My school keeps some medical records for students. How does HIPAA apply to how we handle those records?
Many schools collect and store certain kinds of medical records for students—medical histories, immunization records, insurance information, et. al.—and questions periodically arise about who at a school may have access to these items (or whether these may be stored and accessed via Populi in the first place). The regulations governing these questions are described in the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the United States Department of Education and Department of Health and Human Services has published Joint Guidance on the Application of [FERPA] And [HIPAA] To Student Health Records. What follows reflects our understanding of this guidance as of December, 2022; while we hope this brief summary is helpful, we refer you to the aforelinked document for full particulars.
- FERPA defines and governs the use of "education records", which are records directly related to a student or are maintained by an educational institution.
- HIPAA regulates how "health care providers" keep "individually identifiable health information" private and restricted to those authorized to access that information.
- Records collected about the student, even if the information is health-related (immunization records, for example), are considered "education records" and so fall under the purview of FERPA.
- If your school provides medical and/or psychological treatment for students via, say, an in-house clinic, and the records kept in the course of that treatment are used solely in connection with that treatment, they are considered "health information" and fall under HIPAA.
This quote from the guidance seems most pertinent to our customers:
At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. See 34 CFR § 99.3 “Education records.” These records are commonly called “treatment records.” An eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30. If a school discloses an eligible student’s treatment records for purposes other than treatment, the records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
It appears that FERPA leaves much of this up to your judgment. Provided you use Populi as intended, any health-related information you collect that falls under the definition of "education records" is appropriate to collect and store in Populi. For more information on how Populi provides tools to help your school comply with FERPA, please see this article.
Some notes and ideas:
- Profile > Activity Feed lets you make notes and upload files and restrict visibility to particular user roles.
- Forms lets you manage access to the form so that only particular user roles and people have access to responses.
- Likewise for Files. You could create a shared folder in Files for medical records, but this could prove unwieldy—there would be no direct links between the individual medical files and the student's profile.
- Custom fields are another option. Keep in mind that the information in these fields is visible to any user with access to the section of Populi in which the fields are created:
- Contacts: Anyone with the Staff role (which includes all of the other roles mentioned below except for Advisor)
- Academics: Anyone with Academic Admin or Registrar role, as well as any Advisors assigned to the student
- Admissions: Academic Admin, Admissions Admin, Registrar, and Admissions users
- Billing: Financial Admin and Student Billing users
- Campus Life: Campus Life, Financial Admin, and Student Billing
- Financial Aid: Financial Aid users