Are the health records of an individual who is both a student and an employee of a university at which the person receives health care subject to the privacy provisions of FERPA or those of HIPAA?
The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 (“education records”). While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.