In a recent webinar, the Nixon Peabody Higher Education team addressed the potential implications of HIPAA on colleges and universities, including in relation to their employer-sponsored health plans, student health clinics, and counseling programs.
Does HIPAA apply to student health centers? Laurie Cohen, Partner (Health Care, Albany)
In providing health care services to students, the college/university will be considered a health care provider under HIPAA (and thus a “covered entity”) if it submits claims electronically to a student’s health insurer or conducts any other covered transactions electronically.
Although the college/university may be considered a HIPAA-covered entity, it will not be required to comply with the HIPAA Privacy Rule to the extent that the health records maintained by the health center relate only to its students. HIPAA specifically excludes “education records” or “treatment records” from the definition of “protected health information” (PHI).
Instead, such student health records are governed by the Family Educational Rights and Privacy Act (FERPA). Although HIPAA does not apply to student health records, if the college or university meets the definition of a covered entity, HIPAA will apply to any PHI of non-students held by the college or university. To limit the application of HIPAA to specific components/departments, the college or university will want to determine whether to designate itself a “hybrid-covered” entity.
College/university-sponsored health plans are HIPAA-covered entities. Yelena Gray, Partner (Labor & Employment, Chicago)
College and university group health plan sponsors must amend their plan documents for compliance with HIPAA, certify to their plans that the sponsor will adhere to the HIPAA requirements, and establish a firewall between the sponsor’s personnel with access to PHI and the sponsor’s other workforce.
Colleges and universities must also identify plan vendors that are business associates and enter into business associate agreements with them to ensure maximum protection for plan participants and their covered dependents.
Is the college/university regulated as a HIPAA business associate? Valerie Breslin Montague, Partner (Health Care, Chicago)
Colleges and universities should continually review their operations to determine whether any of their services trigger HIPAA regulation as a business associate arrangement, such as a university providing administrative services to a physician faculty practice plan, where such an arrangement involves access to protected health information. If so, the organization should ensure that it enacts a HIPAA compliance plan and carefully reviews the provisions of all business associate agreements to ensure that the terms governing indemnification, notification, de-identification, and return of data, among others, are acceptable.
Assessing the applicability of HIPAA.
The consequences of noncompliance with HIPAA are significant. Nixon Peabody is able to assist colleges and universities in assessing the applicability of HIPAA to their health center operations, their employer-sponsored health plans, and other components.
Please reach out to Laurie Cohen, Yelena Gray, or Valerie Montague for additional information.