Do HIPAA Protections Apply to School Health Records? What Parents and Schools Should Know
FERPA Applicability to School Health Records
In most K–12 settings, school health records are governed by FERPA privacy protections, not HIPAA. When a school nurse, counselor, psychologist, or athletic trainer creates or maintains a record for a student, that record is typically an “education record” under FERPA, even though it contains health details.
Education records definition
Under FERPA, education records are records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for it. Examples include immunization forms kept by the school, medication administration logs, individualized healthcare plans, and health information embedded in IEP or Section 504 documentation.
Postsecondary “treatment records”
At colleges and universities, records kept by campus health or counseling services solely for the student’s medical or psychological treatment are “treatment records” under FERPA. They are excluded from the education records category but remain outside HIPAA and may be shared only with those providing treatment unless the student authorizes another use.
Access to FERPA-governed health information must be limited to school officials with a legitimate educational interest—meaning staff who need the information to do their jobs and support the student’s education or safety.
HIPAA Coverage and Its Limitations
HIPAA applies to covered entities: health plans, health care clearinghouses, and health care providers who conduct certain electronic transactions. HIPAA protects “protected health information (PHI),” but it expressly excludes FERPA education records and postsecondary treatment records from the PHI definition.
When HIPAA does apply around schools
- External providers: A child’s pediatrician, therapist, hospital, or urgent care center maintains HIPAA PHI for that patient.
- Private schools with no federal funding: If not subject to FERPA and they operate a clinic that bills electronically, the clinic’s records may be HIPAA PHI.
- University health clinics serving non‑students: Records for staff, faculty, or community patients are HIPAA PHI; student treatment records remain under FERPA.
- School‑based health centers run by a hospital or health system: The clinic’s records are HIPAA PHI, but copies maintained by the school become FERPA education records.
The key limitation: once a record qualifies as a FERPA education record, HIPAA does not apply to that copy.
Distinguishing School and Non-School Health Records
Ask two questions: Who maintains the record, and for what purpose? If the school (or its agent) maintains the record for educational purposes, FERPA applies. If an outside health care provider maintains the record in the course of clinical care, HIPAA applies.
- Maintained by school: An asthma action plan kept by the school nurse is a FERPA education record.
- Maintained by provider: The same plan in the pediatrician’s chart is HIPAA PHI.
- Shared copies: When a provider sends a form to the school, the provider’s copy stays HIPAA; the school’s copy becomes FERPA.
This distinction drives consent, access, and permitted disclosures. FERPA rules control downstream sharing from the school file; HIPAA rules control sharing from the provider’s chart.
Parental Consent Requirements
Under FERPA, parental consent is generally required before disclosing personally identifiable information from education records, unless an exception applies. Consent must be signed and dated and specify the records to be disclosed, the purpose, and the recipient. Rights transfer to the student at age 18 or when the student attends a postsecondary institution.
- No consent needed for sharing with school officials who have a legitimate educational interest.
- No consent needed during a health or safety emergency if disclosure is necessary to protect the student or others.
- Consent is typically required to send detailed school records to an outside provider, unless an emergency exists.
Under HIPAA, a parent or guardian usually acts as the minor’s personal representative for authorizations. However, state laws can let minors control certain sensitive services (for example, mental health, reproductive care, or substance use treatment). HIPAA also allows providers to disclose proof of immunization to a school if required by law and with a parent’s or eligible student’s agreement, even without a formal HIPAA authorization.
Disclosure Rules under FERPA and HIPAA
FERPA permitted disclosures
- To school officials with a legitimate educational interest, using reasonable methods to ensure only appropriate staff access records.
- To another school where the student seeks or intends to enroll.
- To appropriate parties in a health or safety emergency, considering immediacy and severity of the threat.
- To state or federal officials for audits or evaluations of education programs.
- In response to a judicial order or lawfully issued subpoena (with required notice, unless prohibited).
- Directory information, if designated and the family has not opted out; health details are rarely designated as directory information.
HIPAA permitted disclosures
- For treatment, payment, and health care operations without authorization.
- With a valid authorization for uses not otherwise permitted.
- To public health authorities for disease reporting and other public health activities.
- To avert a serious threat to health or safety, to appropriate persons able to lessen the threat.
- For abuse, neglect, or domestic violence reporting when authorized or required by law.
- Proof of immunization to schools when required by law with a parent’s or eligible student’s agreement.
HIPAA’s minimum necessary standard applies to most non‑treatment disclosures; under FERPA, schools should similarly limit what they share to what is reasonably necessary for the purpose.
Protecting Student Privacy in Schools
Governance and policy
- Define education records and who qualifies as a school official with a legitimate educational interest.
- Adopt written procedures for consent, permitted disclosures, record retention, and incident response.
- Vet vendors carefully; ensure contracts make vendors “school officials” under FERPA when appropriate.
Secure collection, storage, and transmission
- Use role‑based access controls for electronic health modules in student information systems.
- Encrypt devices, use secure messaging with outside providers, and maintain audit logs.
- Separate health information from discipline files; avoid over‑collection.
Staff training and practice
- Train all staff annually on FERPA privacy protections and need‑to‑know sharing.
- Provide scripts and forms for parental consent under FERPA and for provider requests.
- Use de‑identified summaries when full records are unnecessary.
Emergency planning and special education
- Prepare individualized healthcare plans and emergency action plans for students with medical needs.
- Pre‑identify which roles (nurse, administrator, teacher, coach, bus driver) should receive limited, purpose‑specific information.
School Staff Access to Health Information
Access should be narrowly tailored to staff with a legitimate educational interest. A nurse may share an allergy action plan with the classroom teacher and bus driver who supervise the student, but not the student’s full medical file. Coaches may receive return‑to‑play restrictions; counselors and special education teams may access health details needed for 504 or IEP planning.
In postsecondary settings, campus health or counseling staff generally keep treatment records separate; faculty or residence life staff see only what the student authorizes, unless a true health or safety emergency requires disclosure.
Summary
- School‑maintained health records are usually FERPA education records; HIPAA typically does not apply to those copies.
- HIPAA governs records held by external providers and certain school‑adjacent clinics; FERPA and HIPAA never apply to the same record at the same time.
- Whether a disclosure is allowed hinges on the permitted-disclosure categories and legitimate educational interest; when in doubt, obtain written consent.
- Strong policies, role‑based access, and targeted communication protect privacy while supporting student safety.
FAQs
Do HIPAA regulations apply directly to school health records?
Generally, no. Health information maintained by a school or district about a student is an education record under FERPA, so HIPAA’s PHI rules do not apply to that copy. HIPAA may apply to records held by outside providers, to private schools not subject to FERPA, or to university clinics when they treat non‑students.
How does FERPA protect student health information?
FERPA defines education records, limits access to school officials with a legitimate educational interest, and requires parental consent for most disclosures. It also permits necessary sharing in specific situations, such as health or safety emergencies or transfers to another school, while encouraging schools to disclose only what is needed.
When is parental consent required for sharing school health records?
Parental consent under FERPA is required before disclosing personally identifiable information from a student’s education records unless a FERPA exception applies. Common exceptions include disclosures to school officials with a legitimate educational interest and emergency disclosures to protect health or safety. At age 18 or in college, consent rights transfer to the student.
Can healthcare providers share health information with schools without consent?
Under HIPAA, providers may share information for treatment purposes with another provider—such as a school nurse—without a HIPAA authorization, and may provide proof of immunization to a school when required by law with a parent’s or eligible student’s agreement. For broader sharing with non‑provider school staff, providers typically need written authorization unless another HIPAA exception applies.