For the vast majority of records maintained by public schools, the Health Insurance Portability and Accountability Act (HIPAA) is not applicable. This is because most records that contain medical information related to a student and are shared with the school are considered an “education record” under the Family Educational Rights and Privacy Act (FERPA). In most cases, the privacy requirements of FERPA apply rather than HIPAA. However, while FERPA’s broad reach provides protection for most school records, any school district offering a group health plan for its employees remains responsible for compliance with the HIPAA rules, even if it contracts with a third-party administrator (TPA) to manage the plan.
Further, school districts are not subject to the HIPAA rules in their capacity as employers; they are subject to them in their capacity as sponsors of health plans. HIPAA applies to “covered entities” and their “business associates.” Covered entities include “health plans, health care clearinghouses, and health care providers who transmit health information in electronic form.” Within the definition of health plans are “non-federal governmental plans,” which include plans sponsored by states, counties, school districts, and municipalities. As a result, any “protected health information” (PHI) that a school district or other employer holds on a health plan’s behalf when it designs or administers the plan is subject to HIPAA.
HIPAA applies to health plans regardless of whether they are fully-insured or self-funded, but for most fully-insured plans, the insurance carrier assumes most of the responsibilities with respect to the plan. For self-insured and level-funded plans, the plan sponsor itself must take specific actions to comply with HIPAA. A self-insured health plan must develop detailed internal privacy and security policies and procedures to ensure that PHI is protected and that access to, use of, and disclosure of PHI are restricted in a manner consistent with HIPAA’s privacy and security protections. These procedures must include safeguards for sending PHI, receiving PHI for plan purposes, and storing PHI, as well as workstation safeguards for those who may have access to PHI. These policies must be customized to the employer’s own IT systems, so a plan sponsor cannot rely on the policies of its TPA.
In addition to adopting HIPAA policies, plan sponsors must complete a risk assessment, train all employees who may have access to PHI, and distribute a notice of privacy practices to plan participants. The notice informs plan participants of their rights and of the plan’s privacy practices related to the use and disclosure of PHI. If a privacy breach were to occur, the failure to create and implement these internal policies could lead to large financial penalties from the Department of Health and Human Services (HHS).
For 2024, HHS can issue a penalty of up to $68,928 per violation, and each required safeguard for which there is no policy counts as a separate violation. With increased enforcement activity and penalties from HHS, covered entities should regularly audit their policies and procedures to ensure that they comply with all aspects of the rules. If you have questions or need assistance in creating or reviewing your plan’s HIPAA policies and procedures, please contact any member of the Bricker Graydon Employee Benefits team.