Are Education Records Under FERPA Excluded from HIPAA?
Short answer: yes. If a record meets the FERPA education records definition, or is a FERPA “treatment record” for eligible students, it is excluded from HIPAA’s definition of protected health information. Understanding where FERPA ends and HIPAA begins helps you design a school health records compliance program that protects student health information without over- or under-applying either rule set.
Definition of Education Records Under FERPA
FERPA defines education records as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the institution. This broad definition spans paper files, electronic databases, emails, photos, and audio/video if they identify a student.
What commonly counts under the FERPA education records definition:
- Academic records, attendance, and discipline files.
- Health information kept by the school (for example, nurse logs, immunization documentation received by the school, medication administration records, IEP/504 health components).
- Records maintained by contractors “acting for” the school (such as a hosted student information system or outsourced school nursing services).
Key exclusions from “education records” under FERPA include:
- Law enforcement unit records created and maintained by a school’s law enforcement unit.
- Employment records of school employees (when not contingent on student status).
- “Treatment records” of eligible students (18+ or postsecondary) maintained by a health professional and used only for treatment; if disclosed beyond treatment, they become education records.
HIPAA Coverage and Scope
HIPAA regulates covered entities—health plans, health care clearinghouses, and certain health care providers that conduct standard electronic transactions. It governs the use and disclosure of protected health information (PHI) and sets individual rights, administrative safeguards, and breach obligations.
Crucially, HIPAA’s definition of PHI excludes several categories, including:
- Education records governed by FERPA.
- FERPA “treatment records” for eligible students.
- Employment records held by a covered entity in its role as employer.
- De-identified data that meets HIPAA de-identification standards.
The net effect: the privacy of most student health information within schools is governed by FERPA, not HIPAA. HIPAA generally steps in only when a school is outside FERPA’s scope or when an external covered entity maintains the records.
Distinction Between School-Maintained and External Health Records
School-maintained records (FERPA-governed)
Health records that the school keeps in its files (nurse notes, screenings, immunization proofs submitted to the school, care plans, and medication logs) are typically FERPA education records. For school health records compliance, apply FERPA’s consent rules and access rights, document “legitimate educational interest,” and store data in the student record system with appropriate role-based access.
External provider records (HIPAA-governed)
When a community clinic, hospital, health department, or telehealth vendor operates on or near campus but is not acting for the school, its records are usually HIPAA PHI. This includes diagnoses, visit notes, and billing data maintained by that external provider. External providers should handle these records under HIPAA’s notice, authorization, and minimum-necessary standards, plus any stricter state health clinic record regulations.
When copies move between systems
- If an external provider shares a record with the school, the copy in the school’s possession becomes a FERPA record; the provider’s original remains HIPAA PHI.
- If a school-employed nurse sends information to a student’s physician, the disclosure must meet FERPA rules; the physician’s copy is then HIPAA PHI.
Special case: private K–12 not subject to FERPA
Private elementary and secondary schools that do not receive U.S. Department of Education funds are generally outside FERPA. In those settings, a school-run clinic can be subject to HIPAA if it is a covered entity (for example, it bills electronically). If the clinic is not a HIPAA covered entity, state student privacy and medical confidentiality laws fill the gap.
Conditions for HIPAA Applicability on School Campuses
HIPAA applies on or near campus when one or more of the following conditions are true:
- An on-site clinic is operated by a separate covered entity (e.g., a hospital or FQHC) that maintains its own records and conducts standard electronic transactions.
- The school is not subject to FERPA (such as certain private K–12 schools) and its clinic qualifies as a HIPAA covered entity.
- A university medical center treats non-students (faculty, staff, or the public); those non-student records are HIPAA PHI even if student records at the same clinic are FERPA or FERPA “treatment records.”
- Vendors independently providing healthcare services to students keep their own files; their records are HIPAA PHI unless they are acting for the school as part of the education record system.
Operational implications when HIPAA applies:
- Issue a HIPAA Notice of Privacy Practices and obtain HIPAA-compliant authorizations when required.
- Execute Business Associate Agreements with service providers handling PHI on the clinic’s behalf.
- Segment systems so HIPAA PHI and FERPA records are stored and accessed under the correct rule set.
Legal Implications of FERPA and HIPAA Overlap
Access and disclosure rules
- Under FERPA, parents (K–12) or eligible students (18+ or postsecondary) generally have a right to inspect and review education records. FERPA usually requires prior written consent before disclosure, with defined exceptions.
- Under HIPAA, individuals generally have a right of access to PHI, but HIPAA does not apply to FERPA education records or FERPA treatment records. For treatment records, access is through the treating provider; if incorporated into the education record, FERPA access rules then apply.
Emergency and public health exceptions
- FERPA permits disclosures without consent during a health or safety emergency to appropriate parties who need the information to protect the student or others.
- HIPAA permits disclosures for treatment, public health reporting, and to prevent or lessen a serious and imminent threat, subject to minimum-necessary and state-law constraints.
Preemption and enforcement
- Whether FERPA or HIPAA applies depends on who maintains the record and for what purpose. FERPA controls education records, while HIPAA controls PHI held by covered entities outside FERPA.
- State laws may impose stricter privacy standards, especially for sensitive services; apply the stricter rule where it does not conflict with federal law.
- FERPA is enforced by the U.S. Department of Education; HIPAA by HHS Office for Civil Rights. Sanctions, complaint processes, and breach duties differ.
Conclusion
Education records under FERPA—including most school-kept health files—and FERPA “treatment records” are excluded from HIPAA. HIPAA applies when an external covered entity maintains the record, when a school is outside FERPA, or when treating non-students. Map data flows, identify the record custodian, and apply the correct rule set to ensure compliant, student-centered privacy practices. This overview is for general information and not legal advice.
FAQs
Are health records maintained by schools exempt from HIPAA?
Yes, when the school is subject to FERPA, health records it maintains are either education records or, for eligible students, FERPA treatment records—both are excluded from HIPAA. Exceptions arise in private K–12 schools not covered by FERPA or when an external provider, not acting for the school, maintains its own HIPAA PHI.
When does HIPAA apply to school-based health clinics?
HIPAA applies when the clinic is operated by a separate covered entity (such as a hospital, FQHC, or health department) that keeps its own records and conducts standard electronic transactions, when a school is outside FERPA and the clinic qualifies as a covered entity, or when the clinic treats non-students. In those situations, follow HIPAA’s health clinic record regulations in addition to any stricter state laws.
How does FERPA define education records?
Education records are records directly related to a student and maintained by an educational institution or a party acting for it. Common examples include academic files, discipline records, and school-kept health information. Exclusions include law enforcement unit records, certain employment records, alumni records, and FERPA “treatment records” kept solely for treatment by a health professional.
Can external health providers on campuses override FERPA protections?
No. External providers cannot override FERPA. Their own files are typically HIPAA PHI, but any copy they share with a school becomes a FERPA record in the school’s custody. Disclosures from the provider must satisfy HIPAA, and the school’s subsequent use and sharing must meet FERPA—each regime applies within its jurisdiction.