There are many different data security standards and regulations telling us how to deal with personal data.
They are, however, often described in complex bureaucratic lingo and sometimes intersect so much they can lead us into an incomprehensible mess.
For Americans, two of them, HIPAA and FERPA, are probably the most confusing.
There are many questions that exist about their features, fields, and use cases for application, intersections of both laws, and their core differences.
Let’s delve deeper into the privacy regulations world and learn all the crucial aspects of these two regulative acts.
The difference between HIPAA and FERPA briefly
First of all, let’s take a closer look at these two regulatory acts to understand more about each one and its respective history.
It will help us comprehend how they’re being applied and how not to get confused.
Both laws are federal and apply equally across the USA. They are aimed at keeping personal records private and safe from third-party access.
- FERPA was released by the U.S. Department of Education and covers educational personal data
- HIPAA was issued by the U.S. Department of Health and Human Services and is related to personal electronic health records (EHR).
This doesn’t mean that these two acts are completely independent of each other — there are some intersections between them.
We’ll detail these intersections below in a separate block.
What is FERPA?
FERPA stands for the Family Educational Rights and Privacy Act, issued in 1974.
In the 1970s, there wasn’t much personal data in digital form; federal law originally describes how to approach student education records in paper form only.
Despite this, FERPA includes a prohibition of personal data sharing using personal delivery, verbal communication, fax, mail, or any electronic method.
The act is obligatory for schools and some other educational institutions funded by the U.S. Department of Education and holding their students’ personal data.
These items are called educational agencies or institutions. Among them are:
- Public or private elementary schools
- Public or private secondary schools
- Post-secondary schools (universities and colleges)
- Both state and local educational agencies
- Those who act as agents of educational agencies.
The act doesn’t apply to elementary and secondary private or religious schools that do not receive any funding from the U.S. government.
Here are the essentials of FERPA in a few words:
1. The act prohibits educational institutions from disclosing, without written permission, any identifiable personal data from student records.
2. FERPA also gives eligible persons (parents or legal guardians for the students under 18 years old, and the students themselves if older) access to the personal records with the permission of disclosing the data contained at their discretion.
3. Students and their legal guardians are entitled to review their educational records, ask for reasonable corrections, and control the list of those who have an access to these records.
This is a set of four rights FERPA grants to its beneficiaries:
- To inspect the related records which are maintained by the school.
- To request changes in the corresponding records.
- To give written permission to disclose personal data protected by FERPA, except in the cases where this permission isn’t required.
What is HIPAA?
HIPAA means the Health Insurance Portability and Accountability Act of 1996. HIPAA was issued more than two decades after FERPA by the Clinton administration.
The act was created as an answer to the challenges of mass digitization, despite the fact that digitizing everything was just an upcoming trend at that time.
The act protects specific parts of U.S. patients’ medical records (protected health information — PHI) from any attempts of disclosure until and unless the patient permits it.
It is obligatory for the following covered entities:
- All the medical institutions that use the electronic transmission of patient records
- Healthcare data storage and clearinghouses
- Healthcare insurance programs (health plans)
- Any other healthcare providers and organizations acting on behalf of patients protected by the act
- Health information that is included in educational reports.
The 1996 HIPAA version wasn’t the last; in fact, it was just the beginning.
Within the next two decades, the act was substantially updated with new rules several times — in 1998 (Security and Electronic Signature Standards Rule), 2003 (HIPAA Privacy Rule), 2009 (Health Information Technology for Economic and Clinical Health Act (HITECH), and the last one in 2013 (Omnibus Rule).
For the current HIPAA version, these statements hold true:
- The main purpose is to offer a workflow for electronically sharing of the private medical information required for efficient care, while at the same time protecting these data records from unauthorized access.
- Along with keeping personal medical data protected, HIPAA also allows patients or their eligible persons to review their records on demand.
Here is a full list of rights HIPAA currently grants to patients:
- To get a notice of privacy practices employed by the medical institutions serving them.
- To review and copy related medical records.
- To ask for updating their EHR.
- To restrict any disclosures of your protected personal data.
- To know who receives copies of their EHR.
- To file a complaint in case of any HIPAA violation.
- To sue the related HIPAA-covered entity in case of violation.
How HIPAA and FERPA intersect
Despite the fact that HIPAA and FERPA cover very different areas, and originated from different governmental agencies, there are certain intersections between them where education meets healthcare.
We did our best to make this part as clear and simple to understand as it was possible.
Below are examples of such cases, where the entity after a symbol → means that act is the one that such a case falls under.
You can also check this informative joint guidance doc by the U.S. government about how to deal with both regulatory acts with respect to student health records.
Areas of data secured
FERPA covers the next areas of personal data:
- Personal data — first and last names, addresses, birth date, and social security number of a student.
- Educational data related to certain persons.
- Medical data from school nurses which are considered educational.
- Directory information — address, birth date, phone number, awards list, attendance schedule, and other general data — could be disclosed without written permission yet eligible persons must be informed and they have the right to disallow this action.
HIPAA’s personal data areas coverage:
- Numbers of account, phone, fax, internet protocol, social security, certificate or license, or any other number that can identify the patient.
- Any biometric identifier.
- Photos with the face visible and comparable ones.
- Geographic data about entities smaller than the name of the U.S. state (country, city, etc.).
- Related dates.
- Any other personally identifiable information belonging to a patient.
What data can be disclosed without permission?
There are some types of personal data which could be disclosed without any permission obtained.
In theory, release of this data should not help or allow any third-party entities to identify the patient or student.
|Specified officials for audit or evaluation purposes
|Uses and disclosures with the opportunity to agree or object by asking the individual or giving an opportunity to agree or object
|School officials and personnel
|Incident to an otherwise permitted use and disclosure
|Appropriate parties in connection with financial aid to a student
|Treatment, payment, and healthcare operations
|Schools to which a student is transferring
|Limited dataset for the purposes of research, public health, or healthcare operations
|Organizations conducting certain studies for or on behalf of the school
|To the individual
|Official persons in cases of health and safety emergencies
|Public interest and benefit activities (e.g., public health activities, victims of abuse or neglect, decedents, research, law enforcement purposes, serious threat to health and safety)
|State and local authorities within a juvenile justice system, pursuant to specific state law
|De-identified health information
|Health information held in an educationrecord subject to FERPA
|In the case of judicial order
|Communications that are not recorded in anyform, such as the contents of a conversationbetween a teacher and student in a hallway
|Records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except a temporary substitute for the maker of the record
|Treatment records of a student 18yrs and older when used only in connection with treatment
If we speak about HIPAA, it additionally allows the covered entity to disclose any piece of personal information from the EHR, but only in exceptional circumstances.
These circumstances include two mandatory points:
- The patient’s health or life is under a serious threat that could be negated or reduced by disclosing their personal data.
- The person to whom this data is disclosed is rationally able to mitigate or eliminate the threat with the help of this data.
Situations where personal data access is withheld or limited
Cases when eligible persons cannot get access to the information or have only limited access also exist.
When a parent consents to the child’s health services, the parent, as a personal representative, generally has a right to access the records unless there is a court order limiting that access.
However, even when a parent would otherwise have a right of access under HIPAA, there are some exceptions.
For example, HIPAA defers to state law if it limits access and HIPAA gives the healthcare professional discretion to withhold the child’s health record — cases such as when the health provider in their professional judgment believes disclosure may put a patient in danger.
It is also important to check corresponding state laws from time to time.
With respect to FERPA, the educational agencies or institutions can limit or withhold access to the data in cases of a court order, state statute, or legally binding document relating to such matters as divorce, separation, or custody that specifically revokes these rights.
Violations and penalties
We’ve gathered several illustrative examples of violations of each of these two acts.
Presented in a table form with columns, both differences and similarities of these acts will be understood much better.
We’ve also added data about the different degrees of penalties for violations.
|A teacher sends someone a letter of recommendation regarding a student, without written permission
|Data isn’t encrypted or encrypted poorly
|A professor left an unattended laptop turned on in a lecture hall with students
|PHI is sent to the wrong patient
|A lecturer sends email to multiple students using CC: instead of BCC:
|A notebook or smartphone with access to the medical system was stolen or lost
|Several professors discuss their students’ academic successes and failures in a bar or other public setting full of unknown people
|A careless medical staff member speaks about the facts from a patient’s PHI outside the clinic
|A teacher, telling parents about the successes and failures of their child, actively compares that child with the other students’ results (and speaks about these results openly)
|Medical records weren’t correctly deleted and a secondary party found them
|Someone gives the example of a student’s performance over other students
|A malicious software infected the system
|An educational staff member kept access credentials unsafe and they were stolen by students
|A cyberattack lead to an unauthorized access
An unconscious violation by inattention:
$100—$10.000 fine per episode, up to $1,500,000 yearly
The person was aware of what they did, or at least should have been:
$1000—$50.000 fine per episode, up to $1,500,000 yearly
|2. Criminal prosecution
The violation was made intentionally but effects were eliminated within 30 days:
$10,000—$50.000 fine per episode, up to $1,500,000 yearly
|3. Dismissal or termination
The violation was made intentionally with no shift to correct:
$50.000 fine per episode, up to $1,500,000 yearly
|4. Federal funding cessation
Both HIPAA and FERPA are quite complicated and voluminous.
Moreover, they’re slightly changing over time, as well as tied to other, different laws and regulations.
All these make their in-depth understanding somewhat of a challenging artform that exists for professionals.
With that being said, now that we’ve discussed them in detail, here are some final takeaways.
- The acts look frightening for non-lawyer, adhering to their rules isn’t what is super hard. There is a set of more or less simple and quite feasible rules to follow. The parts initially looked the most disturbingly, like intersections, turned out to be among the easiest and unambiguous.
- Probably the hardest part of HIPAA or FERPA implementation is staff training. Namely, because, your staff are or will be potentially the main violators here, as you can judge from the violation examples above.
- Violation penalties look horrible but for those who are attentive and diligent, the penalties are much more restrained.
- To minimize violations risk, train your staff and set up a secure environment:
- First, your staff members need to learn the things they must always avoid by heart.
- Second, all the hardware used to access your education or medical system must be polished in terms of security — the latest anti-malware tools must be up and running, and all suspicious software must be excluded, etc.
- Then, you must choose the right software for (digitized and electronic) paperwork where your documents will always be secure.
- Even though remote work is acceptable for some roles in almost every company or institution these days, keep in mind that each and every access to the system outside the office produces a significant risk of security violation issues.
We hope your doubts about HIPAA and FERPA have now disappeared, or have at least become substantially reduced. If any serious questions still remain, feel free to get in touch!
Stay HIPAA compliant with PandaDoc
We’re certain none of our readers wants breaches to happen with their data.
For some industries, including healthcare, such breaches can have a serious, possibly irreversible effect on business.
That’s why choosing the right environment, including properly secure and effective software, is so crucial.
When we speak about the right software suite for your paperwork, PandaDoc comes to a rescue. Our software offers super-secure storing and sharing of your documents.
With PandaDoc, you won’t have to spend so much time thinking about compliance — all your actions within the platform are fully HIPAA-compliant if adhering to the software use correctly.
And adding a document tracking feature makes you aware of each episode of access — should a breach occur, you’ll instantly become aware of it.
Frequently asked questions
Both of them are U.S. federal laws, protecting privacy information of the U.S. citizens from third-party access.
No. FERPA is for the Family Educational Rights and Privacy Act, released in 1974 and geared toward protecting the personal data of students. HIPAA means the Health Insurance Portability and Accountability Act, released in 1996 and structured to protect the personal data of patients of healthcare institutions.
FERPA acts as the main protecting act for students’ personal data of both public or private primary and secondary schools receiving funds from the U. S. government. In some cases, when we speak about medical aid within the school, HIPAA comes into play as well.