HIPAA and Schools

In the first article, we provided some background on HIPAA, the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. The question most school districts have is "How does HIPAA affect us?" The purpose of this article is to try and outline what impact HIPAA will have on school districts in Minnesota.

School districts know about the federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g and the regulations that implement it (34 C.F.R. part 99). FERPA says that data about students are available to the parents of the student and those school staff members who have a "legitimate educational interest." There are exceptions to this general rule and they are more fully outlined in the federal regulations. Minnesota law also provides that most data about students are accessible to the student, the student's parents and those whose job duties reasonably require access. See Minnesota Statutes, section 13.32. HIPAA adds another layer of federal law and rules to the medical data that may be found in school records.

There are 3 areas where HIPAA may impact schools. Each will be addressed separately.

1. Do you have a school-based health center (not the school nurse) operated by a hospital, clinic or government health department?

The hospital, clinic and government health department all are covered by HIPAA and will have to follow the regulations promulgated by the federal Department of Health and Human Services (HHS). These health care providers should already be working on how they will comply with HIPAA and should inform you of any changes they will require in order to continue to operate the school-based health center. Assuming that there has not historically been interaction or a sharing of records between the health center and the school district, nothing should change.

A helpful article is "Safeguarding Individual Health Privacy: A Review of HIPAA Regulations" found at www.healthinschools.org/focus/2002/no4.htm.

2. Do you have a school nurse? Does the nurse submit claims to pay for his or her services? Are those claims submitted electronically?

Only if you answered "yes," to all three of these questions is there a need for you to become more familiar with HIPAA and its requirements. HIPAA's provisions are triggered when a provider of health care (the nurse) submits claims electronically. If your school district finds itself in this situation, the first thing that needs to be done is to request an extension from HHS so that the electronic transactions standards will not apply until October 16, 2003. Go to http://aspe.os.dhhs.gov/admnsimp/ for more information.

3. Do the schools in your district receive medical data about students directly from health care providers such as doctors and hospitals?

If you receive medical data about students directly from health care providers, nothing much should change with the advent of HIPAA. In Minnesota, there is a law (Minnesota Statutes, section 144.335) that says that health care providers cannot release medical data without written consent from their patient. This requirement is not affected by HIPAA and so consents will still be required to obtain medical data about students directly from health care providers.

A final note: HHS recognizes that the interrelationship of FERPA and HIPAA is one that will require further study and consideration. Watch for additional information from Washington, D.C. on this topic.