Do HIPAA Rules Apply to School Health Records? HIPAA vs. FERPA Explained


Kevin Henry

September 15, 2025


Overview of HIPAA and FERPA

HIPAA governs the privacy and security of Protected Health Information (PHI) held by HIPAA-covered entities: health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. FERPA, by contrast, protects the privacy of education records at schools that receive U.S. Department of Education funds, placing student information within a distinct legal framework.

In practice, most K–12 student medical records kept by a school are FERPA records, not HIPAA PHI. The overlap between the two privacy regulations is resolved by a simple rule of thumb: when a record is maintained by a school for educational purposes, FERPA applies; when a record is maintained by a separate health care provider acting as a covered entity, HIPAA applies.

  • HIPAA = PHI held by HIPAA-covered entities and their business associates.
  • FERPA = student education records (which often include student medical records) held by schools.
  • Copies shared between a provider and a school take on the rules of the holder.

Definition of School Health Records

School health records are student medical records maintained by the school to support education, safety, or required services. They commonly include immunization certificates, nurse or athletic trainer notes, medication administration logs, screening results, and health components of IEPs or Section 504 plans.

Because the school maintains these files as part of the student’s education record, FERPA classifies them as education records. That status controls how they may be accessed, disclosed, and amended—regardless of whether a school nurse or other clinician created the information.

What is not a school health record?

  • A community clinic’s chart created and retained by the clinic (PHI under HIPAA).
  • Records a school receives about employees or non-students (typically not FERPA student records).
  • Campus clinic records for non-student patients (usually HIPAA PHI).

HIPAA Applicability to School-Employed Providers

When a health professional is employed by the school, their documentation on students normally becomes part of the FERPA education record. Even if the clinician has health care provider status, the school’s custody of the record and its purpose for keeping it place the record under FERPA rather than HIPAA.

There are edge cases to consider for HIPAA applicability:

  • If the school (or its clinic) functions as a HIPAA-covered entity for some activities—such as electronically billing a health plan for services to non-students—those specific records can be HIPAA PHI. Student records the school keeps for educational purposes remain FERPA records.
  • If a school-employed provider treats both students and staff, student entries are FERPA education records; staff patient entries may be HIPAA PHI if the clinic is a covered entity.
  • If the provider also works for an external covered entity, the records created in that external role are HIPAA PHI; copies given to the school become FERPA records in the school file.

FERPA Protection of Student Records

FERPA compliance centers on parental (or eligible student) rights and limits on disclosure. Parents (and, once a student turns 18 or attends a postsecondary institution, the student) have the right to inspect records, request amendments, and control most redisclosures of education records, including student medical records kept by the school.

FERPA allows sharing without consent in defined circumstances: to school officials with a legitimate educational interest, to another school where the student seeks to enroll, in a health or safety emergency, or as otherwise permitted by regulation. Schools must document certain disclosures and provide annual notices explaining rights and procedures.

Health Records in Postsecondary Institutions

For “eligible students” in higher education, records made or maintained by a campus clinician and used only for treatment are FERPA “treatment records.” They are not accessible to others at the institution except for treatment, and they are excluded from HIPAA’s PHI by definition. If these records are shared beyond treatment—for example, with the dean’s office—they become FERPA education records.

When a university hospital or affiliated clinic is a separate health care provider and a HIPAA-covered entity, its patient charts are HIPAA PHI. If those charts are for student patients, they remain HIPAA PHI in the clinic. Copies provided to the school, however, become FERPA records once maintained by the institution for educational purposes.

Distinctions for Non-School Health Providers

Non-school providers—such as hospital-run school-based health centers, community clinics, telehealth vendors, or contracted athletic trainers—hold HIPAA PHI when they are HIPAA-covered entities. Their disclosures to the school typically require a HIPAA-compliant authorization or must fit within a HIPAA permission (for example, a health or safety emergency).

Once the school receives information for its files, that copy falls under FERPA. The provider remains responsible for HIPAA compliance in its own system, while the school must follow FERPA for the received records. Understanding this handoff prevents gaps in protection during inter-agency coordination.

Compliance Requirements for Schools

To manage the overlap between the two privacy regulations effectively, you should map where student information originates, where it is stored, and under which law it sits. Clarify whether any campus clinic activity makes your institution, or a component of it, a HIPAA-covered entity, and separate workflows accordingly.

Practical steps

  • Publish your annual FERPA notice and define “school official” and “legitimate educational interest.”
  • Standardize consent and authorization forms that reflect FERPA rules; use HIPAA authorizations when requesting records from external providers.
  • Train nurses, counselors, and coaches on FERPA access, health or safety emergency exceptions, and disclosure documentation.
  • Implement secure recordkeeping for student medical records, with role-based access and audit trails.
  • Establish MOUs with external providers to clarify routing of FERPA records versus HIPAA PHI and permitted exchanges.
  • Plan for transitions: when students turn 18 or enroll in postsecondary education, rights shift to the eligible student.

Key takeaways

For most K–12 scenarios, school-held student medical records are FERPA education records, not HIPAA PHI. HIPAA generally governs only when a separate HIPAA-covered entity—such as an outside clinic—creates and maintains the record. If a copy enters the school’s file, FERPA controls that copy. Clear role definitions, careful consent practices, and aligned procedures keep you compliant.

FAQs

When do HIPAA rules apply to school health records?

HIPAA applies when a separate HIPAA-covered entity (for example, a hospital-run clinic, community provider, or telehealth vendor) creates and maintains the record as PHI. If the school receives a copy for its student file, that copy becomes a FERPA education record, while the provider’s original chart remains HIPAA PHI.

How does FERPA protect student health information?

FERPA protects student medical records maintained by the school by granting parents or eligible students rights to access and request amendments, and by restricting disclosure unless there is consent or a specific exception (such as legitimate educational interest or a health or safety emergency).

What distinguishes a HIPAA-covered entity from a school provider?

A HIPAA-covered entity is a health plan, clearinghouse, or health care provider that transmits health information in standard electronic transactions. A school-employed provider typically creates FERPA education records because the school maintains them for educational purposes, even though the provider is clinically licensed.

Are postsecondary student health records governed by FERPA or HIPAA?

It depends on who maintains the record and why. Campus clinicians’ charts used only for treatment are FERPA treatment records. Records held by a separate university hospital or outside clinic that is a HIPAA-covered entity are HIPAA PHI; once a copy is maintained by the school, that copy is governed by FERPA.
