Comment: A few commenters supported the exclusion of "education records" from the definition of "protected health information." However, one commenter requested that "treatment records" of students who are 18 years or older attending post-secondary education institutions be excluded from the definition of "protected health information" as well to avoid confusion.
Response: We agree with these commenters. See "Relationship to Other Federal Laws" for a description of our exclusion of FERPA "education records" and records defined at 20 U.S.C. 1232g(a)(4)(B)(iv), commonly referred to as "treatment records," from the definition of "protected health information."
Comment: One comment suggested that the regulation should not apply to any health information that is part of an "education record" in any educational agency or institution, regardless of its FERPA status.
Response: We disagree. As noted in our discussion of "Relationship of Other Federal Laws," we exclude education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA.
Comment: One commenter suggested eliminating the preamble language that describes school nurses and on-site clinics as acting as providers and subject to the privacy regulation, noting that this language is confusing and inconsistent with the statements provided in the preamble explicitly stating that HIPAA does not preempt FERPA.
Response: We agree that this language may have been confusing. We have provided a clearer expression of when schools may be required to comply with the privacy regulation in the "Relationship to Other Federal Laws" section of the preamble.
Comment: One commenter suggested adding a discussion of FERPA to the "Relationship to Other Federal Laws" section of the preamble.
Response: We agree and have added FERPA to the list of federal laws discussed in "Relationship to Other Federal Laws" section of the preamble.
Comment: One commenter stated that school clinics should not have to comply with the "ancillary" administrative requirements, such as designating a privacy official, maintaining documentation of their policies and procedures, and providing the Secretary of HHS with access.
Response: We disagree. Because we have excluded education records and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by educational agencies and institutions subject to FERPA from the definition of protected health information, only non-FERPA schools would be subject to the administrative requirements. Most of these school clinics will also not be covered entities because they are not engaged in HIPAA transactions and these administrative requirements will not apply to them. However, to the extent a school clinic is within the definition of a health care provider, as Congress defined the term, and the school clinic is engaged in HIPAA transactions, it will be a covered entity and must comply with the rules below.
Comment: Several commenters expressed concern that the privacy regulation would eliminate the parents' ability to have access to information in their children's school health records. Because the proposed regulation suggests that school-based clinics keep health records separate from other educational files, these comments argued that the regulation is contrary to the spirit of FERPA, which provides parents with access rights to their children's educational files.
Response: As noted in the "Relationship to Other Federal Laws" provision of the preamble, to the extent information in school-based clinics is not protected health information because it is an education record, the FERPA access requirements apply and this regulation does not. For more detail regarding the rule's application to unemancipated minors, see the preamble discussion about "Personal Represenatives."