For most university-run clinics, records on currently enrolled students are FERPA treatment or education records and are excluded from the HIPAA Privacy Rule, per joint guidance from the U.S. Department of Education and HHS. However, the picture changes if your center treats non-students, faculty, or community members, or if it conducts standard electronic billing transactions with insurers, which can make it a HIPAA covered entity for those functions. Many campus health centers therefore live under both frameworks at the same time, and counseling records add state mental health confidentiality laws on top. Medical IT Company maps exactly which records fall under which law and configures access controls, encryption, and audit logging that satisfy the strictest applicable standard. That way a records request, an audit, or a breach never catches your director without a documented answer.


Leave A Comment