
This Week in Privacy: Are University Health Centers Covered under HIPAA?

“This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email k@heartofprivacy.com with “This Week in Privacy” in the subject line.

Q: Are university health centers covered under HIPAA?


A: Not all medical centers or doctors fall under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its subsequent amendments. Entities must be engaged in a covered activity, most of which are related to filing insurance claims. If the university center does not engage in these activities, then HIPAA does not apply to it, and if it did, it would only apply to non-students.

The Family Educational Rights and Privacy Act (FERPA) at 20 U.S.C. 1230 et seq. governs student records at most postsecondary institutions, and includes school health centers. As such, the records are likely treatment records and excluded from HIPAA. The definition of “protected health information” at 45 CFR § 160.103 includes notable exceptions: “(2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv).”

“Treatment records” are records on a student who is 18 years of age or older, or is attending an institution of postsecondary education. These records are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in their professional or paraprofessional capacity, or assisting in that capacity, and are made, maintained, or used only in connection with the provision of treatment to the student. Furthermore, they are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice. If the records are disclosed for purposes other than treatment, they are no longer excluded as “education records” and would then fall under all the other FERPA requirements.

About the Author

K Royal is a technology columnist for ACCDocket.com, and director at TrustArc. @heartofprivacykroyal

