Understanding student privacy rights can feel overwhelming when education and health records intersect. With growing concerns about data security, parents, students, and educators often wonder whether FERPA or HIPAA applies to information managed by schools. Knowing the difference isn’t just helpful—it’s essential for protecting sensitive data in academic environments.
At the heart of education records privacy lies the Family Educational Rights and Privacy Act (FERPA), while the Health Insurance Portability and Accountability Act (HIPAA) governs health records in most healthcare settings. But what happens when a school also handles medical information, such as immunization records or care from a school nurse? That is where things get complicated, and where comparing FERPA and HIPAA becomes crucial.
In this article, we’ll break down the scope of each law, the types of information protected, disclosure rules, enforcement agencies, and the overlap scenarios that most often affect schools, including when a school or its vendors would need a HIPAA Business Associate Agreement (BAA). Our goal is clear, practical guidance no matter which side of the schoolhouse door you’re on.
Scope of Each Law (Education vs Health)
The scope of FERPA and HIPAA is distinct, but sometimes their boundaries seem to blur—especially in schools where health and education records overlap. By clearly understanding what each law covers, we can better navigate student privacy rights and ensure compliance in educational settings.
FERPA covers education records in schools that receive federal funding, such as public K-12 schools and most colleges and universities. This includes grades, transcripts, disciplinary records, and personally identifiable information maintained by the institution. FERPA’s main focus is on education records privacy—protecting any data directly related to a student and maintained by the school or its agents.
HIPAA, on the other hand, applies to covered entities (health care providers, health plans, and health care clearinghouses) and their business associates, and a provider becomes a covered entity only if it transmits health information electronically in connection with a standard transaction, such as billing an insurer. A school that runs a clinic and bills electronically can therefore be a HIPAA covered entity. Even then, HIPAA’s definition of protected health information expressly excludes education records covered by FERPA, so the clinic’s records on enrolled students remain FERPA records; HIPAA reaches only records that fall outside FERPA, such as those of non-students. This situation is rare in typical K-12 settings.
- In most schools (public K-12 and many colleges), FERPA governs both education and health records maintained by the school, including records from school nurses or counselors. HIPAA specifically excludes these FERPA-covered records from its scope.
- HIPAA may apply in certain private or non-traditional schools that don’t receive federal funding and run health clinics billing insurance electronically. In these cases, health records in schools may fall under HIPAA instead of FERPA.
Comparing FERPA and HIPAA reveals a clear line: FERPA covers education records (including most school-based health records), while HIPAA governs health records in schools only if those records are not protected by FERPA. Recognizing where one law ends and the other begins is crucial for protecting student privacy rights and ensuring that schools manage sensitive information responsibly. Note that HIPAA has two distinct components that matter here: the Privacy Rule, which governs use and disclosure, and the Security Rule, which prescribes safeguards for electronic PHI.
Protected Information Types
When it comes to student privacy rights, understanding which law protects which type of information is crucial. FERPA and HIPAA each cover different aspects of data privacy, and knowing how they classify protected information helps us ensure compliance and safeguard sensitive records within educational settings.
FERPA is focused on education records privacy. Under FERPA, “education records” are broadly defined as records that are directly related to a student and maintained by an educational agency or institution. These can include grades, transcripts, class schedules, disciplinary records, and even special education records. Essentially, if the information is maintained by the school and relates to a student, FERPA likely governs its privacy.
- Academic records: Report cards, test scores, and transcripts.
- Attendance records: Absences, tardies, and enrollment history.
- Personal information: Addresses, Social Security numbers, and student ID numbers.
- Disciplinary records: Notes on suspensions, expulsions, or behavioral incidents.
- Special services: Records related to accommodations, Individualized Education Programs (IEPs), or counseling.
Health records in schools can be tricky, especially when comparing FERPA and HIPAA. Most health records maintained by a school are considered part of the student’s education record if the school receives federal funding. This means FERPA usually applies—even to immunization records, nurse’s office visits, or school-based counseling notes.
- Immunization records kept by the school nurse.
- Medication logs documenting doses given during the school day.
- Health screenings performed as part of school programs.
- Counseling notes maintained by school counselors or psychologists, unless they qualify as “sole possession records”: kept in the maker’s sole possession, used only as a personal memory aid, and not accessible to anyone other than a temporary substitute.
HIPAA, on the other hand, protects “protected health information” (PHI), which includes medical records, billing data, and any individually identifiable health information held by HIPAA-covered entities such as hospitals, clinics, or private healthcare providers. However, most K-12 schools are not HIPAA-covered entities when it comes to student health information because that data is considered an education record under FERPA.
- PHI under HIPAA includes diagnoses, treatment records, and health insurance information when managed by healthcare providers outside the school setting.
- School-employed healthcare providers may fall under HIPAA only if they provide healthcare services outside the educational institution or if the school does not receive federal funding.
For educational institution HIPAA compliance, the line is clear: if health information is maintained by or for a school as part of the student’s education record, FERPA applies. If the information is handled by external healthcare providers not connected to the school, HIPAA governs. This distinction determines which consent rules, access rights, and enforcement path apply to a given record.
Disclosure Rules Compared
When it comes to disclosure rules, FERPA and HIPAA set very different boundaries for how and when personal information can be shared in educational environments. Understanding these differences is crucial for anyone navigating student privacy rights, especially as schools increasingly handle both education records and health records.
FERPA governs the privacy of education records, making it clear that schools must obtain written consent from parents or eligible students before disclosing personally identifiable information (PII) from these records. There are, however, a few well-defined exceptions, such as:
- School Officials: Disclosure is allowed to school officials with legitimate educational interests.
- Transfer of Schools: Records can be shared with another school where the student seeks to enroll.
- Health and Safety Emergencies: If the school determines there is an articulable and significant threat to the health or safety of the student or others, information may be released to appropriate parties who can address the threat.
- Certain Government Agencies: Some federal, state, and local authorities may access records as permitted by law.
HIPAA, on the other hand, sets strict standards for the use and disclosure of protected health information (PHI), especially when it comes to health records in schools that are not covered by FERPA. Under HIPAA:
- Patient Authorization: Written authorization is required before disclosing PHI, except for disclosures the Privacy Rule permits without it, most notably for treatment, payment, and health care operations.
- Minimum Necessary Rule: Only the minimum amount of PHI needed for the purpose should be used or disclosed, even when disclosure is permitted; disclosures to a provider for treatment are exempt from this standard.
- Public Health and Safety: Like FERPA, HIPAA allows certain disclosures without authorization, for example to public health authorities or to prevent a serious and imminent threat, but each permission is narrowly defined.
Educational institution HIPAA compliance becomes relevant primarily in settings like college health clinics that serve non-students or private schools not subject to FERPA, where the health records in question are not education records. In these cases HIPAA’s authorization rules, the minimum necessary standard, and the Security Rule’s safeguards apply.
In summary, the two laws draw their lines differently rather than one being uniformly stricter: FERPA requires consent for most disclosures but carves out exceptions for school operations and safety, while HIPAA permits routine treatment, payment, and operations disclosures without authorization but adds the minimum necessary standard and, through the Security Rule, prescriptive administrative, physical, and technical safeguards that FERPA does not impose. Knowing which law applies tells you which controls a record needs.
Enforcement Agencies
When it comes to enforcing student privacy rights and the protection of sensitive information in schools, two main federal agencies play pivotal roles—each overseeing a different set of regulations. Understanding who’s responsible for enforcing FERPA and HIPAA helps us know where to turn if there’s a breach of education records privacy or health records in schools.
FERPA is enforced by the U.S. Department of Education through its Student Privacy Policy Office (SPPO), formerly known as the Family Policy Compliance Office (FPCO). The office ensures that schools receiving federal funding comply with FERPA’s requirements for protecting education records. Parents and eligible students may file complaints with it; when a potential violation of a student’s education records privacy is reported, the office investigates and, if necessary, can require corrective action. FERPA does not create a private right of action, so individuals cannot sue a school directly under it; the Department’s ultimate sanction, used only as a last resort, is to withhold federal funds from an institution that refuses to comply.
HIPAA enforcement falls under the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR). OCR investigates complaints related to improper handling of protected health information (PHI), including health records in schools when HIPAA applies, and can impose civil monetary penalties and require corrective action plans. State attorneys general may also bring civil actions, and criminal HIPAA violations are prosecuted by the Department of Justice rather than OCR. As with FERPA, individuals can file complaints directly with the enforcing agency, and HIPAA likewise provides no private right of action.
- FERPA enforcement: U.S. Department of Education, Student Privacy Policy Office (SPPO, formerly FPCO)
- HIPAA enforcement: U.S. Department of Health and Human Services, Office for Civil Rights (OCR); criminal cases referred to the Department of Justice
Comparing FERPA and HIPAA reveals an important distinction: While both agencies are dedicated to safeguarding sensitive information, the enforcement mechanisms and potential penalties differ. FERPA focuses on education records privacy and compliance within educational settings, while HIPAA’s scope includes educational institution HIPAA compliance for any health-related records not covered by FERPA.
If you’re ever unsure which agency to contact about a privacy concern in your school or educational institution, consider whether the information in question is an education record or a health record—and whether your institution is subject to FERPA, HIPAA, or both. This clarity helps ensure the right protections are in place for all students and families.
Overlap Scenarios (e.g. School Nurse)
There are situations where student records contain both educational and health information, making it crucial to understand where FERPA ends and HIPAA begins. These overlap scenarios are common in schools, especially when student services involve both academic and healthcare elements.
Let’s break down the most frequent overlap scenarios:
- School Nurses and On-Campus Health Clinics: When a student receives care from a school nurse or an on-site clinic operated by the school, their health records are typically considered part of their education records. In these instances, FERPA applies, not HIPAA, because the information is maintained by an educational institution and is directly related to the student.
- Health Services Provided by Outside Entities: If a healthcare provider not employed by the school (such as a local hospital or independent practitioner) treats a student on school grounds, HIPAA may apply to those records, provided that the provider maintains the records separately from the school’s educational files.
- Special Education Records: Health records created and maintained as part of a student’s Individualized Education Program (IEP) or other special education services are considered education records under FERPA. These records are not covered by HIPAA, even if they include medical diagnoses or treatments.
- Dual Role Employees: Staff members who serve in both educational and healthcare roles—such as school psychologists or counselors—generally fall under FERPA for records they keep as part of the student’s education file. HIPAA only comes into play if the records are maintained separately and not shared with the school.
- Postsecondary Institutions: In colleges and universities, student health clinic records are protected by FERPA, either as education records or as FERPA “treatment records”, and HIPAA’s definition of PHI excludes both. HIPAA may apply if the clinic also treats non-students, such as staff or members of the public, and bills electronically for that care.
For educational institutions, HIPAA obligations arise only if the institution (or a component of it) provides healthcare services and conducts standard electronic transactions such as insurance billing, and even then only for records that are not FERPA education or treatment records. Otherwise, FERPA is the primary law. This distinction is vital for maintaining student privacy rights and ensuring the proper handling of both education and health records in schools.
Understanding these overlap scenarios helps educators and families navigate the complex landscape of education records privacy and health records in schools. By knowing when FERPA or HIPAA governs certain records, we can better protect students’ sensitive information and uphold their privacy rights.
School Nurse Records
School nurses play a crucial role in safeguarding student health while navigating complex privacy laws. When it comes to health records in schools, understanding whether FERPA or HIPAA applies is essential for protecting student privacy rights.
In most K-12 public schools, FERPA, not HIPAA, governs the privacy of student health information maintained by the school nurse. This means that a student’s medical details, immunization records, or medication logs held by the nurse are considered part of the student’s education record. Under FERPA, schools must obtain written consent from parents or eligible students before disclosing personally identifiable information, except under FERPA’s listed exceptions, such as disclosure to school officials with a legitimate educational interest, health and safety emergencies, or a lawful subpoena.
There are some important nuances that we should keep in mind:
- FERPA covers health records maintained by a school nurse employed by the school. These records become part of the student’s education file and are protected under education records privacy rules.
- HIPAA generally does not apply to student health records at public schools, or at private schools that receive federal funding, because those records are education records under FERPA, and HIPAA’s Privacy Rule expressly excludes FERPA-covered education records from the definition of protected health information. This holds even if the school bills insurers electronically and is technically a HIPAA covered entity.
- Exceptions exist in certain situations, such as when a school nurse works for a private school that does not receive federal funding or operates within a health clinic not affiliated with the school. In these cases, HIPAA may apply, requiring the institution to meet educational institution HIPAA compliance standards.
Comparing FERPA and HIPAA in school health settings can be confusing, but the key distinction is this: FERPA protects student health information managed by the school nurse as part of the education record, while HIPAA applies only in rare, specific non-educational settings.
For parents, students, and staff, understanding these boundaries ensures that health records in schools are properly protected and shared only when legally permitted. If you’re uncertain, always ask your school’s administration or nurse how your information is stored and what privacy policies are in place—being proactive is the best way to uphold student privacy rights.
Navigating student privacy rights requires understanding how FERPA and HIPAA work together and where they diverge. While FERPA governs education records privacy for most K-12 and higher education institutions, HIPAA steps in for specific health records not maintained by schools. This distinction matters—especially as health and educational information increasingly overlap in today's learning environments.
Comparing FERPA and HIPAA shows us that each law serves a unique purpose, but both ultimately aim to protect sensitive data. FERPA empowers parents and eligible students to control access to education records, while HIPAA ensures the confidentiality of health records in schools only when managed by healthcare providers not bound by FERPA. Knowing which law applies helps us uphold the privacy and trust that families expect from educational institutions.
When it comes to educational institution HIPAA compliance, most schools must focus on adhering to FERPA, but exceptions exist. If a school operates its own healthcare clinic and bills electronically, it may be a HIPAA covered entity for the records of non-students even while its student records remain under FERPA, so both sets of requirements can apply to different records in the same clinic. Staying informed and proactive is the best way for schools, parents, and students to protect their rights and ensure privacy is never compromised.
In summary, understanding the differences between FERPA and HIPAA empowers us to better safeguard education and health records in schools. Awareness and education are our strongest tools for ensuring compliance and peace of mind for everyone involved in the academic journey.
FAQs
What is FERPA?
FERPA, or the Family Educational Rights and Privacy Act, is a federal law that protects student privacy rights by regulating access to and disclosure of education records. Enacted in 1974, FERPA applies to all schools that receive funding from the U.S. Department of Education, covering public schools, colleges, and universities.
Under FERPA, parents and eligible students (those 18 or older, or attending a postsecondary institution) have the right to access and request corrections to education records. Schools must obtain written consent before releasing personally identifiable information, with a few specific exceptions. This ensures strong education records privacy and gives families more control over student information.
It’s important to note that while FERPA safeguards education records, it also affects how health records in schools are handled. Most student health records maintained by schools fall under FERPA, not HIPAA. This distinction is crucial when comparing FERPA and HIPAA, especially for educational institution HIPAA compliance.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law designed to protect the privacy and security of individuals’ health information. Enacted in 1996, its main goal is to ensure that sensitive health data—known as protected health information (PHI)—remains confidential and is only shared when appropriate. This law applies to healthcare providers, health plans, and their business associates, establishing strict standards for handling health records.
When it comes to health records in schools and education records privacy, HIPAA often gets compared to FERPA (Family Educational Rights and Privacy Act). While FERPA protects student privacy rights for education records, HIPAA steps in only for health information that is not a FERPA record, for example when a school clinic that bills electronically treats non-students, or when a provider unaffiliated with the school treats students and keeps its own records. Understanding the distinction and comparing FERPA and HIPAA helps educational institutions navigate compliance and safeguard both health and educational data.
For educational institution HIPAA compliance, it’s crucial to know when health records are covered by HIPAA, when FERPA applies, and how to uphold students’ rights in both areas. Ultimately, HIPAA sets the foundation for trustworthy and secure management of health information—benefitting students, families, and schools alike.
How do FERPA and HIPAA differ in protecting student health records?
FERPA and HIPAA are both crucial laws protecting sensitive information, but they serve different purposes when it comes to student health records in educational settings.
FERPA (Family Educational Rights and Privacy Act) safeguards student privacy rights by regulating who can access and share education records, which often include health records maintained by a school nurse or counselor. FERPA gives parents and eligible students the right to review and request corrections to these records, ensuring education records privacy within educational institutions.
HIPAA (Health Insurance Portability and Accountability Act), on the other hand, is designed to protect the privacy of medical information in healthcare settings. In schools, HIPAA generally does not apply to student health records if the school receives federal funding and the records are part of the student’s education file. Instead, these records are protected by FERPA, not HIPAA. However, if a school’s health clinic operates independently and does not share information with the school, HIPAA compliance may be required.
In summary, comparing FERPA and HIPAA shows that FERPA covers most health records in schools, while HIPAA applies in limited situations. Understanding which law applies helps both educators and families protect student privacy rights and ensures proper handling of sensitive information within educational institutions.
Which law applies to university student health clinics?
When it comes to university student health clinics, the primary law that applies is the Family Educational Rights and Privacy Act (FERPA), not HIPAA. FERPA protects the privacy of student education records, which often include health and counseling records maintained by a university. This is a key point for understanding student privacy rights in the context of higher education.
Unlike most healthcare providers, university health clinics are typically part of the educational institution. This means that student health records kept by the clinic are considered education records (or, for eligible students, FERPA “treatment records”) under FERPA, ensuring education records privacy instead of HIPAA’s health data protections. HIPAA generally does not apply to these records unless the clinic provides services to non-students or operates independently of the university.
Comparing FERPA and HIPAA in this context is crucial: FERPA gives students the right to access and request amendments to their records, while also restricting how those records can be disclosed. Understanding this distinction ensures both students and staff are aware of their responsibilities and rights regarding health records in schools.
If you’re part of a university or its health clinic, focusing on educational institution HIPAA compliance is only necessary if your clinic handles health information outside the scope of education records. Otherwise, FERPA is the law to follow for protecting student health information.