Do HIPAA Privacy & Security Laws Apply to College & University Student Health Clinics?
Protecting Student Health Information
Dramatic changes in our national and local health care systems and insurance markets have raised a key question for nearly all colleges and universities: Do the ‘HIPAA Rules’ apply to student health clinics?
“Universities vary in their legal opinions on whether the Health Care Portability and Accountability Act of 1996 (HIPAA), including the new privacy and security rules in effect September 2013, applies to student health clinics. One common position is that the Family Education Rights and Privacy Act (FERPA) applies and HIPAA does not. A second perspective takes the position that HIPAA does apply, though the rest of the campus, as a ‘Hybrid’ entity, may continue under FERPA. A third, less common, conclusion is that neither HIPAA nor FERPA applies due to an exemption given to student ‘treatment records,’ a position which we argue creates potential liability for the University.”
Why is this question important?
“If HIPAA Rules do apply to student health clinics, there are extensive administrative, physical and technical policies and safeguards required to protect the privacy interests of its students and, to the extent applicable, other patients. Failure to meet these requirements, even in a single instance, could result in significant financial penalties against the University. Universities operating under HIPAA are also responsible for affirming that ‘business associates,’ including EMR vendors, insurance companies, labs, etc., are compliant with HIPAA requirements. Additionally, as of September 2013, business associates are independently liable for failure to maintain HIPAA Rules.”