Formstack Blog

FERPA vs. HIPAA Compliance: What You Need to Know

Healthcare and education are two very different industries, but one commonality between them is the mandate to comply with certain government regulations.

If you work in the healthcare industry in the United States, you’re probably familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If you work in education, you might be familiar with the Family Educational Rights and Privacy Act of 1974 (FERPA). In short, both laws exist to protect the privacy and security of individuals’ records.

What is HIPAA?

HIPAA sets privacy and security requirements for protected health information (PHI). Failure to comply can bring civil and, in some cases, criminal penalties for organizations and individuals alike. In broad terms, the U.S. Department of Health & Human Services (HHS) explains that the HIPAA Privacy Rule protects patient information by establishing a set of patient rights and standards that apply to covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions) and to the business associates that handle PHI on their behalf. The companion Security Rule adds administrative, physical, and technical safeguards for PHI held electronically.

What is FERPA?

The Records Office at Adams State University explains that FERPA is in place to protect the privacy of student education records, giving a set of rights to students and their parents. According to the U.S. Department of Education, education records include academic records such as report cards, transcripts, and class schedules; disciplinary records; and contact and family information. FERPA rights transfer from the parents to the student when the student turns 18 or enrolls in a postsecondary institution, whichever comes first.

How do FERPA and HIPAA overlap?

In the simplest terms, FERPA and HIPAA are both designed to protect the information of individuals and to keep anyone without authorization from accessing it. While health records and education records generally differ in nature, there is some overlap between the two acts.

The HIPAA Privacy Rule generally does not apply to primary and secondary schools (K-12). Student health records that a K-12 school maintains (immunization records, records kept by the school nurse, and records on services provided to special education students) are education records under FERPA. The Privacy Rule therefore usually does not reach them: either the school is not a HIPAA covered entity at all, or, if it is, the student health information it holds sits in education records, which HIPAA excludes from the definition of PHI. For more information on the intersection of FERPA and HIPAA, check out section IV of the joint HHS and Department of Education guidance document.

There is also overlap in the case of healthcare clinics and facilities at higher education institutions. HHS explains how FERPA and HIPAA generally apply to health clinics at higher education institutions:

FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. (HHS.gov)

Patient records maintained by a university hospital, on the other hand, are generally subject to the HIPAA Privacy Rule, even when the patient is a student.

How can I stay FERPA and HIPAA compliant when collecting sensitive information?

Whether your institution is currently subject to these regulations or not, it’s important to understand the rights of students and patients, and who is (or is not) entitled to their information.

One of the best security measures you can take when collecting sensitive information of any kind is to encrypt your data, both in transit and at rest. Here are three precautions you should take to keep your data secure:

  1. Collect sensitive information using a secure solution like Formstack.
  2. Use security features like data encryption and access logging. If a security breach occurs, an audit log tells you who accessed which records and when they accessed them.
  3. Avoid sending sensitive information to non-compliant third parties or unauthorized individuals. Under HIPAA, a vendor that handles PHI on your behalf is a business associate and must have a signed business associate agreement in place before it receives any data.
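The second precaution above, access logging, is only useful after a breach if the log itself cannot be quietly edited by whoever got in. The example below is added here and is not code from the original post or from Formstack: it wraps a constructed in-memory store of form submissions with a role check and a hash-chained, HMAC-protected audit log, so that every read (allowed or denied) is recorded and any later edit or deletion of a log entry is detectable. The submission store, role table, user names, and key are all assumptions made up for the illustration.

```python
"""Tamper-evident access log for sensitive form submissions (added example).

Assumptions, none of which come from the original post: submissions live in an
in-memory dict keyed by id, each user has a set of record types it may read,
and the application holds an HMAC key that the log writer uses.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: two submissions, one of them a student health record.
SUBMISSIONS = {
    "sub-1001": {"type": "immunization", "student": "A. Example", "vaccine": "MMR"},
    "sub-1002": {"type": "contact", "student": "B. Example", "phone": "555-0100"},
}

# Constructed role table: which record types each user is entitled to see.
ROLES = {
    "nurse01": {"immunization", "contact"},
    "coach02": {"contact"},
}


class AuditLog:
    """Append-only log in which each entry's MAC also covers the previous
    entry's MAC. Editing or deleting one entry breaks every MAC after it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = b"genesis"  # chain anchor for the first entry

    def _mac(self, payload: bytes, prev: bytes) -> str:
        return hmac.new(self._key, prev + payload, hashlib.sha256).hexdigest()

    def record(self, user: str, record_id: str, action: str, allowed: bool, when=None):
        """Append one entry; `when` may be fixed for reproducible tests."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"ts": when, "user": user, "record": record_id,
                 "action": action, "allowed": allowed}
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = self._mac(payload, self._prev)
        self._prev = entry["mac"].encode()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the anchor; False if any entry was altered
        or removed (a removal shifts the chain and breaks the next MAC)."""
        prev = b"genesis"
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            payload = json.dumps(body, sort_keys=True).encode()
            if not hmac.compare_digest(self._mac(payload, prev), e["mac"]):
                return False
            prev = e["mac"].encode()
        return True


def read_submission(user: str, record_id: str, log: AuditLog):
    """Return the submission if the user's role covers its type, else None.
    Both outcomes are logged, so denied attempts are visible too."""
    sub = SUBMISSIONS.get(record_id)
    allowed = sub is not None and sub["type"] in ROLES.get(user, set())
    log.record(user, record_id, "read", allowed)
    return sub if allowed else None


def accesses(log: AuditLog, record_id: str):
    """Answer the post-breach question: who touched this record, and when?"""
    return [(e["ts"], e["user"], e["allowed"])
            for e in log.entries if e["record"] == record_id]


if __name__ == "__main__":
    log = AuditLog(b"application-held-key")
    read_submission("nurse01", "sub-1001", log)
    read_submission("coach02", "sub-1001", log)   # denied: coach may not see immunizations
    print(accesses(log, "sub-1001"))
    print("log intact:", log.verify())
```

The chain only proves integrity to someone who holds the key, so in production the entries should be shipped as they are written to a separate log system or write-once storage that the application servers cannot modify; otherwise an attacker who compromises the server can rewrite the log and recompute the MACs.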

Safeguarded by encryption and other advanced security measures, Formstack’s HIPAA compliant solution allows users to collect sensitive information, accept electronic signatures, and securely store files and export submissions all through easy-to-use online forms. Click below to learn more.