Do Schools Need HIPAA Compliance? When HIPAA vs. FERPA Applies to Student Health Records


Kevin Henry

HIPAA

April 04, 2026


FERPA Applicability to Schools

In most K–12 settings, student health information is protected as education records under FERPA. If you work in a school nurse’s office, athletics, counseling, or special education, records you create and maintain for students at federally funded educational institutions are generally FERPA records, not HIPAA records.

Because these files are education records, you may share them internally only with school officials who have legitimate educational interests. This typically includes staff who need the information to support instruction, services, safety, or compliance—never out of curiosity or convenience.

For postsecondary institutions, FERPA also applies to education records. Some health records for adult students may qualify as “treatment records” (explained below), but they are still governed by FERPA unless disclosed for purposes beyond treatment.

HIPAA Coverage of School Health Clinics

HIPAA applies when a school-operated clinic functions as a covered entity—that is, it provides healthcare and transmits health information electronically in standard transactions (such as electronic billing to health plans). In that case, the clinic must meet HIPAA Privacy and Security Rule requirements.

However, many school clinics only serve enrolled students and maintain their files as part of the school record system. When that’s true, those records are usually subject to FERPA and excluded from HIPAA. If your clinic treats non-students, bills insurers electronically, or is run by an outside hospital or health system, the clinic’s records are more likely to be HIPAA records.

Districts that operate both educational functions and a billing clinic can designate the district as a “hybrid entity,” isolating the HIPAA-covered health care component while the rest of the district remains under FERPA.

Distinction Between Education and Medical Records

Education records are any records directly related to a student and maintained by the school or its agent. Student health notes, medication logs, immunization documentation provided to the school, and special education health assessments typically fall here.

Medical records, in the HIPAA sense, are protected health information created or received by a covered entity. If your school clinic meets HIPAA’s covered entity test, clinical documentation it creates and keeps for patients is HIPAA PHI, even if the patient is also a student.

FERPA also recognizes “treatment records” for students 18 or older or those in postsecondary education. These are made or maintained by a health professional, used only for treatment, and not disclosed to others. If they are disclosed beyond treatment, they become education records under FERPA.

Parental Access to Student Health Information

Under FERPA, parents (or eligible students once they turn 18 or attend postsecondary education) have a right to inspect and review education records within a reasonable period, typically within 45 days of a request. Schools may charge a reasonable copy fee but cannot charge for searching or retrieving.

When HIPAA applies, a parent is generally the minor’s personal representative and may access the child’s PHI, subject to state laws and exceptions (for example, when a minor may consent to certain services, or access would risk harm). In K–12 settings where FERPA governs, follow FERPA’s access rules rather than HIPAA’s.

Coordination Between FERPA and HIPAA

For the same record, it’s almost always one or the other: education records under FERPA are excluded from HIPAA. Still, a district can hold both FERPA and HIPAA records if it operates a covered health clinic alongside educational services.

Coordinate by defining who is a school official, clarifying legitimate educational interests, and mapping data flows among the nurse’s office, athletics, counseling, special education, and any HIPAA-covered clinic. Use role-based access, document-sharing protocols, and data-sharing agreements with outside providers to ensure each disclosure fits the correct rule set.

Compliance Obligations for Schools

When FERPA governs

  • Publish annual FERPA notices describing rights, directory information, and how to opt out.
  • Define school officials and legitimate educational interests in policy; train staff accordingly.
  • Maintain secure recordkeeping, audit trails of disclosures, and timely access/amendment processes.
  • Limit internal access to those with a need to know; store and transmit student health information securely.

When HIPAA applies to a clinic

  • Confirm covered entity status based on electronic health information transmission (e.g., electronic claims or eligibility checks).
  • Designate a privacy and security official, issue a Notice of Privacy Practices, and implement workforce training.
  • Complete a security risk analysis; apply safeguards for ePHI (access controls, encryption, device/media handling).
  • Execute Business Associate Agreements with vendors that handle PHI; implement breach notification procedures.
  • If the district is a hybrid entity, formally designate the HIPAA health care component and segregate its records from FERPA systems.

Disclosure Rules for Student Health Records

Under FERPA

  • With written consent from the parent or eligible student, you may disclose education records as specified.
  • Without consent, you may disclose to school officials with legitimate educational interests.
  • You may disclose to another school where the student seeks or intends to enroll.
  • Parents of tax-dependent students may receive information, even if the student is 18 or older (subject to FERPA rules).
  • In a health and safety emergency, you may disclose to appropriate parties whose knowledge is necessary to protect health or safety; document the threat and recipients.
  • Directory information may be shared if you’ve provided prior notice and no opt-out applies.
  • Other limited exceptions include certain audits, evaluations, financial aid, and court orders or subpoenas with required notices.

When HIPAA applies

  • Use or disclose PHI for treatment, payment, and healthcare operations; apply the minimum necessary standard for most non-treatment uses.
  • Disclose without authorization when required by law or to address a serious and imminent threat to health or safety, consistent with state law.
  • For routine sharing with the school, obtain an authorization unless another HIPAA permission applies.

Key Takeaway

Most student health records you keep inside a school setting are FERPA education records. HIPAA kicks in only for records created or kept by a school health clinic that is a covered entity, meaning it transmits health information electronically in standard transactions. Map which rule governs each record set, train staff, and align your disclosures to the correct framework.

FAQs

When does FERPA apply instead of HIPAA to student health records?

FERPA applies when the records are maintained by a school or district that receives federal education funds and relate directly to a student—such as nurse logs, immunizations provided to the school, and special education health information. Those education records are excluded from HIPAA.

Are school-operated health clinics subject to HIPAA compliance?

Yes, if the clinic is a covered entity—for example, it treats patients and transmits health information electronically in standard transactions like billing insurers. If a clinic only serves students and its files are maintained as part of the school record system, FERPA usually governs instead.

How can parents access their child's health records under FERPA?

Submit a written request to the school to inspect and review education records. The school must provide access within a reasonable time (often within 45 days) and may charge only reasonable copy fees. Rights transfer to the student at age 18 or upon attending postsecondary education.

What are the disclosure rules for student health information in emergencies?

Under FERPA, schools may disclose to appropriate parties without consent during a health and safety emergency when knowledge is necessary to protect health or safety, and must document the basis and recipients. When HIPAA applies, disclosures may be made to prevent or lessen a serious and imminent threat, consistent with law.
