July 7, 2003

TO THE ADMINISTRATOR ADDRESSED:

The purpose of this letter is to inform Texas public schools about the Health Insurance Portability and Accountability Act (HIPAA) and the district’s responsibilities under HIPAA.

School districts have operated for many years under the privacy law that was enacted in 1974 called the Family Education Rights and Privacy Act (FERPA). FERPA requires that schools that receive federal funding hold as confidential the information in students’ education records. This information can only be made available to parents, students at age 18, or to school staff who have a ‘need to know’ in order to provide education. FERPA is administered and enforced by the U.S. Department of Education’s Office for Civil Rights.

HIPAA was enacted by Congress in 1996 and addresses confidentiality of health information records. The privacy regulations that are a part of HIPAA were issued in December 2000 and in August 2002 and cover only one part of the HIPAA requirements. Because FERPA and HIPAA both cover confidential information, HIPAA’s definition of protected health information excludes education records protected by FERPA. That means the use and disclosure of education records, as defined by FERPA, is not subject to HIPAA regulations. A student’s IDEA related-services records are included in the definition of ‘educational records’ and are covered under FERPA.

However, there are two instances in which a school district may fall under HIPAA regulations:

·  A school district must comply with HIPAA if the district provides health insurance protection for its employees through a self-insured insurance plan.

·  The second instance when a district may be covered by HIPAA is if the school district participates in the School Health and Related Services (SHARS) program. SHARS is the school-based Medicaid program that provides a reimbursement to a school district for related services to a special education student who is also Medicaid eligible and whose IEP describes the related services. HIPAA describes a ‘covered entity’ as a health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR 160.103. If the SHARS billing information is transmitted electronically, the district must comply with the administrative burdens of the HIPAA Privacy Rule. One of the responsibilities of the school district that is a covered entity is to distribute a notice of privacy rights to the parents of students. Including the privacy rights notice annually in the student handbook is one of the ways this may be accomplished.

Not all school districts in Texas participate in the SHARS program. Some districts participate in SHARS, but do not submit electronic billing information and are, therefore, not subject to HIPAA. We suggest that school districts consult with their legal counsel to determine if they are a ‘covered entity’ and are therefore covered by the HIPAA requirements. The National School Board Association has initiated contact with the Office of Civil Rights (OCR) in the Department of Health and Human Services, which is tasked with the enforcement of the privacy rules under HIPAA. OCR is preparing to issue some Frequently Asked Questions on the intersection of HIPAA and FERPA. When information is available from OCR regarding HIPAA and FERPA, it will be posted on the TEA Interagency Coordination’s website at www.tea.state.tx.us/interagency.

There is information that could be of assistance on the Center for Medicaid and Medicare Services (CMS) website at www.cms.hhs.gov/hipaa. Additional information pertaining to HIPAA can be obtained from the National Heritage Insurance Company (NHIC). NHIC’s provider relations phone number is (800) 925-9126.

Sincerely,

Tommy Cowan

Director

Interagency Coordination