
HIPAA and FERPA: What You Need to Know

Updated: Nov 18, 2020

Image courtesy of the Today Show

HIPAA and FERPA: we hear about them almost every day with all of the news surrounding COVID-19, but what are they? According to the Centers for Disease Control (CDC), HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. HIPAA required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The CDC also states that FERPA stands for the Family Educational Rights and Privacy Act, which is a federal law enacted in 1974 that protects the privacy of student education records.

Both HIPAA and FERPA are extremely relevant when talking about COVID-19 because schools are primary locations for clusters, and HIPAA and FERPA both protect the privacy of students who are sick. These rules can be difficult for schools to navigate, because it is essential to know the names of affected students for contact tracing, but names can’t be released under these regulations. Health and school records are both protected under HIPAA and FERPA, which makes pandemics and global health issues more complicated than expected.

HIPAA consists of two main parts: the Privacy Rule and the Security Rule. The HIPAA Privacy Rule’s standards address the disclosure and use of any individual’s health information. The entities that are covered by the HIPAA Privacy Rule include healthcare providers, health plans covering more than 50 people, healthcare clearinghouses and business associates. The main goal of the Privacy Rule is to make sure that individuals’ health information is properly protected. The HIPAA Security Rule protects a specific sector of information already covered by the Privacy Rule, which includes all health information a covered provider creates, receives, maintains or transmits in electronic form.

In order to comply with these rules, entities that are included in the HIPAA Privacy Rule need to do multiple things. There must be a balance between disclosing important pieces of information while also protecting people’s privacy. To comply with the HIPAA Security Rule, these same aforementioned entities must ensure confidentiality, integrity and availability of all electronically protected health information and safeguard against anticipated threats to the security of the information. However, the Privacy Rule permits the disclosure of personal health information without permission under certain circumstances, such as when it is required by law, for organ donation or for workers’ compensation.

FERPA applies to any public or private elementary, middle or high school and any state or local education agency that receives funds from the U.S. Department of Education. FERPA serves two main purposes: to give parents or eligible students (one who has reached age 18 or attends a school beyond the high school level) more control over their educational records and to prohibit educational institutions from disclosing personal information and records without the written consent of an eligible student (or if the student is a minor, the student’s parents).

Schools that fail to comply with FERPA risk losing federal funding. Public schools at all levels, including colleges and universities, receive funding from the U.S. Department of Education and are subject to FERPA. On the other hand, private schools at the elementary, middle and high school levels generally do not receive such funding and therefore are not subject to FERPA. Private colleges and universities do receive such federal funding and are subject to FERPA.

FERPA allows schools to disclose information from a student’s education record without consent under a few conditions, such as a request by a school official with legitimate educational interest and by other schools to which a student is transferring. Schools may also disclose “directory” information such as a student’s name, address and telephone number without consent, but to do so, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.

HIPAA and FERPA are both in place to preserve people’s personal information and to maintain anonymity with personal endeavors. In a college setting, especially during a pandemic, they work closely together and are crucial in keeping both students and faculty safe.

By Freya Dahlgren, Contributing Writer

