Does HIPAA Apply in Schools?

HIPAA applies in schools only when the school, or a health-related unit within the school, functions as a HIPAA covered entity or a business associate. Most student health records maintained by elementary and secondary schools are regulated under the Family Educational Rights and Privacy Act rather than the HIPAA Privacy Rule.

An elementary or secondary school is outside the scope of the HIPAA Privacy Rule when it does not meet the definition of a HIPAA covered entity. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standardized transactions. Schools that only maintain student health information as part of student records typically maintain that information as education records under the Family Educational Rights and Privacy Act, which places those records outside the definition of protected health information for purposes of the HIPAA Privacy Rule.

A school can meet the definition of a HIPAA covered entity in limited circumstances, such as when it provides health care and conducts covered electronic transactions like electronic billing to a health plan. Even when a school meets the covered entity definition, the HIPAA Privacy Rule may still not apply to the school’s student health information if the school’s health records for students are Family Educational Rights and Privacy Act education records or treatment records, because those records are excluded from protected health information under the HIPAA Privacy Rule.

HIPAA can apply to a school that is not subject to the Family Educational Rights and Privacy Act and that meets the definition of a HIPAA covered entity, such as a private school that does not receive funding that makes it subject to the Family Educational Rights and Privacy Act and that operates a clinic that bills electronically for health care services. In that circumstance, individually identifiable health information maintained by the school in its capacity as a covered entity is subject to the HIPAA Privacy Rule.

HIPAA can also apply to health care providers who deliver services on school grounds but are not employed by the school and are not acting on behalf of the school. Records created and maintained by those outside providers are not school education records under the Family Educational Rights and Privacy Act, and the provider’s handling of individually identifiable health information is governed by HIPAA when the provider is a covered entity or business associate.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.