Question

This week, we have learned about HIPAA, privacy issues, and the concept of a covered entity. You may face some of these issues as a health care professional. For our discussion this week find a case study that addresses an aspect of HIPAA or FERPA and helps us to better understand the ways in which these laws are applied and the situations that are covered by either.

Answer 1

Points:

• The Privacy Rule applies only to covered entities. Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities, and thus, will not have to comply with the Privacy Rule.
• The Privacy Rule does not apply to research; it applies to covered entities, which researchers may or may not be. The Rule may affect researchers because it may affect their access to information, but it does not regulate them or research, per se.
• To gain access for research purposes to PHI created or maintained by covered entities, the researcher may have to provide supporting documentation on which the covered entity may rely in meeting the requirements, conditions, and limitations of the Privacy Rule.

The Privacy Rule applies only to covered entities; it does not apply to all persons or institutions that collect individually identifiable health information. It may, however, affect other types of entities that are not directly regulated by the Rule if they, for instance, rely on covered entities to provide PHI. It is important that researchers be aware of how the Rule might affect them in the various types of organizations in which they operate, and what they may have to do in order to continue their research or begin new research efforts on and after the compliance date for the Privacy Rule.

Covered Entities

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.

Researchers are covered entities if they are also health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard. For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a covered entity.

Health Plan – With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.
Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “valueadded” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
Health Care Provider – A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health Care – Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Six golden rules of privacy law

• FERPA never applies to non-students
• FERPA only applies when the student’s medical records are released
• HIPAA doesn’t apply to records covered by FERPA or to student “treatment records”
• Even if you treat non-students, you’re not bound by HIPAA unless you perform electronic transactions.
• Student health and counseling centers that do perform electronic transactions for non-students can declare themselves “hybrid”.
• State laws are applicable whether or not other federal laws apply.

• MENU

  Jump to navigation

  

  NueMD An AdvancedMD. company

  You are here

  Home

  /

  Why NueMD?

  /

  Resources

  /

  Blog

  /

  HIPAA and FERPA: Six golden rules of privacy law

  HIPAA and FERPA: Six golden rules of privacy law

  Consider this question. Say the mother of a 22-year old student that you have treated requests to see her daughter’s medical records. The Bursar’s office confirms that the student is listed as a dependent for tax purposes. There seems to be no urgent reason for such a release and the student does not wish to give her mother access. How would you protect the privacy of her information?

  Situations such as this one that require knowledge of privacy laws to resolve successfully are all too common in the average student health center, yet the acronyms HIPAA and FERPA tend to strike fear into the hearts of the staunchest of college health professionals. So much has been written anecdotally on the subject of how complicated and unspecific these laws are that some may be surprised to find that according to legal professionals, the intersections between the laws are generally clear-cut. This article aims to explain which laws apply to you and what you can do to avoid the headaches that ensue from a conflict between your principles as a care provider and the law.

  
  Six golden rules of privacy law

  • FERPA never applies to non-students
  • FERPA only applies when the student’s medical records are released
  • HIPAA doesn’t apply to records covered by FERPA or to student “treatment records”
  • Even if you treat non-students, you’re not bound by HIPAA unless you perform electronic transactions.
  • Student health and counseling centers that do perform electronic transactions for non-students can declare themselves “hybrid”.
  • State laws are applicable whether or not other federal laws apply

  This is how these rules break down.

  RULE 1: FERPA never applies to non-students
  RULE 2: FERPA only applies when the student’s medical records are released

  The Family Educational Rights and Privacy Act (FERPA) is the older of the two federal privacy laws. Enacted in 1974, one aspect of its governance is the privacy of educational records. There is a popular myth circulating that student medical records fall under the FERPA’s umbrella term “educational records”. In fact, FERPA specifically excludes the treatment records of students in higher education from its definition of educational records (see USC 20, 1232gfor a complete definition). It also excludes employees of an educational institution if they are not students. FERPA does come into play, but only if the records are released to someone outside the health center, whether that is the student, their parents, their professors, or another health provider outside the university, at which point they become “educational records” rather than treatment records.

  It is important to note that it is not the request for the release that brings FERPA into effect. Many student health professionals believe that if a request to see the records is made that is in accordance with FERPA guidelines, they have to release them or be in violation of FERPA. Not so, says Kristine Dunne, BA, EdM, JD, an associate at the Washington, D.C. office of law firm Arent Fox, LLC.

  “It's the release of the records that triggers FERPA,” she explains. “There are no rights extended under FERPA to those medical records until such time as they have been made available to someone other than the treating health professionals, at which point the FERPA protections of student records kick in.”

  Applying this to the example at the beginning of the article, if state law doesn’t require you to release the student’s unreleased medical records to her mother, you are under no legal obligation to do so without a court order. Similarly, even if you think a professor may have a “legitimate educational interest” in requesting a student’s unreleased medical records, you still don’t have to release them.

  FERPA is just one part of the puzzle, however. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is another relevant law that seeks to be the national privacy standard in healthcare. It was updated in 2003 to take into account the trend toward automation and electronic record-keeping. These privacy guidelines have been well publicized and generally uphold the kind of patient confidentiality that most health care providers are comfortable with and there has therefore been a widespread trend in health centers to apply these standards to student medical records, even if they are not legally required. It is important to realize, however, that while its principles of privacy and confidentiality are excellent, in most cases, compliance is not required by law.

  RULE 3: HIPAA doesn’t apply to records covered by FERPA or to student medical records which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment.

  
  RULE 4: Even if you treat non-students, you’re not bound by HIPAA and won't be subjected to an audit unless you transmit healthcare information in electronic form in connection with the submission of claims for payment.