Understanding HIPAA and FERPA

This article is intended to provide resources to assist in understanding the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) and how each applies to college health and wellness. This is no substitute for legal advice as each health/wellness center should consult with its legal affairs office/general counsel for interpretation and application of privacy and confidentiality laws.

Privacy and confidentiality in health care are usually governed by the state as well as the federal government (HIPAA) and generally apply to adults; there are some instances in which they are enforceable for minors. In institutions of higher learning, student privacy and confidentiality are governed by FERPA and enforceable regardless of the student’s age. Readers should refer to their individual state for more information about state confidentiality laws. Usually the more stringent law applies, but this determination should be left to your university’s legal counsel.

HIPAA and FERPA Resources

The following sites provide basic information about HIPAA and FERPA, as well as how they intersect. Courses and training are available for those who require advanced competency and/or certification for HIPAA compliance.

Consulting with Other Staff

Consult with your campus legal counsel when issues involve (or may involve) potential breach of confidentiality and privacy. Also, consult with them to ensure that you are appropriately adhering to all applicable laws. This may require them to review your relevant policies and procedures.

Senior leaders in the health or wellness center’s reporting chain should have at least a cursory knowledge of the law to ensure that they do not inadvertently disclose protected information, as they may be the first point of contact regarding confidentiality and privacy issues.

Also consult with your campus legal counsel for assistance in determining if your health or wellness center is subject to HIPAA. CMS provides this guidance as well.

Bottom line: If you are electronically transmitting insurance claims you need to know how HIPAA applies to your health or wellness center. When in doubt, check with your legal affairs office.