HIPAA Compliance Checklist for Student Health Centers
FERPA and HIPAA Applicability
Start by mapping which privacy law governs each record set. Most student medical and counseling records maintained by a school are protected by FERPA, not HIPAA. HIPAA can still apply to the student health center when it functions as a covered health care provider and to records of non‑students (for example, employees or dependents) that meet the definition of protected health information, including electronic protected health information (ePHI).
Practical checklist
- Classify populations served (students, employees, dependents, visitors) and tag which records are FERPA “education” or “treatment” records versus HIPAA PHI.
- Confirm whether the clinic performs standard electronic transactions (billing/eligibility); if yes, it is a HIPAA covered provider for HIPAA‑governed records.
- Apply the minimum necessary standard to HIPAA disclosures outside treatment, payment, and health care operations (TPO), and document authorization requirements for non‑TPO uses.
- Define pathways for lawful FERPA disclosures (e.g., written consent or specific exceptions) separate from HIPAA pathways to avoid commingling rules.
- Train staff to recognize when a single visit can generate both FERPA and HIPAA records and how to file each correctly.
Hybrid Entity Status
Universities often qualify as HIPAA hybrid entities. Designate the student health center, counseling services, pharmacy, and any on‑campus laboratory as the “health care component.” HIPAA applies to that component and its business associates, while other university units remain outside HIPAA.
Practical checklist
- Issue a written hybrid‑entity designation that identifies covered functions and the health care component’s workforce.
- Create administrative “firewalls” so non‑covered university units cannot access PHI without a permissible basis.
- Appoint a privacy officer and security official for the health care component and define reporting lines.
- Inventory vendors that create, receive, maintain, or transmit ePHI and execute Business Associate Agreements before any data exchange.
- Segment systems, shared drives, and ticketing tools so PHI never flows to non‑covered components by default.
Risk Assessment Practices
A formal risk analysis under the HIPAA Security Rule is foundational. It identifies where ePHI lives, the threats and vulnerabilities affecting it, and the likelihood and impact of adverse events so you can prioritize controls.
How to perform and maintain the risk analysis
- Asset and data flow inventory: chart every system, device, app, and vendor that creates or touches ePHI.
- Threat/vulnerability identification: include phishing, ransomware, lost devices, misdirected email, misconfigured cloud storage, and insider error.
- Risk evaluation: rate likelihood and impact, then rank risks in a living risk register with owners and due dates.
- Risk management: select safeguards, document rationale, and track remediation to closure.
- Testing and review: tabletop your incident response plan and reassess at least annually or upon major changes.
- Third‑party oversight: assess vendors handling ePHI and verify controls promised in their Business Associate Agreements.
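As an added illustration of the risk register described above (not part of the original checklist), the following Python keeps each risk with its likelihood and impact rating, owner, due date and status, ranks open risks, flags overdue or ownerless entries, and checks the register against the ePHI asset inventory so that no inventoried system is left unassessed. The 1-to-5 rating scales, the likelihood-times-impact scoring, and all sample assets and entries are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Rating scales are an assumption for this example:
# 1 (rare / negligible) to 5 (almost certain / severe).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Risk:
    risk_id: str
    asset: str          # system, device, app or vendor from the ePHI inventory
    threat: str
    likelihood: int
    impact: int
    owner: Optional[str] = None
    due: Optional[date] = None
    status: str = "open"   # open | in_progress | closed

    @property
    def score(self) -> int:
        # Likelihood x impact product; the scoring method is an assumption
        return self.likelihood * self.impact


def validate(register: List[Risk]) -> List[str]:
    """Flag entries that would not survive an audit: off-scale ratings,
    or open risks with no owner or due date."""
    problems = []
    for r in register:
        if not (SCALE_MIN <= r.likelihood <= SCALE_MAX and SCALE_MIN <= r.impact <= SCALE_MAX):
            problems.append(f"{r.risk_id}: rating outside {SCALE_MIN}-{SCALE_MAX}")
        if r.status != "closed" and (r.owner is None or r.due is None):
            problems.append(f"{r.risk_id}: open risk without owner or due date")
    return problems


def rank(register: List[Risk]) -> List[str]:
    """Open risk ids, highest score first; ties broken by likelihood."""
    open_risks = [r for r in register if r.status != "closed"]
    open_risks.sort(key=lambda r: (r.score, r.likelihood), reverse=True)
    return [r.risk_id for r in open_risks]


def overdue(register: List[Risk], today: date) -> List[str]:
    """Open risks whose remediation due date has passed."""
    return [r.risk_id for r in register
            if r.status != "closed" and r.due is not None and r.due < today]


def uncovered_assets(inventory: List[str], register: List[Risk]) -> List[str]:
    """Inventoried ePHI assets that no risk entry mentions: the analysis is incomplete for them."""
    covered = {r.asset for r in register}
    return [a for a in inventory if a not in covered]


# Constructed sample data for a small clinic
EPHI_INVENTORY = ["EHR server", "clinic laptops", "email", "cloud storage",
                  "e-prescribing vendor", "telehealth platform"]
SAMPLE_REGISTER = [
    Risk("R1", "EHR server", "ransomware", 3, 5, "security official", date(2025, 5, 15), "in_progress"),
    Risk("R2", "clinic laptops", "lost unencrypted device", 4, 4, "IT lead", date(2025, 7, 1)),
    Risk("R3", "email", "misdirected email with PHI", 5, 2, "privacy officer", date(2025, 4, 1)),
    Risk("R4", "cloud storage", "misconfigured bucket", 2, 5, "IT lead", date(2025, 1, 10), "closed"),
    Risk("R5", "e-prescribing vendor", "vendor breach", 2, 4),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print("ranked:", rank(SAMPLE_REGISTER))
    print("overdue:", overdue(SAMPLE_REGISTER, today))
    print("problems:", validate(SAMPLE_REGISTER))
    print("uncovered:", uncovered_assets(EPHI_INVENTORY, SAMPLE_REGISTER))
```

The register deliberately keeps closed risks out of the ranking and the overdue check but still counts their asset as covered, so the inventory check reflects what has actually been analysed rather than what is currently open.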
Administrative Safeguards
Administrative safeguards translate policy into daily practice. They set who may access PHI, under what conditions, and how you respond when something goes wrong.
Your core policies and procedures
- Security management process: document your risk analysis and risk management plan; maintain a sanctions policy for violations.
- Assigned roles: name a privacy officer and security official with authority and resources to act.
- Workforce security and training: provision/deprovision access promptly; provide orientation and periodic refreshers with phishing awareness.
- Information access management: implement role‑based access and written authorization requirements for non‑TPO uses; enforce the minimum necessary standard.
- Security incident procedures: define intake, triage, forensics, containment, and documentation steps.
- Contingency planning: create and test data backup, disaster recovery, and emergency mode operation procedures for critical clinical systems.
- Evaluation and documentation: review policies regularly, keep decisions and evidence of training, and retain required records.
- Business Associate Agreements: execute and monitor BAAs for billing, EHR hosting, telehealth, secure messaging, and shredding/destruction services.
Technical Safeguards
Technical safeguards protect systems and data. Prioritize controls that restrict access, record activity, preserve integrity, and secure transmissions.
Controls to implement
- Access controls: unique user IDs, role‑based provisioning, multi‑factor authentication, automatic logoff, and emergency access procedures.
- Audit controls: centralized log collection for EHR, e‑prescribing, email, VPN, and cloud apps; enable alerts for anomalous access and regularly review audit logs.
- Integrity protections: verified backups, checksums or hashing where applicable, and change control for EHR configurations.
- Transmission security: encrypt data in transit (e.g., TLS/VPN), restrict insecure channels, and secure telehealth sessions.
- Encryption of ePHI at rest: full‑disk encryption for laptops and mobile devices; encrypt databases and managed cloud storage.
- Endpoint and vulnerability management: timely patching, anti‑malware/EDR, device inventory, and restricted administrative privileges.
- Data loss prevention and email safeguards: outbound filtering, approved secure messaging/portal for PHI, and safeguards for misdirected email.
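To show what the audit-control item above means in practice, here is an added Python example (not code from the original page) that runs a periodic review over a constructed EHR access log. It raises three kinds of review items: access by a workforce member whose account should already have been deprovisioned, access outside clinic hours by a role not expected to chart after hours, and a user touching more distinct patient records in a day than a baseline threshold. The log format, clinic hours, on-call roles, threshold and all log lines are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumptions for this example: clinic hours, roles expected to work after
# hours, and a per-day distinct-patient threshold (set low so the sample trips it).
CLINIC_OPEN_HOUR, CLINIC_CLOSE_HOUR = 7, 19
ON_CALL_ROLES = {"physician"}
DISTINCT_PATIENTS_PER_DAY = 3

# Constructed sample EHR access log: timestamp,user,role,action,patient_id,source_ip
SAMPLE_LOG = """\
2025-03-03T09:12:04,jdoe,nurse,view,P1001,10.20.1.15
2025-03-03T09:40:11,jdoe,nurse,view,P1002,10.20.1.15
2025-03-03T10:05:30,asmith,front_desk,view,P1003,10.20.1.22
2025-03-03T23:17:45,asmith,front_desk,view,P1004,10.20.1.22
2025-03-03T11:02:09,bturner,billing,view,P1005,10.20.1.30
2025-03-03T11:03:15,bturner,billing,view,P1006,10.20.1.30
2025-03-03T11:04:51,bturner,billing,view,P1007,10.20.1.30
2025-03-03T11:05:33,bturner,billing,view,P1008,10.20.1.30
2025-03-03T14:30:00,kwong,nurse,view,P1009,10.20.1.40
"""

# Constructed: accounts that HR/IT records say should have been removed already
DEPROVISIONED: Set[str] = {"kwong"}


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the comma-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "patient": patient, "ip": ip})
    return events


def find_anomalies(events: List[Dict[str, object]],
                   deprovisioned: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) triples a reviewer should look at."""
    alerts = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patient ids
    for e in events:
        ts = e["ts"]
        if e["user"] in deprovisioned:
            alerts.append(("deprovisioned_user", e["user"],
                           f"{e['action']} {e['patient']} at {ts.isoformat()}"))
        after_hours = ts.hour < CLINIC_OPEN_HOUR or ts.hour >= CLINIC_CLOSE_HOUR
        if after_hours and e["role"] not in ON_CALL_ROLES:
            alerts.append(("after_hours", e["user"],
                           f"{e['role']} viewed {e['patient']} at {ts.isoformat()}"))
        per_user_day[(e["user"], ts.date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > DISTINCT_PATIENTS_PER_DAY:
            alerts.append(("volume", user, f"{len(patients)} distinct patients on {day}"))
    return alerts


def review(text: str = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    return find_anomalies(parse_log(text), DEPROVISIONED)


if __name__ == "__main__":
    for rule, user, detail in review():
        print(f"[{rule}] {user}: {detail}")
```

In a real deployment the thresholds come from the role's observed baseline and the deprovisioned set from the HR feed, and every alert is logged with the reviewer's disposition so the periodic review itself leaves evidence.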
Physical Safeguards
Physical safeguards protect facilities, workstations, and media so PHI is not exposed through loss, theft, or shoulder surfing.
Facilities and devices
- Facility access controls: locked clinical areas, badge or key management, visitor sign‑in, and after‑hours procedures.
- Workstation use and security: locate screens away from public view, use privacy filters, and enable automatic screen lock.
- Device and media controls: track hardware, encrypt and remotely wipe laptops and phones, and document disposal and media re‑use.
- Secure printing and scanning: require release codes, clear print trays promptly, and shred PHI using approved methods.
- Environmental protections: safeguard network closets and servers with access logs and tamper detection.
Breach Notification Policies
Build procedures aligned to the HIPAA breach notification rule. Not every incident is a breach; first assess whether there is a low probability that PHI was compromised based on the nature of the data, who received it, whether it was actually viewed, and mitigation performed.
Determine and document
- Secure the incident, preserve logs, and complete a documented risk assessment for each event.
- If the analysis shows notification is required, prepare notices that describe what happened, the types of information involved, steps individuals should take, your mitigation, and contact information.
If notification is required
- Notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery.
- If a breach affects 500 or more residents of a state or jurisdiction, notify the Secretary of HHS and prominent media within 60 calendar days.
- For breaches affecting fewer than 500 individuals, log them and report to the Secretary of HHS no later than 60 days after the end of the calendar year in which they were discovered.
- Coordinate with FERPA obligations for education records and with applicable state data‑breach laws when they impose additional or shorter deadlines.
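The deadline rules listed above are easy to get wrong once a breach is discovered late in the year or a state law sets a shorter clock, so here is an added Python example (not from the original page) that computes the outer deadlines for one breach: individual notice 60 calendar days from discovery, HHS and media notice on the same clock for 500 or more affected, and the annual-log deadline of 60 days after the end of the calendar year of discovery for smaller breaches. The state-law override is passed in by the caller as a number of days; the media rule is applied on the affected count as a simplifying assumption, whereas the rule in the text keys on residents of a single state or jurisdiction.

```python
from datetime import date, timedelta
from typing import Dict, Optional

HIPAA_OUTER_LIMIT_DAYS = 60      # "no later than 60 calendar days from discovery"
LARGE_BREACH_THRESHOLD = 500


def notification_deadlines(discovered: date, affected: int,
                           state_law_days: Optional[int] = None) -> Dict[str, Optional[date]]:
    """Outer deadlines for a single breach.

    The federal clock runs from the discovery date. A shorter state-law clock
    (an assumption supplied by the caller) overrides the individual-notice
    deadline only when it is stricter; it never relaxes the federal limit.
    """
    federal_limit = discovered + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)

    individuals = federal_limit
    if state_law_days is not None and state_law_days < HIPAA_OUTER_LIMIT_DAYS:
        individuals = discovered + timedelta(days=state_law_days)

    if affected >= LARGE_BREACH_THRESHOLD:
        hhs = federal_limit
        # Assumption: the affected count is treated as residents of one state/jurisdiction
        media = federal_limit
    else:
        # Smaller breaches go on the annual log, reported no later than 60 days
        # after the end of the calendar year in which they were discovered
        year_end = date(discovered.year, 12, 31)
        hhs = year_end + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
        media = None

    return {"individuals": individuals, "hhs": hhs, "media": media}


def days_remaining(deadlines: Dict[str, Optional[date]], today: date) -> Dict[str, Optional[int]]:
    """Negative values mean the deadline has already passed."""
    return {k: (None if d is None else (d - today).days) for k, d in deadlines.items()}


if __name__ == "__main__":
    # Constructed scenarios
    large = notification_deadlines(date(2024, 3, 1), affected=1200)
    small_late_year = notification_deadlines(date(2024, 12, 20), affected=300)
    print("large breach:", large)
    print("small breach discovered in December:", small_late_year)
    print("days left as of 2025-01-15:", days_remaining(small_late_year, date(2025, 1, 15)))
```

Note that for a small breach discovered in December the annual-log deadline can fall after the individual-notice deadline; the two clocks are independent, so track both.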
Conclusion
To operationalize HIPAA compliance in a student health center, classify which records are governed by FERPA versus HIPAA, formalize hybrid‑entity boundaries, complete and act on a risk analysis, and implement administrative, technical, and physical safeguards. Maintain solid Business Associate Agreements, enforce access and audit controls, and rehearse breach notification steps so you can respond quickly and lawfully.
FAQs
How does FERPA affect HIPAA compliance at student health centers?
FERPA generally governs student medical and counseling records kept by the school, so those records are not HIPAA PHI. HIPAA still applies to the health center’s HIPAA‑covered operations and to PHI for non‑students (such as employees or dependents). The result is a dual‑framework environment: apply FERPA rules to student education and treatment records, and apply HIPAA—including the minimum necessary standard and authorization requirements—to HIPAA‑governed PHI.
What are the key administrative safeguards required under HIPAA?
Key safeguards include a documented risk analysis and risk management plan, designated privacy and security leaders, workforce training and sanctions, information access management with role‑based access, authorization requirements for non‑TPO uses, incident response procedures, contingency plans (backup, disaster recovery, emergency operations), periodic evaluations, and executed Business Associate Agreements with all vendors handling ePHI.
When must a breach be reported to the Secretary of Health and Human Services?
Under the breach notification rule, if a breach affects 500 or more individuals, you must notify the Secretary of HHS without unreasonable delay and no later than 60 calendar days from discovery. If a breach affects fewer than 500 individuals, you must log it and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.