School Districts and IUs as "Health Care Providers" Under HIPAA: Fact or Fiction

We prepared this Memorandum after receiving many inquiries from clients and friends seeking guidance on the applicability of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to School Districts and Intermediate Units. At present, there are conflicting opinions regarding whether School Districts and Intermediate Units are required to comply with the HIPAA Privacy Regulations (“Regulations”) issued by the United States Department of Health and Human Services (“HHS”), as “health care providers.” As set forth in more detail below, we believe that, in certain circumstances, School Districts and Intermediate Units can be “health care providers”1 under HIPAA and obligated to comply with the Regulations in that capacity.

Recently, a document entitled “SBAP HIPAA Update” was distributed by Leader Services (“Leader”). Leader is the statewide vendor for the Pennsylvania Department of Education’s School-Based ACCESS Program. In its HIPAA Update, Leader states that “[i]t appears, based on current information available from the U.S. Department of Education’s Family Policy Compliance Office and a section concerning FERPA contained in the HIPAA Final Privacy Rules and Preamble, that public schools receiving federal funding are exempt from HIPAA Privacy requirements.”

Some districts have interpreted Leader’s update as concluding or opining that a School District or Intermediate Unit cannot be a health care provider under HIPAA, and therefore need not comply with HIPAA’s Privacy Regulations as a health care provider. Further, some districts have treated the position of Leader as essentially legal advice on HIPAA, despite an express notice on the update that it was for informational purposes only and “not legal advice.”

We do not necessarily disagree that the conclusion reached by Leader, if supported by HHS, would be desirable. However, it is our opinion that there are circumstances where a Pennsylvania School District or Intermediate Unit can be a “health care provider” under HIPAA and therefore required to comply with the Privacy Regulations.

An entity is a “health care provider” under HIPAA if it provides health care services and transmits data electronically with respect to a transaction covered by HIPAA. Health care is broadly defined and includes, among other things, speech therapy, physical therapy, and psychological counseling. Where an entity is a health care provider, it must comply with the privacy standards set forth in the Regulations, which govern how covered entities may use and disclose “protected health information” (“PHI”).

As applied to School Districts and Intermediate Units, the Regulations specifically exempt information contained in “education records” under the Family Educational Rights and Privacy Act (“FERPA”) from the definition of PHI. The theory behind the exemption is that HIPAA cannot interfere with or preempt FERPA.

To the extent that a School District or Intermediate Unit provides health care services and has records of a student that are not covered by FERPA (i.e., not an education record), that contain PHI, the School District or Intermediate Unit is likely a health care provider and must comply with the Regulations. We have identified a number of circumstances where a School District or Intermediate Unit could, in fact, be a “health care provider” under HIPAA:

A School District or Intermediate Unit may have records that contain PHI under HIPAA (and which are not education records under FERPA) in connection with the submission of a claim for reimbursement through ACCESS. The “bills” and other documents generated by either internal or external health professionals, which are either paid for by the School District or Intermediate Unit and/or used to create a submission for reimbursement through ACCESS, contain PHI and are often transmitted electronically. Such documents would not appear to qualify as education records under FERPA and, in fact, the districts we have consulted do not treat those documents as FERPA records.
Similarly, the definition of “education record” under FERPA specifically excludes “records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible to or revealed to any other person except a substitute.” 20 U.S.C. § 1232g(b)(4)(B)(i). Moreover, the United States Supreme Court has narrowly interpreted the definition of “education record” in Owasso Indep. School District v. Falvo, 534 U.S. 426, 434 (2002). Thus, for example, the notes maintained by certain health care professionals relating to the treatment of students would not be FERPA documents and, therefore, are not exempted from HIPAA.
If a School District or Intermediate Unit provides health care services to non-students or students from non-public schools, the records generated with regard to such services are likely not covered by FERPA. Accordingly, to the extent that the School District or Intermediate Unit transmits data associated with those records electronically (or transmits a paper claim to a third party who transmits the data electronically on its behalf), the School District or Intermediate Unit could be a “health care provider.”
The Regulations expressly provide that a school nurse can be a “health care provider” if the nurse or school engages in a HIPAA transaction and transmits data electronically. The issue becomes, of course, what data is transmitted. Some sources take the position that where a nurse is billing for services electronically, such a transaction is not exempted from HIPAA (because the record is not an educational record under FERPA), but where the school nurse is providing care pursuant to an IEP, such treatment does not render the nurse a health care provider.
A school-based health center may also qualify as a “health care provider.” Where such health centers are sponsored by entities outside the School District or Intermediate Unit (i.e., hospitals or community health centers), the health center will be required to comply with HIPAA. Those documents that are retained by the School District and which are education records under FERPA, would not be covered by HIPAA, but any documents retained by the health center would be covered by HIPAA.

Our research leads us to conclude that a substantial number of Intermediate Units, and many School Districts (1) provide heath care services; (2) receive and maintain documents containing PHI (as defined under HIPAA), but which are likely not “education records” under FERPA; and (3) transmit data associated with those records electronically. In those circumstances, the School District or Intermediate must comply with the Regulations as a health care provider.

We, and other interested parties, have been in contact with representatives of the Pennsylvania Department of Education and Department of Health, as well as HHS, in an effort to obtain additional guidance. However, unless there is a revision to the Regulations, or a clear pronouncement by HHS, there are, as set forth above, circumstances where a School District or Intermediate Unit can be required to comply with the Regulations as a health care provider.

Thus, we strongly recommend that each School District and Intermediate Unit undertake a careful evaluation of its particular circumstances and decide whether it may be a health care provider.2 We have advised our clients to take the necessary steps to comply with the Regulations if they fall within one of the areas set forth above. In that regard, each has identified itself as a “hybrid entity” under HIPAA, to narrowly tailor the scope of compliance to those particular aspects of the School District or Intermediate Unit that are, in fact, covered by HIPAA.

1 This Memorandum does not address the basic issues of HIPAA, nor does it address compliance as a “group health plan.” In sum, if a School District or Intermediate Unit receives PHI in connection with any of its health plans (including dental, vision, prescription, and FSA), it will likely be required to comply with all of the standards set forth in the Regulations. The compliance date for both group health plans and health care providers was April 14, 2003, except for “small group health plans” (less than $5 million), where the compliance date is April 14, 2004.

2 Each School District and Intermediate Unit must also evaluate whether it is required to comply based upon its status as sponsor of a “group health plan” under HIPAA. There is, without question, no exemption for districts based on their status as a group health plan covered entity.

Robert J. Tribeck is a partner in Rhoads & Sinon’s HIPAA Compliance Group and the firm’s Labor and Employment Law Group. Rhoads & Sinon offers a full range of HIPAA counseling and representation. If you have any questions about this issue, you can contact Mr. Tribeck via email at rtribeck@rhoads-sinon.com or by telephone at 717-233-5731. Feel free to contact Mr. Tribeck or any of our HIPAA attorneys directly for more information about our firm and its available services.