As I’ve often noted on PogoWasRight.org, student health records are generally covered under FERPA, not HIPAA. When a school district provides a health center, however, the student’s health records may be covered by HIPAA, as seems to be the case with the St. Martin Parish School Based Health Centers in Louisiana. They notified HHS last week of a breach affecting 3,000 patients. The incident was coded as “theft,” with the location of the PHI coded as “Desktop Computer, Electronic Medical Record, Laptop.”
Unfortunately, I have not found anything on their web site to explain what happened, when, or how.
But if you want to see how much sensitive info is collected on students for the health centers, just take a look at the consent form.