Are Medical Education Records Subject to HIPAA? FERPA vs. HIPAA Explained

Kevin Henry

HIPAA

April 18, 2026

If you work in a school, university, clinic, or hospital, you’ve likely wondered whether medical education records fall under HIPAA or FERPA. The short answer: most student health and education records held by schools are governed by FERPA, not HIPAA. HIPAA usually applies only when a separate health care provider or hospital handles the records as a HIPAA covered entity.

This guide clarifies the line between FERPA education records and protected health information under HIPAA, so you can handle health information disclosure correctly in K–12 and higher education settings.

FERPA Definition and Scope

FERPA (the Family Educational Rights and Privacy Act) protects the privacy of “education records” maintained by an educational agency or institution, or by a party acting for the institution. If your school receives federal funds, FERPA almost certainly applies.

What counts as a FERPA education record

  • Records directly related to a student and maintained by the school: grades, transcripts, disciplinary files, disability services documentation, and many K–12 health entries kept in the cumulative file.
  • Health information kept by the school nurse or district (e.g., immunizations, medication logs) when maintained by the school or its agent for educational purposes.

Core FERPA rights

  • Right to inspect and request amendment of education records.
  • Consent requirement before disclosure, with defined exceptions.
  • Access for school officials with legitimate educational interests.

HIPAA Definition and Covered Entities

HIPAA (the Health Insurance Portability and Accountability Act) protects “protected health information” (PHI) held by HIPAA covered entities and their business associates. Covered entities include health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions (such as electronic billing).

HIPAA focuses on PHI within the health care system—diagnoses, treatments, and billing data tied to an individual—rather than on the broader category of education records. If your organization is not a HIPAA covered entity, HIPAA’s Privacy Rule generally does not apply to the records you keep.

Distinction Between FERPA and HIPAA

Think of FERPA and HIPAA as two separate circles that rarely overlap. FERPA covers student education records maintained by schools; HIPAA covers PHI maintained by health care entities. Critically, HIPAA excludes from PHI both FERPA education records and the special category of student “treatment records” described below.

Quick scenario map

  • K–12 school nurse records kept by the district: Typically FERPA, not HIPAA.
  • School-based health centers run by the school: FERPA governs those student records.
  • School-based health centers operated by an outside clinic or hospital: Those clinical records are HIPAA PHI; the school’s copy (if any) is a FERPA education record.
  • University student health services integrated with the institution: Records are FERPA education records or fall within the treatment records exclusion; HIPAA does not apply to those specific student records.
  • University hospitals or external providers: Their clinical records are HIPAA PHI, even when the patient is a student.

Student Health Records Under FERPA

When a school or district maintains student health information—vision screenings, allergy plans, immunization proof, medication administration logs—those files are FERPA education records. Staff may access them only for legitimate educational interests, and you generally need consent before sharing outside the exceptions FERPA allows.

In higher education, counseling or disability services notes that are shared beyond the treating professionals (for accommodation decisions, conduct matters, or academic interventions) become FERPA education records. Once part of the education record, HIPAA’s rules no longer apply; FERPA controls access and disclosure.

Treatment Records Exclusion at Postsecondary Institutions

FERPA contains a treatment records exclusion for postsecondary students. Records are “treatment records” if they are:

  • Made or maintained by a physician, psychologist, counselor, or other recognized professional;
  • Used only for treatment of the student; and
  • Disclosed only to those providing treatment.

These treatment records are excluded from FERPA’s education record definition and, by design, are also not PHI under HIPAA. However, the moment such records are used for non-treatment purposes (for example, shared with conduct officers or academic administrators), they become FERPA education records and are handled under FERPA’s access and disclosure rules.

This “treatment records exclusion” commonly applies to university counseling centers and student health clinics that keep records solely for ongoing clinical care within the institution.

Health Records in University Hospitals

University hospitals and academic medical centers typically operate as HIPAA covered entities. Clinical records they maintain—diagnoses, imaging, lab results, billing—are protected health information under HIPAA, even when the patient is also a student. In these settings, HIPAA’s authorization and disclosure standards govern the hospital’s files.

Some universities designate their health care components (e.g., medical center, dental clinics, specialty practices) as HIPAA entities within a hybrid university structure. In that case, records within the health care component are HIPAA PHI, while records maintained by the educational side remain under FERPA. Sharing between the hospital and the school requires either the patient’s authorization or a HIPAA-permitted disclosure; “legitimate educational interests” under FERPA does not, by itself, permit a HIPAA entity to transmit PHI to the registrar or dean.

Disclosure Rules Under FERPA and HIPAA

FERPA disclosure framework

  • Consent is the default for releasing education records.
  • Key exceptions: school officials with legitimate educational interests; health or safety emergencies; disclosures to another school where the student seeks or intends to enroll; certain audits, evaluations, and financial aid processes; subpoenas or court orders; and limited “directory information” unless opted out.
  • Parents have rights in K–12; rights transfer to the student at age 18 or when attending a postsecondary institution.

HIPAA disclosure framework

  • Authorization is the default for releasing PHI.
  • Permitted uses/disclosures without authorization: treatment, payment, and health care operations; certain public health activities; oversight; specific law enforcement or court orders; research under defined conditions; and to prevent or lessen a serious and imminent threat.
  • For minors, parental access under HIPAA depends on state law and the nature of services. In schools, remember that FERPA—not HIPAA—typically governs the education record copy.

School-based health centers and cross-walking rules

  • If the center is operated by the school, its student records are FERPA education records.
  • If operated by an external HIPAA covered clinic, the clinic’s chart is HIPAA PHI. Sharing with the school requires HIPAA-compliant authorization or a specific HIPAA permission (e.g., public health reporting). The school’s copy, once received, becomes a FERPA education record.

Summary

  • Are medical education records subject to HIPAA? Generally no—if they are FERPA education records or postsecondary treatment records, HIPAA does not apply.
  • HIPAA applies when a HIPAA covered entity (such as a university hospital or outside clinic) maintains the records.
  • Identify who maintains the record and for what purpose; that determines whether FERPA or HIPAA governs health information disclosure.

FAQs

What records does FERPA protect?

FERPA protects education records—documents directly related to a student and maintained by a school or a party acting for the school. This includes most academic files and many school-maintained health entries (e.g., immunizations, medication logs, care plans) when kept by the institution for educational purposes.

When does HIPAA apply in educational settings?

HIPAA applies when a HIPAA covered entity—such as an outside clinic, community provider, or university hospital—maintains the records as part of health care services. Those records are protected health information. By contrast, records maintained by the school itself are typically governed by FERPA, not HIPAA.

How do FERPA and HIPAA overlap?

They rarely overlap. HIPAA expressly excludes FERPA education records and postsecondary “treatment records” from its definition of PHI. If a record is maintained by the school (or its agent) for educational purposes, FERPA controls; if maintained by a health care entity, HIPAA controls.

What are the disclosure rules under FERPA and HIPAA?

Under FERPA, you generally need consent to disclose education records, with exceptions for legitimate educational interests, health or safety emergencies, certain transfers, audits, and court orders. Under HIPAA, you generally need authorization, with permitted uses and disclosures for treatment, payment, operations, public health, oversight, and other defined circumstances.
