"A brighter future through better public schools"

ADVISORY ON LOCAL SCHOOL DISTRICTS' RESPONSIBILITIES UNDER HIPAA

Jointly prepared by KSBA and Kentucky Department of Education

This statement is intended to provide an overview of extensive HIPAA regulations and is not intended to provide comprehensive legal advice. Due to the variety and complexity of school health care issues in Kentucky's 176 school districts, districts are encouraged to perform a self-analysis to determine if they or any of their health care components are a "covered entity" under HIPAA and to follow appropriate measures. One good source for this analysis may be found at the Centers for Medicare & Medicaid Services' website at www.cms.hhs.gov/hipaa.

Model HIPAA authorization form

ISSUE:

  • What are the possible effects of the new Health Insurance Portability and Accountability Act (HIPAA) on school districts?

SUMMARY:

  • Health information in student records covered under the Family Educational Rights and Privacy Act (FERPA) is not subject to HIPAA requirements.
  • School-based health centers may be subject to HIPAA requirements if they are sponsored by HIPAA-compliant health organizations.
  • School nurses may be subject to HIPAA requirements if they engage in electronic billing.
  • Medicaid billing may not be subject to HIPAA requirements if the information is not submitted electronically.
  • Communications between schools and health care providers may be affected by HIPAA.
  • Health care coverage for district employees is not affected by HIPAA, but flexible spending accounts may be.

The Health Insurance Portability and Accountability Act ("HIPAA") mandates actions that "covered entities" must take to protect the privacy of an individual's health information. The U.S. Department of Health and Human Services ("HHS") has issued rules to implement and enforce these privacy requirements. Generally, entities covered by HIPAA may release or receive "protected health information" about an individual only if that individual gives permission or the Act expressly permits its release.

HIPAA defines "covered entity" to mean a health plan; a health care clearinghouse; or a health care provider who transmits any health information in electronic form in connection with a transaction covered under the Act. "Protected health information" is defined as individually identifiable health information that is transmitted by electronic media; maintained in any medium meeting the definition of electronic media; or transmitted or maintained in any other form or medium.

While each school board attorney should assess the applicability of HIPAA to the school district based on the particular facts and circumstances, generally, HIPAA has potential applicability to school districts in several areas, as set forth below.

I. STUDENT EDUCATIONAL RECORDS

Under a final rule issued by HHS, health information contained within student educational records that are subject to the Family Educational Rights and Privacy Act ("FERPA") is exempt from the requirements of HIPAA. (See HIPAA, 24 CFR 164.501.) "Educational record" includes individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school receiving federal funds. In addition, medical records that are excepted from FERPA's definition of "education records" under FERPA section 99.3[1] are also exempted from coverage by HIPAA. The HHS reasoned that subjecting districts to both FERPA and HIPAA requirements as to these records would be confusing and unduly burdensome.[2] Of course, districts must continue to ensure that these records are received, maintained and transmitted in a manner consistent with FERPA.

The regulations suggest that school-based health centers may qualify as "health care providers." In cases where centers are sponsored by health care entities covered by HIPAA, such as health departments, hospitals or community health centers, those entities are subject to the HIPAA privacy requirements and will be responsible for compliance. This may result in health information kept in the school district being treated as FERPA records, and the same information kept in the health facility being covered by HIPAA.

For example, when a center is performing school health functions or implementing health mandates on behalf of the school board, and the health information of students who use the facility is entered into the educational record, the information is covered by FERPA. Any health care information that is retained by the health care provider will be covered by HIPAA. Protected health information that exists only in the office of a health care provider may not be released to school personnel or other third parties without parental authorization. Districts may need to coordinate with these centers in drafting HIPAA-compliant authorizations if the school requires health information that is produced and available only outside of the school district. These health care providers will most likely be able to provide forms for this purpose, or the school may utilize the model form provided by the Kentucky Medical Association (see discussion in section II, below).

A confusing aspect of HIPAA is whether school nurses who are employees of the district are subject to HIPAA as "health care providers." The regulations are silent on this precise point, but the 2000 regulations state, "The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction."

Some sources interpret this regulation to mean that school nurses, as health care providers, are covered entities under HIPAA only if they transmit health information electronically in connection with a HIPAA transaction. This language suggests that when a school nurse is not billing electronically but simply providing care pursuant to an IEP or section 504 plan, the information generated by the care becomes an educational record covered under FERPA, but not subject to HIPAA.

But what if this information is then utilized to bill Medicaid? It appears that, at least for now, if the information is not submitted electronically, the entity does not become a "covered entity" and a HIPAA transaction is not created. For more information on Medicaid billing and determining whether your district is a covered entity, see the attached "Provider HIPAA Readiness Checklist" or visit the Centers for Medicaid & Medicare Services' website at www.cms.hhs.gov/hipaa.[3]

II. DEALING WITH PHYSICIANS AND OTHER HEALTH CARE PROVIDERS

The HIPAA privacy regulations will impact schools' communications with physicians and other health care providers. For example, the process by which a school obtains immunization records or athletic pre-participation physicals from health care providers may be affected.[4] The easiest method will likely be to require the parent to produce these records. In situations where this or other health information must be obtained directly from the health care provider, the Kentucky Medical Association has provided a model authorization form that its members will accept for HIPAA transactions. A copy of this form is attached. This model contains the specific elements required under HIPAA for a valid authorization, including a description of the information to be disclosed; the name or class of persons authorized to use or disclose the information; the name or class of persons to whom disclosure may be made; the purpose of the requested use or disclosure; a specific expiration date; and the dated signature of the patient or personal representative. In addition, the form must state that the individual has the right to revoke the authorization in writing. These requirements are set forth at 24 CFR 164.508.

In addition to obtaining immunization records or other health information, districts may have to communicate with physicians and other health care providers regarding injuries to students or student athletes. A HIPAA-compliant parental authorization will be required to obtain information from health care providers.

Another area of concern is the release of health information relating to student athletes, as in when an athletic trainer is asked to disclose information regarding an injury to a player. While it is disputed that such a disclosure to the coaching staff would violate HIPAA (as FERPA applies), the safest course is for personnel to refrain from discussing such injuries with third parties outside the school/district (such as the media) absent a specific authorization from the student's parent or legal guardian. The Kentucky Medical Association is currently working with the Kentucky High School Athletic Association in developing practical guidelines for athletic programs.

III. DISTRICT AS EMPLOYER

District employees are provided access to health insurance by the General Assembly. Does this mean that districts are "covered entities" with regard to these benefits? Thankfully, the answer appears to be "no." The Personnel Cabinet has concluded that the cabinet is a "Plan Sponsor" under HIPAA. The Commonwealth may be viewed as the initiator of the health plans with the possible exception of local flexible benefit programs (discussed below). Neither the Kentucky Department of Education nor the local district would fall under the category of a health plan or of a health care clearinghouse. While the local district may be a health care provider, as set forth in section I above, FERPA applies to cover student records.

Moreover, HIPAA's definition of "protected health information" specifically excludes employment records held by a covered entity in its role as employer. (45 CFR 164.501). Therefore, even if a district were somehow deemed to be a covered entity, employment records are exempt. Disclosures of health information for purposes of workers' compensation are permissible without prior authorization under HIPAA, 45 CFR 164.512(b)(1)(v)(A-D).

Districts are well advised, however, to protect employee health information as carefully as they do health information in student records, segregating employees' health information and keeping it locked, with access limited on a specific need-to-know basis. In fact, this procedure should already be in place to comply with the Americans with Disabilities Act.

IV. FLEXIBLE SPENDING ACCOUNTS

Flexible Benefit Programs adopted by individual districts may be "covered entities" under HIPAA. In most of these programs, the district initiates the program and contracts with a third party administrator ("TPA") that receives protected health information. The program is self-funded, pays medical expenses and therefore may be a health plan as that term is defined in HIPAA. Currently, HHS has not exempted flexible spending programs from HIPAA. Districts should monitor the HHS website (www.hhs.gov) daily for updated information. In the meantime, TPAs should be prepared to be HIPAA-compliant and districts should ensure their contractual agreement with any TPA requires HIPAA compliance. Only the TPA should administer the participation of employees, with no protected health information from that program going through district offices or personnel. It should be noted that other self-funded health plans, such as dental insurance, may also be deemed a covered entity under HIPAA.

V. CONTACT INFORMATION

We hope this information has been useful to your district. Specific questions on whether and how HIPAA applies to your district should be directed to your board attorney. If you have general questions or concerns regarding the information provided herein, please contact the following:

John Fogle, Attorney
jfogle@ksba.org
Legal Services
Kentucky School Boards Assoc.
260 Democrat Drive
Frankfort, KY 40601
1-800-372-2962, (502) 695-4630
FAX (502) 695-5451

Anne Keating, Staff Attorney
akeating@kde.state.ky.us
Office of Legal and Legislative Services
Kentucky Dept. of Education
500 Mero Street
Frankfort, KY 40601
(502) 564-4474
FAX (502) 564-9321

VI. RESOURCES

We found the following Web sites to be helpful in compiling this information:

U.S. Department for Health and Human Services, www.hhs.gov

Centers for Medicare and Medicaid Services, www.cms.hhs.gov

National School Boards Association, www.nsba.org

U.S. Department of Education, www.ed.gov

FERPA compliance: www.ed.gov/offices/OM/fpco/ferpa/library/hippa

Kentucky Governor's Office of Technology, http://got.state.ky.us

North Carolina Health Care Information and Communications Alliance, www.nchica.org


[1] 20 USC 1232g(a)(4)(B)(iv) includes records on a student who is 18 or older or is attending an institution of post secondary education, where the records are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional and are made or used in connection with treatment and not available to anyone other than the professional.

[2] It must be noted, however, that some schools and/or districts (such as private schools) do not receive federal funds and are not covered by FERPA. Therefore, their records containing individually identifiable health information are not education records and may constitute protected health information under HIPAA.

[3] Districts that utilize KSBA's Medicaid Billing Program need only maintain confidentiality and security of their records, as KSBA will be fully HIPAA compliant within the statutory deadlines.

[4] Any health records that become part of the educational record become subject to FERPA and the FERPA disclosure rules apply.
