HIPAA and IDEA: A Practical Guide to Student Privacy and Special Education Services


Kevin Henry


November 08, 2025


FERPA Overview

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records maintained by schools. It covers records that are directly related to a student and kept by a school or a party acting for the school. These records include personally identifiable information in paper or digital formats.

What FERPA Covers

  • Education records: transcripts, individualized education programs (IEPs), evaluations, discipline records, and health files maintained by the school nurse.
  • Exclusions: sole-possession notes kept for personal memory, law-enforcement unit records, and employment records unrelated to student status.

Access and Disclosure

Parents and eligible students (at age 18 or in postsecondary settings) may inspect and review records and request corrections. Schools may share records without consent only with school officials who have legitimate educational interests or under other narrowly defined exceptions.

Outside those exceptions, FERPA’s written consent requirements apply. A valid consent identifies the specific records, the purpose of the disclosure, and the recipient, and it can be revoked prospectively. Emergency disclosures are permitted when necessary to protect the health or safety of the student or others.

Directory Information

Schools may designate limited “directory information” (for example, name or participation in activities) but must notify families and provide an opt-out. Directory information cannot include Social Security numbers or sensitive identifiers.

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for health information privacy. It applies to covered entities such as healthcare providers that transmit certain transactions electronically, health plans, and healthcare clearinghouses.

When HIPAA Applies in School Contexts

  • HIPAA generally does not apply to health records that are education records under FERPA; those are governed by FERPA.
  • HIPAA may apply to services delivered by outside or affiliated clinics (for example, a hospital-run school-based health center) where records are not maintained by the school.
  • Under HIPAA, providers may disclose protected health information for treatment, payment, and healthcare operations, and may make emergency disclosures to prevent or lessen a serious threat.

In short, FERPA usually governs school health files, while HIPAA governs health information held by outside medical providers, not the school.

FERPA and Special Education

Special education records—evaluations, eligibility determinations, IEPs, progress reports, and related service notes—are education records protected by FERPA. Staff may access them only when they have legitimate educational interests in serving the student.

Key Practices

  • Limit access to those who need the information to provide instruction, accommodations, or services.
  • Store and transmit records securely; maintain audit trails of access and disclosures where feasible.
  • Use parental consent when sharing with outside therapists, physicians, or agencies unless a FERPA exception applies.

Schools should distinguish formal records from sole-possession notes kept by a counselor or psychologist for personal reference; those notes are not shared and are not part of the education record unless disclosed beyond the maker.

IDEA Privacy Protections

The Individuals with Disabilities Education Act (IDEA) reinforces FERPA through confidentiality mandates specific to special education. It governs the collection, storage, disclosure, and destruction of data collected under IDEA.

Core IDEA Safeguards

  • Notice to parents describing how personally identifiable information is used and protected.
  • Parental consent for initial evaluations, initial provision of services, and most disclosures to parties other than officials participating in the student’s education.
  • Right to inspect and review records, request amendments, and receive copies when failure to provide them would effectively prevent review.
  • Data minimization and destruction of records that are no longer needed to provide services, with notice to parents prior to destruction.
  • Age-of-majority transitions: rights transfer to the student at 18 in many states, with continued privacy protections.

FERPA vs. HIPAA in Schools

Quick Decision Guide

  • Record kept by the school or a party acting for the school: FERPA applies, not HIPAA.
  • Record kept by an external medical provider or hospital clinic: HIPAA applies to that provider’s records; FERPA applies once information is incorporated into the student’s education record at school.
  • School nurse records maintained by the school: governed by FERPA, including emergency disclosures under FERPA’s health or safety exception.
  • Telehealth by an outside provider: likely HIPAA for the provider’s records; any summaries placed in school files become FERPA records.

When uncertainty arises, ask who maintains the record, for what purpose, and under whose control. That determines whether FERPA or HIPAA governs the information.

Sharing Information Between Providers

Effective support often requires coordination between schools and healthcare providers. Align your process with both written consent requirements and minimum-necessary principles.

  • Use a targeted, time-limited consent specifying what will be shared, with whom, and why.
  • Exchange only information necessary to plan or deliver services; avoid full record transfers unless required.
  • Document the disclosure and file the consent in the student’s record.
  • FERPA permits disclosures to school officials with legitimate educational interests and in health or safety emergencies.
  • Transfers to a new school where the student seeks or intends to enroll are allowed, consistent with local procedures.
  • HIPAA allows treatment-related sharing between healthcare providers; however, disclosures from a provider to a school typically require authorization unless a specific HIPAA exception applies.

In all cases, apply clear confidentiality mandates, use secure channels, and avoid redisclosure beyond what consent or law permits.

Parental Rights Under FERPA

Parents have robust privacy rights. You can inspect and review your child’s records, request corrections of inaccurate or misleading entries, and provide or withhold parental consent for most disclosures outside the school.

  • Receive annual notice of rights and the school’s procedures for accessing records.
  • Know who qualifies as a school official and what constitutes legitimate educational interests.
  • Opt out of directory information disclosures when offered by the school.
  • Receive notice of certain disclosures, such as those made under a court order or subpoena, unless prohibited.

Conclusion

In schools, FERPA is the primary shield for education records, while HIPAA protects health information held by outside providers. IDEA adds special education–specific safeguards, emphasizing parental consent, careful handling of personally identifiable information, and prudent emergency disclosures. By aligning procedures with these frameworks, you protect student privacy while enabling effective services.

FAQs

How does HIPAA differ from FERPA in schools?

FERPA governs education records maintained by schools, including most health files kept by school personnel. HIPAA governs health information privacy for covered healthcare entities, such as hospitals or outside clinics. If a clinic shares a summary with the school and it becomes part of the student’s file, that copy is protected by FERPA, while the clinic retains HIPAA obligations for its own records.

IDEA reinforces confidentiality mandates for data collected to identify, evaluate, and serve students with disabilities. Parents have rights to notice, access, and amendment of records, and parental consent is required for many disclosures beyond officials involved in the student’s education. IDEA also supports data minimization and timely destruction of records that are no longer needed for services, with prior notice to families.

FERPA permits limited disclosures without consent, including to school officials with legitimate educational interests, to a receiving school where the student seeks or intends to enroll, to address health or safety emergencies, to comply with certain court orders or subpoenas (with notice, when allowed), and to specified officials for audit, evaluation, or state law–authorized functions. Outside these exceptions, written consent is required before releasing special education records.
