’s permission.
What are the costs of non-compliance with HIPAA?
Congress delegated enforcement of HIPAA to HHS’ Office of Civil Rights (“OCR”). HIPAA gives OCR power to impose civil monetary penalties of $100 per knowing compliance failure, up to a maximum annual fine of $25,000 for multiple violations of the same standard or requirement. Knowingly obtaining or disclosing protected health information in violation of HIPAA is a crime with minimum penalties of $50,000 and one year in prison. If the infraction involves false pretenses, the penalties increase to $100,000 and five years in prison; if it involves commercial or personal gain or malicious harm, the penalties are $250,000 and 10 years in prison.
What is the bottom line?
Educational institutions that provide health care services to individuals other than students, or that provide health care coverage to their employees, need to be familiar with HIPAA. Educational institutions that do not receive federal funds but maintain any student medical records may also be subject to HIPAA requirements.
For more information on compliance with HIPAA and FERPA, please contact Luis Arroyo at firstname.lastname@example.org or (414) 225-2773 or Fran Makuch at email@example.com or (312) 836-5086, or any of our attorneys in the Education Law Focus Group.
¹ “Small health plans” with not more than $5 million in annual receipts have an additional year to comply with HIPAA’s privacy requirements.