HIPAA and FERPA often get confused because both are federal laws that protect private information. The main difference between them is that HIPAA protects patient information while FERPA protects student information. Although HIPAA and FERPA are stand-alone acts, they do have some points of intersection.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that demands all organizations protect what’s considered “protected health information” (PHI) from being disclosed to unauthorized persons. Unless the state law is more stringent than federal law, HIPAA overrides state law regarding data privacy.
The HIPAA Privacy Rule requires safeguards to protect the privacy of PHI in any medium and applies to health plans, health care clearinghouses, and health care providers. The rule also sets limits on disclosures that can be made without patient consent and gives individuals rights to examine and obtain their health records at any time. Its goal is to balance the confidentiality, integrity, and availability of private health information.
According to the HIPAA Journal, employers most frequently run into HIPAA compliance issues due to:
For more information, check out our blog, “What Is HIPAA?”
The Family Educational Rights and Privacy Act (FERPA) of 1974 is a federal law administered by the U.S. Department of Education that protects student privacy at any government-funded educational institution. FERPA gives parents the right to review a student's educational records and request correction of records. These rights are transferred to the student when they turn 18 or enter an educational institution beyond high school.
FERPA also prohibits educational institutions from disclosing personally identifiable information in student records without the written consent of an eligible student (or the parents if the student is still a minor). However, there are a few exceptions to this FERPA rule. The institution can release information without consent if:
To ensure FERPA compliance, educational institutions should:
Educational institutions that do not comply with FERPA may lose their federal funding, and some states allow compensation to students for FERPA violations.
When education and healthcare intersect, it can become difficult to identify what falls under HIPAA versus FERPA jurisdiction. According to the Joint Guidance document on the Application of FERPA and HIPAA to Student Health Records, in a few instances, an agency or institution can be subject to both FERPA and HIPAA.
Let’s say an institution has its own clinic that’s also open to the public. In that case, it would be required to comply with FERPA with respect to its student patients, and with HIPAA with respect to its non-student patients. If both HIPAA and FERPA apply to your organization, each patient can generally be categorized under one of the two laws. As a general rule, FERPA only applies to students.
FERPA covers student education records and student treatment or student Health Center records. Generally, university treatment records protected by FERPA are excluded from coverage under the HIPAA Privacy and Security Rules.