Universities handle student health records, but does that mean they also need to comply with the regulations set by HIPAA, the Health Insurance Portability and Accountability Act?
While HIPAA requires its covered entities to follow guidelines for safeguarding protected health information (PHI), whether or not it applies to universities and other educational institutions depends on specific circumstances.
Health plans play a crucial role in HIPAA’s framework, as they are considered covered entities. This involves health insurance providers and other entities that manage health benefit plans. However, the classification of universities as covered entities under HIPAA is not straightforward and often requires consideration of various factors.
This post explores the scope of HIPAA compliance for universities and some tips to ensure compliance with industry and privacy regulations within the university premises.
Understanding HIPAA Compliance in Universities
Does HIPAA apply to universities? The answer is no. Educational institutions like universities are exempt from the HIPAA Privacy Rule. Even when a school provides healthcare services to students, the resulting health information is filed under education records, which HIPAA does not cover. Instead, student health records are covered by FERPA, the Family Educational Rights and Privacy Act of 1974, a federal law enacted to safeguard the privacy and maintain the integrity of student education records. It also grants parents and eligible students access to their university records.
Unlike healthcare providers, universities are not required to comply with HIPAA. A student’s medical information is not considered PHI, which exempts it from the HIPAA Privacy and Security Rule guidelines.
HIPAA Privacy Rule in Universities: Protecting Student Health Information
Health care components within universities, including on-site health clinics and medical professionals, play a vital role in the overall well-being of students. Nowadays, many educational institutions offer healthcare services to their students and even employ medical professionals. Some universities also have on-site health clinics that provide medications and vaccines to students. This means they also collect, store, and transmit the health information of their students. While HIPAA oversees the use and disclosure of PHI, schools are not considered covered entities. Therefore, the HIPAA Privacy Rule does not apply.
Still, it is worth noting that when a school hires a business associate, such as a healthcare provider, to conduct PHI transactions, the school can then be considered a covered entity. In this case, the medical provider must comply with HIPAA, and patient authorization is mandatory before PHI is disclosed.
When schools perform electronic PHI transactions, they must follow the HIPAA Transactions and Code Sets and Identifier Rules. This means they need to create consistent formats for the disclosure of PHI involving claims, enrollment, etc. In this case, student health information must be separate from education records.
Safeguarding Research Data
Health care institutions have specific regulations to ensure the confidentiality of sensitive health care information, but in the realm of education, FERPA mainly regulates schools instead of HIPAA. According to FERPA’s general rule, PHI from education records needs written consent before disclosure. However, it permits agencies or third-party vendors to obtain research data from universities, provided it complies with the regulatory requirements.
Since most educational institutions depend on sharing research data to improve classroom instruction, FERPA allows sharing these data with individuals or entities working for the school. But to ensure student data protection, the school must secure a written agreement and meet any other requirements agreed upon by both parties involved.
HIPAA Compliance Policies and Procedures for Universities
Generally, HIPAA does not govern universities and other educational institutions. However, schools with student health services and psychology clinics can be considered HIPAA-covered entities. In this case, the school will set up a committee with representatives from each of these units to design and disseminate a university-wide annual HIPAA training program.
Although HIPAA does not directly regulate universities, it is still necessary for its staff to implement security measures to safeguard sensitive student health details. Not only does this prevent unauthorized access, but it also keeps the university safe from paying costly violation penalties.
Here are some HIPAA compliance policies and procedures for universities:
Implementing a university HIPAA training program
After the school board appoints HIPAA compliance officers, they are required to complete a HIPAA awareness training program. Just like healthcare professionals in hospitals and businesses, student doctors and nurses must safeguard the confidential medical records of students. To ensure proper use and disclosure of PHI, they must thoroughly understand the compliance guidelines.
Documenting HIPAA violations
If there are any complaints of HIPAA violations, such as hacking or loss of documents containing PHI, they should be documented and reported directly to the university’s HIPAA committee. Additionally, the documentation should be made available to all staff with roles relevant to handling student medical records.
Performing regular monitoring and assessment
Implementing policies to prevent data breaches and other potential violations of HIPAA regulations is critical for universities. Covered entities that provide health services to students must conduct regular monitoring and risk assessments to identify vulnerabilities and develop effective strategies to minimize potential risks. It is the responsibility of the HIPAA committee at the school to take necessary action and ensure compliance with these regulations.
HIPAA training and education
Like healthcare providers, university staff responsible for student medical records must also be mindful of HIPAA regulations. These rules go beyond protecting personal health information and involve complicated components with legal consequences.
Comprehensive HIPAA compliance training is essential for university staff to ensure the proper implementation of HIPAA regulations. The administrative staff and students must also take joint responsibility for compliance with HIPAA procedures in the university setting. Failure to comply with HIPAA regulations can result in severe consequences, which is why all university staff and students must receive regular HIPAA compliance training.