School administrators and health care professionals may have difficulty navigating the HIPAA privacy rules and the requirements of the Family Educational Rights and Privacy Act (“FERPA”) when dealing with the health information of students. In 2008, the U.S. Department of Education (“DOE”) and the U.S. Department of Health and Human Services (“HHS”) issued joint guidance the form of Q&As, with the purpose of clarifying issues such as when a school may be a covered entity under HIPAA, and when the health information of a student is excluded from the reach of HIPAA as an education record.
HHS and the DOE have now updated and expanded the prior guidance to include additional Q&As addressing when a student’s health information can be shared without the written consent of the parent or student under FERPA, and without written authorization under HIPAA. In releasing the updated joint guidance, Secretary of Education Betsy DeVos stated, “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.” The December 19, 2019 press release from HHS here and the updated guidance may be viewed here.
