Relationship to FERPA

The definition of "protected health information" under the Privacy Regulations (but not the Transaction Standards or the Security Regulations) contains an exception for education records covered under FERPA ("Family Educational Rights and Privacy", 20 U.S.C. 1232g). The designation of the "covered components" of the University therefore exclude those departments where the only records maintained contain student health information which is already protected by FERPA. However, if the department maintains both student and non-student protected health information, the department must comply with both regulations. FERPA and HIPAA have different requirements, so simply complying with one regulation does not ensure that compliance with the other regulation is not necessary.