Does HIPAA Apply to School Physicals? What Parents and Schools Need to Know

HIPAA Applicability to Schools

Short answer: for school physicals, HIPAA usually protects the healthcare provider’s copy of the exam, while the copy kept by the school becomes an education record governed by FERPA. That distinction turns on where the information is maintained and the covered entity status of the organization handling it.

HIPAA applies to covered entities—health plans, clearinghouses, and healthcare providers that transmit standard electronic transactions. When a pediatrician performs a school physical, the exam notes and the form in the provider’s EHR are Protected Health Information (PHI) under HIPAA. Once a copy is submitted to the school and maintained in the student’s file, it is generally outside HIPAA and subject to FERPA’s health information privacy rules.

• At the doctor’s office: PHI under HIPAA.
• In the school’s student file: education record under FERPA.
• In a school-run clinic that bills insurers: clinic records are HIPAA; any copy placed in the student’s education record is FERPA.

FERPA Protection of Student Health Records

FERPA covers education records maintained by public K–12 schools and most school districts. That category typically includes student medical records the school keeps—immunization certificates, physical exam forms, medication administration logs, and school nurse notes.

Parents (and eligible students at age 18) have rights to access and request amendment of these student medical records. Disclosure generally requires parental consent unless a FERPA exception applies. School nurse compliance under FERPA means limiting access to personnel with a legitimate educational interest, securing files, and documenting disclosures.

HIPAA and Private Schools

Private schools that do not receive U.S. Department of Education funds may fall outside FERPA. HIPAA still applies only if the school—or a health service it operates—meets covered entity status (for example, a school clinic that bills electronically). In that case, the clinic’s records are PHI, while any copy placed in a student’s non-clinic education file is typically not HIPAA but may be protected by state student record or health privacy laws.

Many private K–12 schools neither receive federal education funds nor run billing clinics, so their student medical records are often governed primarily by state law. Always confirm which laws apply before setting policies or sharing information.

Health Services by External Providers

When outside providers deliver services—on campus or off—those providers’ files remain PHI under HIPAA. Examples include mobile health units conducting sports physicals, telehealth vendors evaluating a student, or a community clinic giving required immunizations. Their records stay in the provider’s system and are subject to HIPAA safeguards.

Sharing results with a school typically requires parental consent or must fit a HIPAA permission. Common pathways include a signed authorization, a disclosure for treatment to a school nurse or school physician, or proof of immunization shared with the school when state law requires it and the parent or guardian agrees (oral or written), with that agreement documented in the provider’s record.

Disclosure of Health Information in Schools

Under HIPAA

• Disclosures for treatment: A HIPAA-covered provider may share PHI with another healthcare provider, such as a school nurse, for treatment without written authorization.
• Proof of immunization: A provider may disclose required immunization status to a school with the parent’s or guardian’s agreement when state law mandates proof; the provider must note that agreement.
• Emergencies and public health: Limited disclosures are permitted to prevent or lessen a serious threat, or to comply with mandated reporting.
• Minimum necessary: Applies to most non-treatment disclosures; share only what the recipient needs to know.

Under FERPA

• Consent-first rule: Schools generally need parental consent before disclosing personally identifiable information from education records, including student medical records.
• Key exceptions: Health or safety emergencies, disclosures to school officials with a legitimate educational interest, to another school where the student is enrolling, or to comply with specific state reporting requirements.
• School nurse compliance: Restrict access to those who must know, keep records secure, and log non-exempt disclosures.

Coordination Between FERPA and HIPAA

• Map where records live: Provider systems (HIPAA/PHI) versus school education records (FERPA). The same information can switch regimes when it changes hands.
• Clarify roles in writing: Use MOUs or agreements outlining who is the discloser, the legal basis, and how each party safeguards health information privacy.
• Standardize forms: Create clear release/authorization templates that cover purpose, scope, recipients, expiration, and revocation.
• Segment files: Keep clinic medical records separate from education records to avoid accidental blending of HIPAA and FERPA data.
• Train and audit: Provide routine training for school nurse compliance, office staff, coaches, and administrators; review logs and practices annually.

Parental Consent Requirements

Under FERPA, parental consent must specify the records to be disclosed, the purpose, and the parties to whom disclosure may be made. Parents can generally revoke consent prospectively, and schools should maintain records of consents and disclosures.

Under HIPAA, a written authorization is required for most non-treatment disclosures. For minors, parents or guardians usually act as the child’s personal representative, but state laws may grant minors independent consent rights for certain services. Providers should verify decision-making authority before sharing information with schools.

Bottom line: For school physicals, the provider’s copy is PHI under HIPAA, while the school’s copy is an education record protected by FERPA. Identify who maintains each record, obtain parental consent when required, and align your processes so providers, school nurses, and administrators safeguard student medical records consistently.

FAQs.

Does HIPAA cover health records maintained by schools?

Usually no. Health information kept by a FERPA-covered school becomes part of the student’s education record and is protected by FERPA, not HIPAA. HIPAA still protects the provider’s copy of the exam and any PHI the provider retains.

When does FERPA apply instead of HIPAA?

FERPA applies when a public K–12 school or other FERPA-covered institution maintains the record. In that setting, student medical records in the education file are education records. For postsecondary students, certain treatment records are also excluded from HIPAA and handled under FERPA’s rules for treatment records.

Can healthcare providers share information with school nurses without consent?

Yes, when the disclosure is for treatment. A HIPAA-covered provider may share relevant PHI with a school nurse or school physician for treatment without written authorization. Providers may also share proof of immunization with parental agreement where state law requires it, and limited information in emergencies.

Do private schools have different HIPAA obligations?

They can. If a private school does not receive federal education funds, FERPA may not apply. HIPAA will apply if the school (or its clinic) is a covered entity, such as a clinic that submits electronic insurance claims. If neither FERPA nor HIPAA governs a record, state student record and health privacy laws typically fill the gap.