March 28, 2018
We are sensitive to all security and privacy concerns. In fact, security and privacy are our top priorities in providing our services to hundreds of school districts throughout the United States. We are often asked if our service is subject to any federal privacy laws. Keep reading to learn how federal privacy laws apply to FinalForms.
The Health Insurance Portability and Accountability Act (“HIPAA”), 29 U.S.C. §1181, generally does not apply to our elementary or secondary school clients because such schools either (1) are not HIPAA covered entities, or (2) are HIPAA covered entities but maintain health information only on students in records that are, by definition, “education records” under the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. §1232g, and, therefore, are not subject to the “Privacy Rule” established by HIPAA.
The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. Even a school that employs a health care provider who conducts one or more covered transactions electronically is not required to comply with the HIPAA Privacy Rule if it maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. 45 CFR §160.103.
FinalForms is not a health care clearinghouse and does not conduct covered transactions under HIPAA. FinalForms simply replaces the paper documentation or the less capable online systems of our school clients.
Here are a few more points regarding FinalForms:
1. All data collected is requested or required by your school district, your district’s athletic department, your State's Department of Education, or your State's Revised Code.
2. All users with access to student data are provisioned by the school district, with specific levels of access.
Notes about 1 & 2: The information collected via FinalForms by your school district includes the same data previously collected on paper. Your school district may provide data access to the same personnel with the same permissions they had in any previous system, whether paper or online, and and your data will assuredly be even more secure!
3. To learn more about our other security practices, please click here: https://www.finalforms.org/security
TERMS OF SERVICE
- FinalForms TOS
These government websites provide more information about HIPAA and FERPA: