Are there circumstances in which the HIPAA Privacy Rule might apply to an elementary or secondary school?
There are some circumstances in which an elementary or secondary school would be subject to the HIPAA Privacy Rule, such as where the school is a HIPAA covered entity and is not subject to FERPA. As explained previously, most private schools at the elementary and secondary school levels typically do not receive funding from the U.S. Department of Education and, therefore, are not subject to FERPA.
A school that is not subject to FERPA and is a HIPAA covered entity must comply with the HIPAA Privacy Rule with respect to any individually identifiable health information it has about students and others to whom it provides health care. For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients. The only exception would be where the school, despite not being subject to FERPA, has education records on one or more students to whom it provides services on behalf of a school or school district that is subject to FERPA. In this exceptional case, the education records of only those publicly-placed students held by the private school would be subject to FERPA, while the remaining student health records would be subject to the HIPAA Privacy Rule.