HIPAA vs. FERPA: Secondary Use of Student Health Records at Postsecondary Institutions
Whenever UC Berkeley researchers plan to conduct secondary research involving use of protected health information (PHI) from medical records at a covered entity (CE), researchers must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with regard to accessing or obtaining the data.
However, researchers should be aware that student health records at postsecondary institutions receiving funding from the U.S. Department of Education (DOEd) are considered “education records” under FERPA (see below, under What is FERPA?) and thus are not subject to HIPAA. Any researcher who wishes to access identifiable student health records at a postsecondary institution where FERPA applies must be knowledgeable about and comply with FERPA.
Of note, many postsecondary educational institutions have clinics that also provide health services to non-student patients, such as faculty and staff. Non-student health records at these clinics, if they are covered entities, are subject to HIPAA. For example, UC Berkeley’s covered entities are the University Health Services (including health care services on behalf of Intercollegiate Athletics), and the Optometry Clinic. At these sites, student records are subject to FERPA (because UC Berkeley receives DOEd funding), while non-student records are subject to HIPAA.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that applies to all educational institutions (primary, secondary, and postsecondary schools) receiving funds under any applicable program of the DOEd. FERPA was put in place to protect the privacy of student education records, which are records that:
- Are directly related to the student, and
- Are maintained by an educational agency or institution, or by a party acting for the agency or institution.
For minors, FERPA gives parents rights with respect to their children’s education records. These rights are automatically transferred to the student:
- Once the student turns 18, or
- Once the student attends a postsecondary educational institution (i.e. beyond high school). The student assumes responsibility for the record once a Statement of Intent to Register is submitted to the postsecondary educational institution.
Non-minor students and those who attend postsecondary educational institutions are considered “eligible students” who have full rights under FERPA with respect to their education records.
How does FERPA affect researchers?
With some exceptions, FERPA prevents schools from releasing identifiable student education records to third parties without prior written consent of the eligible student. (For non-eligible students, student education records cannot be released without prior written permission of parents/guardians.) Therefore, any researcher who intends to access or obtain identifiable student health records (i.e. education records) at or from a postsecondary educational institution receiving funding from the DOEd must obtain prior written consent from the eligible students.
Examples, when prior consent is required:
SCENARIO 1: A UCB researcher would like to obtain identifiable data from undergraduate student health records at UC Berkeley’s Tang Center. Because FERPA applies, the researcher must obtain written consent from the students prior to accessing their data. The researcher must submit a non-Exempt application to CPHS/OPHS for review and approval prior to consenting subjects and obtaining the data. Note that the IRB cannot approve a consent waiver for access to FERPA-protected data.
SCENARIO 2: A UCB researcher would like to obtain identifiable student and non-student data (adults) from health records at the UC Berkeley Optometry Clinic. For student records protected by FERPA, the researcher must obtain prior written consent to obtain the data. For non-student records protected under HIPAA, the researcher must either obtain written consent via a HIPAA Authorization form, or request a Waiver/Alteration of HIPAA Authorization prior to obtaining the data. The researcher must submit a non-Exempt application to CPHS/OPHS for review and approval prior to consenting subjects and obtaining the data.
Example, when prior consent may not be required:
SCENARIO 1: A UCB researcher plans to receive de-identified health information from UC Berkeley’s University Health Services. When data are de-identified prior to research use, neither FERPA nor HIPAA applies. The researcher must contact OPHS (firstname.lastname@example.org) to confirm that data are de-identified prior to obtaining the data.
NOTE: Limited data sets under HIPAA are considered PHI. Please review the CPHS Guidelines on HIPAA and Human Subjects Research for guidance on research involving limited data sets. If the limited data set includes student data (subject to FERPA), the researcher must contact OPHS to determine whether student data included in the limited data set are de-identified.