Many people mistakenly believe that HIPAA violations are made by medical providers alone. In some cases, however, American school systems are required to comply with HIPAA.
Each year, there are thousands of HIPAA violations investigated by the United States Department of Health and Human Services (HHS). The penalty for a HIPAA violation is up to $50,000, with a maximum fine of $1.5 million for multiple violations.
The vast majority of these violations occur at a hospital or doctor’s office. In rare instances, a school can violate HIPAA laws as well.
Read on to learn more about proper record storage. In addition, explore what schools need to know about HIPAA compliance.
For the most part, HIPAA compliance is not mandated on elementary and secondary schools. Obviously, these schools collect medical data for young students such as vaccination records.
However, a different law called the Family Educational Rights and Privacy Act (FERPA) covers most of these students. Simply put, a school record that is covered under FERPA is not covered by HIPAA.
Besides the fact that FERPA supersedes HIPAA in many cases, there are two other criteria to determine if HIPAA applies. First, check to see if the school is a HIPAA covered entity.
This means that the school is handling health plans or transmitting healthcare information electronically. These transmittals are required for administration or financial reasons.
The second criteria are what type of information the school possesses. Generally, the information recorded by schools is considered part of the student’s educational record and subjected to FERPA instead.
There are a number of different scenarios when HIPAA applies rather than FERPA. One common example is students who attend a private school.
Private schools do not receive any federal grants or funding, therefore, do not fall under FERPA. This means that medical records of private school students may require HIPAA compliance.
This fact comes with an important caveat. There are instances in which privacy laws are not applicable. You should consult with a privacy law expert to see exactly what medical records are subject to HIPAA laws in this situation.
Another situation in which HIPAA applies is when a non-school employee provides medical care. Consider a scenario in which a local pharmacy provides the flu shot at a school. If this activity is not sanctioned by the school than HIPAA laws take precedence over FERPA.
When a student turns 18, the HIPAA versus FERPA debate gets more complicated. In general, HIPAA takes over when a student turns 18.
However, FERPA is the law of the land for students 18 and over when a school is operating the health clinic. This is common at American colleges and universities.
Determining whether a school’s medical records need to be FERPA or HIPAA compliant is confusing. Regardless of the applicable law, protecting the students’ privacy is paramount.
Digital records are a great way to secure medical data. In addition, you should contact privacy experts to ensure you are complying with federal and state law.
If you have any questions about implementing a digital recordkeeping system, please contact us for assistance.