I saw some interesting news from the OS OCR Privacy List listserv. If you are with an education institution or a healthcare covered entity, take some time to read the new guidance about the relationship between FERPA and HIPAA…
“The Departments of Education and Health and Human Services have jointly released guidance to explain the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and to address apparent confusion on the part of school administrators, health care professionals, and others as to how these two laws apply to student health records. The guidance also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those disclosures related to health and safety emergency situations. The guidance was developed in response to the “Report to the President on Issues Raised by the Virginia Tech Tragedy” (June 13, 2007, http://www.hhs.gov/vtreport.html), as well as to address questions the respective Departments have heard generally from stakeholders regarding the intersection of the HIPAA Privacy Rule and FERPA.
The Departments of Health and Human Services and Education are committed to a continuing dialogue with school officials and other professionals on these important matters affecting the safety and security of our nation’s schools. While this guidance seeks to answer many questions that school officials and others have had about the intersection of these federal laws, ongoing discussions may cause more issues to emerge. Contact information for submitting additional questions or suggestions for purposes of informing future guidance is provided at the end of the guidance document.
FERPA is a Federal law that protects the privacy of students’ “education records.” (See 20 U.S.C. § 1232g; 34 CFR Part 99). The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information and gives patients rights over their health information.
The guidance is available at http://www.hhs.gov/ocr/hipaa.”
The direct link is http://www.hhs.gov/ocr/hipaa/HIPAAFERPAjointguide.pdf