Share Your Feedback

The REMS TA Center seeks your feedback to ensure that the Website is continually enhanced to meet your needs.

1.How helpful did you find this Web page?

Extremely helpful

Very helpful

Somewhat helpful

Not helpful

2.Will you use the information and resources from this Web page to develop or enhance your emergency operations plan?

Yes

Unsure

3.What else would you like to see on this Web page?

Public Burden Statement

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. The valid OMB control number for this information collection is 1880-0542, expiration 12/31/2023. Public reporting burden for this collection of information is estimated to average 2 minutes per response, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The obligation to respond to this collection is voluntary. If you have any comments concerning the accuracy of the time estimate, suggestions for improving this individual collection, or if you have comments or concerns regarding the status of your individual form, application or survey, please contact Cindy Savage, Contracting Officer, Office of Elementary and Secondary Education, cindy.savage@ed.gov directly.

Please check the box below to proceed.

Thank You!

Your responses have been submitted to the REMS TA Center. We appreciate your feedback.

Previous Next Close

Higher Ed Emergency Management Planning

Information Sharing: Health Insurance Portability and Accountability Act of 1996 (HIPAA)

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule, protect the privacy and security of individually identifiable health information, called “protected health information” or “PHI.” Such information is held by health plans, health care clearinghouses, and most health care providers, collectively known as “covered entities,” and their business associates (entities that have access to individuals’ health information to perform work on behalf of a covered entity).

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards to protect the privacy of individuals’ identifiable health information. In doing so, the Privacy Rule sets forth the circumstances under which covered entities and their business associates may use or disclose an individual’s health information, requires safeguards to protect the information, and gives individuals rights, including rights to examine and obtain a copy of their health records and to request corrections.

A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care, and to protect the public's health and well-being. Given that the health care marketplace is diverse, the Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form. The Security Rule sets out the technical, administrative, and physical safeguards that covered entities and business associates must put in place to secure individuals’ electronic health information. The Security Rule is designed to be flexible and scalable, and technology neutral, so a covered entity or business associate can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ electronic health information. The U.S. Department of Health and Human Services Office for Civil Rights has responsibility for administering and enforcing the Privacy and Security Rules.

How Does HIPAA Apply in Institutions of Higher Education?

Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Generally, HIPAA does not apply to health information in student records maintained by an IHE. While IHEs may maintain student health records, these records are in most cases not protected by HIPAA. Rather, student health information maintained at an IHE would be considered education or treatment records protected by FERPA.

HIPAA may apply, however, to patient records at a university hospital, which may include records on students and non-students, or to the health records of non-students at a university health clinic.

During the emergency planning process, if you believe health information to which access may be needed is covered by HIPAA, you should consult the guidance and resources section for further information about how HIPAA applies.

HIPAA Guidance and Resources

The Office for Civil Rights has developed, and continues to develop, extensive guidance pertaining to the implementation of HIPAA Privacy Rule and emergency situations. The Office for Civil Rights website has guidance about the intersection between HIPAA and FERPA, and the release of PHI for common emergency preparedness issues and public health purposes, such as terrorism preparedness and outbreak investigations. For more detailed information or additional guidance, please see the Office for Civil Rights website at https://www.hhs.gov/hipaa/index.html.

Previous Next