agency or institution. See 34 CFR § 99.3. At the elementary or secondary level, a student’s health
records, including immunization records, maintained by an educational agency or institution subject
to FERPA, as well as records maintained by a school nurse, are “education records” subject to
FERPA. In addition, records that schools maintain on special education students, including records
on services provided to students under the Individuals with Disabilities Education Act (IDEA), are
“education records” under FERPA. This is because these records are (1) directly related to a
student, (2) maintained by the school or a party acting for the school, and (3) not excluded from the
definition of “education records.”
At postsecondary institutions, medical and psychological treatment records of eligible students are
excluded from the definition of “education records” if they are made, maintained, and used only in
connection with treatment of the student and disclosed only to individuals providing the treatment.
See 34 CFR § 99.3 “Education records.” These records are commonly called “treatment records.”
An eligible student’s treatment records may be disclosed for purposes other than the student’s
treatment, provided the records are disclosed under one of the exceptions to written consent under
34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school
discloses an eligible student’s treatment records for purposes other than treatment, the records are
no longer excluded from the definition of “education records” and are subject to all other FERPA
requirements.
The FERPA regulations and other helpful information can be found at:
http://www.ed.gov/policy/gen/guid/fpco/index.html.
III. Overview of HIPAA
Congress enacted HIPAA in 1996 to, among other things, improve the efficiency and effectiveness
of the health care system through the establishment of national standards and requirements for
electronic health care transactions and to protect the privacy and security of individually identifiable
health information. Collectively, these are known as HIPAA’s Administrative Simplification
provisions, and the U.S. Department of Health and Human Services has issued a suite of rules,
including a privacy rule, to implement these provisions. Entities subject to the HIPAA
Administrative Simplification Rules (see 45 CFR Parts 160, 162, and 164), known as “covered
entities,” are health plans, health care clearinghouses, and health care providers that transmit health
information in electronic form in connection with covered transactions. See 45 CFR § 160.103.
“Health care providers” include institutional providers of health or medical services, such as
hospitals, as well as non-institutional providers, such as physicians, dentists, and other practitioners,
along with any other person or organization that furnishes, bills, or is paid for health care in the
normal course of business. Covered transactions are those for which the U.S. Department of Health
and Human Services has adopted a standard, such as health care claims submitted to a health plan.
See 45 CFR § 160.103 (definitions of “health care provider” and “transaction”) and 45 CFR Part
162, Subparts K–R.
The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other
identifiable health information by requiring appropriate safeguards to protect privacy, and setting
limits and conditions on the uses and disclosures that may be made of such information without
patient authorization. The rule also gives patients rights over their health information, including
rights to examine and obtain a copy of their health records, and to request corrections.