HIPAA and FERPA Privacy and Security Rules

When healthcare providers and schools work together, both sets of privacy rules need to be observed.

HIPAA protects a patient’s information from being shared, while FERPA protects a student’s personal information. HIPAA is concerned with protecting diagnoses, dates of service, medication lists, etc. FERPA is concerned with grades, attendance, discipline and more.

  • This paper from the Association of State and Territorial Health Officials compares the two sets of guidelines.

This Privacy & Confidentiality Agreement is an example of a way to communicate between school staff and agency staff about what information is shared and how.

Privacy in a school setting can be hard to come by. Consider covering the window set in the door, soundproofing, and making sure that a closed door will not be opened accidentally during a healthcare appointment.

Unfortunately, there is no government seal of approval to verify a vendor's HIPAA security, and a school-based telehealth provider does not become HIPAA compliant simply by using a vendor's software or hardware. Technically speaking, no vendor can be “HIPAA-compliant” because software vendors do not meet the criteria of a Covered Entity (to whom HIPAA applies).

It is good practice to include a statement about HIPAA and FERPA on enrollment or registration forms.