March 28, 2018
We are sensitive to all security and privacy concerns. In fact, security and privacy are our top priorities in providing our services to hundreds of school districts throughout the United States. We often receive questions about whether our service is subject to certain federal privacy laws. An explanation of the applicability of those laws to our service is set forth below.
The Health Insurance Portability and Accountability Act (“HIPAA”), 29 U.S.C. §1181, generally does not apply to our elementary or secondary school clients because such schools either: (1) are not HIPAA covered entities; or (2) are HIPAA covered entities but maintain health information only on students in records that are, by definition, “education records” under the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. §1232g, and, therefore, are not subject to the “Privacy Rule” established by HIPAA.
The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. Even a school that employs a health care provider who conducts one or more covered transactions electronically is not required to comply with the HIPAA Privacy Rule if it maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. 45 CFR §160.103.
FinalForms is not a health care clearinghouse and does not conduct covered transactions under HIPAA. FinalForms simply replaces the paper documentation, or the less capable online systems of our school clients, for whom HIPAA does not apply.
Here are a few more points regarding FinalForms:
1. All data collected is requested or required by your school district, your district’s athletic department, your State's Department of Education, or your State's Revised Code.
2. All users with access to student data are provisioned by the school district, with specific levels of access.
Notes about 1 & 2: The information collected via FinalForms by your school district includes the same data as was previously collected on paper. Your school district may provide access to the exact personnel with the exact permissions that existed with any previous system, paper or online, and it will positively be even more secure!
3. If you would like to read about other security practices, you can learn more here: https://www.finalforms.org/security
TERMS OF SERVICE
- FinalForms TOS
Here are a few links to government websites regarding both HIPAA and FERPA: