The Health Insurance Portability and Accountability Act ("HIPAA") provides protection for personal health information held by covered entities. A covered entity under HIPAA is either: (1) a health plan, (2) a healthcare clearinghouse, or (3) a healthcare provider that transmits health information electronically in connection with certain administrative and financial transactions.
Schools are obviously not a covered entity health plan or healthcare clearinghouse. However, many school districts employ nurses, physicians, psychologists, or other healthcare providers who serve students and staff. Would the employment of these healthcare providers qualify a school district as a covered entity "healthcare provider" under HIPAA? The answer to this question depends on whether the school district: (1) furnishes, bills or receives payment for healthcare in the normal course of its business, and (2) transmits these covered transactions electronically.
Thus, if a healthcare provider serves students under contract with or otherwise under the direct control of a public school covered by FERPA, any student health records created or maintained by this person are considered education records under FERPA, and not personal health information under HIPAA. This is the case regardless of whether the healthcare is provided to students on school grounds or offsite. Therefore, the school district in the above example would be required to comply with FERPA's privacy requirements with respect to this student's health information, including the requirement to obtain parental consent, or the student's consent if the student is 18, in order to disclose Medicaid billing information about a service provided to this student.