Does HIPAA Exclude Education Records Under FERPA? Yes—Here’s What It Means


Kevin Henry

HIPAA

August 03, 2025


Overview of HIPAA and FERPA

In schools, two federal privacy laws often intersect: HIPAA and FERPA. HIPAA protects Protected Health Information (PHI) handled by healthcare “Covered Entities” (like hospitals, clinics, and certain providers) for treatment, payment, and healthcare operations. FERPA, by contrast, safeguards Student Privacy within “Education Records” maintained by educational agencies and institutions that receive U.S. Department of Education funds.

Here’s the key takeaway: HIPAA expressly excludes from PHI any records that are “education records” under FERPA, as well as certain FERPA-defined treatment records at postsecondary institutions. When a record is covered by FERPA, HIPAA does not apply to that record. The challenge—and the compliance risk—is correctly classifying which law governs which record so your Health Clinic Compliance program applies the right rules.

Definition of Education Records

Under FERPA, Education Records are records that are: (1) directly related to a student and (2) maintained by an educational agency or institution—or a party acting for it. The format doesn’t matter; paper files, electronic systems, emails, videos, and nurse logs can all be Education Records if they meet these two elements.

Examples that usually are Education Records

  • Enrollment files, transcripts, grades, attendance, disciplinary records, and Individualized Education Program (IEP) documents.
  • K–12 nurse charts, immunization records provided to the school, medication administration logs, concussion evaluations, and care plans maintained by the school.
  • Records created by a contractor acting for the school (for example, a third-party platform used by the district to store student health screenings).

Records that are not Education Records

  • Law enforcement unit records created and maintained by the school’s law enforcement unit.
  • Sole-possession notes kept by a staff member for personal memory aids and not shared with others.
  • Employment records of students when employment is not tied to student status (e.g., a student employed by the district unrelated to enrollment).
  • Postsecondary “treatment records” that are maintained by a campus clinician, used only for treatment, and not shared beyond treatment providers; if shared more broadly, they become Education Records.

Applicability of FERPA to Student Health Records

Most student health records maintained by K–12 schools—such as nurse assessments, screening results, immunization documentation held by the school, and medication logs—are Education Records under FERPA. Because of HIPAA’s exclusion, these records are not PHI, and HIPAA’s privacy rule does not govern them. Your obligations stem from FERPA’s rules for access, consent, and disclosure.

At the postsecondary level, on-campus treatment records kept solely for treatment by a university clinician fall under FERPA’s “treatment records” category. They are not Education Records unless disclosed beyond treatment, and they are still outside HIPAA. If those same records are shared with non-treatment personnel or the student requests a copy for inclusion in the academic file, they convert to Education Records and become subject to FERPA’s standard rules.

HIPAA Coverage of School Health Clinics

Whether HIPAA applies to a school health clinic depends on who operates it and how it transmits health information:

  • School-operated clinics (including school nurses employed by the district): Records they maintain are Education Records under FERPA, not PHI. HIPAA does not apply to those records.
  • Clinics run by external healthcare providers (e.g., a hospital, FQHC, or physician group) on or near campus: If the provider is a Covered Entity that conducts HIPAA-standard electronic transactions, records it maintains are PHI under HIPAA. Disclosures to the school require authorization unless a HIPAA exception applies (e.g., for treatment or certain public health purposes). Any copy the school receives and maintains becomes an Education Record under FERPA.
  • Hybrid or co-located models: Keep operational and record systems distinct. The external provider’s chart remains subject to HIPAA; the school’s copy becomes FERPA-protected. Clear role definitions, authorizations, and data-sharing protocols are central to Health Clinic Compliance.

In short, HIPAA applies to Covered Entities’ clinical records; FERPA applies to records the school maintains. The same health information can be governed by different laws depending on who holds the record.


Disclosure Requirements for Education Records

FERPA generally requires Written Consent before disclosing personally identifiable information from Education Records. The consent should specify the records to be disclosed, the purpose, and the recipients, and it must be signed and dated by the parent or eligible student. Exceptions to the consent requirement include:

  • School officials with a legitimate educational interest (including contractors performing institutional services under school control).
  • Health or safety emergencies, where disclosure is necessary to protect the student or others.
  • Transfers to another school where the student seeks or intends to enroll.
  • Compliance with a judicial order or lawfully issued subpoena (with required notice to the parent or eligible student, unless excepted).
  • Designated “directory information” if the school has provided public notice and the parent or eligible student has not opted out.
  • Certain audits, evaluations, or studies conducted on behalf of the school or educational authorities under strict safeguards.

Schools must also maintain a record of most requests for and disclosures from Education Records. While HIPAA’s “minimum necessary” standard does not apply to FERPA, adopting a need-to-know practice helps minimize risk and supports Student Privacy.

  • Under HIPAA, Covered Entities may use and disclose PHI without authorization for treatment, payment, and healthcare operations. Written authorization is needed for most other purposes.
  • Under FERPA, the default is Written Consent for disclosures of Education Records, with targeted exceptions (e.g., legitimate educational interest, emergencies, transfers, court orders, authorized studies).
  • Parents control FERPA rights for minor students; at age 18 or upon postsecondary enrollment, rights transfer to the eligible student. HIPAA treats parents as personal representatives for minor children in many scenarios, but state laws (e.g., for reproductive health, mental health, or substance use services) can alter who must consent.
  • Authorization forms differ: HIPAA authorizations have specific required elements; FERPA consents must clearly identify records, purpose, recipients, and include a signature and date.

Practical tip: When a school needs information from an external clinic, obtain a HIPAA-compliant authorization. When a clinic needs to send information into the school’s file, make sure the family understands that once maintained by the school, the copy becomes an Education Record under FERPA.

Handling Non-Student Health Records in Schools

Non-student records are not Education Records and trigger different rules. Employee medical records maintained by the employer are not PHI under HIPAA and are outside FERPA. They are generally governed by employment and workplace-safety laws. If a district operates an employee clinic that is a HIPAA Covered Entity, records in that clinic’s system are PHI; once transferred into HR employment files, they are no longer PHI.

For visitors, contractors, and volunteers, incident reports or first-aid logs held by the school are not Education Records. If an external provider treats a non-student on campus and is a Covered Entity, those clinical records are PHI and remain subject to HIPAA unless shared with the school under a valid exception or authorization.

To manage mixed environments, separate systems and clearly label records. Train staff to route student information to FERPA repositories and non-student or external-provider information to the proper HIPAA or employment channels. This segregation reduces compliance drift and protects Student Privacy.

Conclusion

Does HIPAA exclude Education Records under FERPA? Yes—and that distinction drives how schools, nurses, and school-based clinics manage data. When the school maintains the record, FERPA governs; when an external Covered Entity maintains the clinical chart, HIPAA governs. Keep records separate, secure Written Consent when required, and align procedures so both laws support safe care, efficient Healthcare Operations, and strong Health Clinic Compliance.

FAQs

What types of records does FERPA protect?

FERPA protects Education Records—any records directly related to a student and maintained by the school or a party acting for it. This includes academic files, discipline, special education documents, and most K–12 health records kept by school nurses. It excludes law enforcement unit records, sole-possession notes, certain employment records, and postsecondary treatment records used only for treatment unless they are disclosed beyond treatment providers.

How does HIPAA apply to school health clinics?

If the clinic is operated by the school, its student records are Education Records under FERPA, not PHI, so HIPAA does not apply to those records. If an external provider (e.g., a hospital, FQHC, or physician practice) runs the clinic and is a HIPAA Covered Entity, the clinic’s charts are PHI under HIPAA. Sharing those records with the school generally requires authorization or a HIPAA-permitted disclosure, and any copy the school maintains becomes FERPA-protected.

Under FERPA, parental Written Consent is required to disclose a minor student’s Education Records unless a FERPA exception applies (such as a health or safety emergency, school officials with legitimate educational interest, transfers to another school, or certain subpoenas). At age 18 or upon postsecondary enrollment, the student’s consent is required. For HIPAA-covered external clinics, parental consent may not be needed for disclosures for treatment, payment, or healthcare operations, but authorizations are typically required to share with the school; state minor-consent laws can further affect who must consent.
