Some school districts are starting to mandate students get vaccinated against COVID-19 to attend in-person classes.
One group opposed to a vaccine mandate by the San Diego Unified School District posted a picture on Instagram, claiming the district is using syringe icons next to students’ names to track vaccination status. The post has almost 2,000 likes.
The group claims the system violates their rights under the Health Insurance Portability and Accountability Act of 1996 – better known as HIPAA.
Are school districts generally subject to HIPAA rules?
No, school districts generally are not subject to HIPAA rules.
WHAT WE FOUND
HIPAA is a federal law that protects people’s sensitive health information from being shared without their knowledge, according to the Department of Health and Human Services (HHS) and Centers for Disease Control and Prevention (CDC). “Individually identifiable health information” related to a person’s past, present or future is protected under HIPAA, the HHS says.
The part of HIPAA that sets standards for sharing medical records is called the privacy rule.
The privacy rule applies to three groups that are known as covered entities, according to the HHS. One group is health care providers, such as doctors, clinics and dentists. Health plans, including health insurance companies and government programs such as Medicare and Medicaid, are the second group of covered entities. The third group is health care clearinghouses like billing companies.
HHS says the privacy rule also applies to business associates, essentially a person or group that uses protected health information as part of a service it provides to a covered entity.
Because school districts generally are not covered entities, HIPAA’s privacy rule does not apply to them. And typically, when school districts are considered a covered entity, the HHS says student health records are considered “education records” under the Family Educational Rights and Privacy Act, also known as FERPA, “and, thus, not ‘protected health information’ under HIPAA.”
An exception would be when schools are not subject to FERPA, which can be the case for private schools that don’t receive money from the U.S. Department of Education, but are considered a covered entity under HIPAA.
“For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients,” the HHS explains.
Schools are also subject to state and local privacy laws regarding the sharing of student health records. But, generally, school districts are not subject to HIPAA.