HIPAA and Schools: When HIPAA Applies—and When FERPA Protects Student Records
FERPA Overview
The Family Educational Rights and Privacy Act (FERPA) is the baseline federal privacy law for schools that receive U.S. Department of Education funds. FERPA ties privacy obligations to federal funding compliance and gives parents—and, once a student turns 18 or attends a postsecondary institution, the eligible student—rights to access and seek amendment of education records.
Education Records include any records that are directly related to a student and maintained by the school or a party acting for the school. Access without consent is limited to school officials who have legitimate educational interests, which generally means they need the information to fulfill professional responsibilities supporting the student’s education, safety, or services.
FERPA permits, but does not require, certain disclosures without consent in defined circumstances. Outside those exceptions, schools must obtain prior written consent before sharing personally identifiable information from education records.
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of Protected Health Information held by covered entities—health plans, healthcare clearinghouses, and healthcare providers that conduct Electronic Health Transactions such as claims, eligibility checks, or referrals. HIPAA also extends to business associates that handle PHI on behalf of covered entities.
Critically for schools, HIPAA’s Privacy Rule excludes from PHI any information contained in FERPA-protected education records or in FERPA treatment records at postsecondary institutions. In practice, this means HIPAA often steps back where FERPA already applies.
Some institutions operate as “hybrid entities” by designating healthcare components (for example, a university medical center). HIPAA then applies within those designated components, while FERPA continues to govern student education records maintained by the school.
FERPA and Student Health Records
Most student health records kept by schools are governed by FERPA, not HIPAA. When school-employed health professionals—such as school nurses, athletic trainers, psychologists, or counselors—create or maintain records for K–12 students, those records are education records. As such, their use and disclosure follow FERPA’s rules, including access for staff with legitimate educational interests.
At postsecondary institutions, health or counseling center records of students may qualify as FERPA treatment records when they are maintained solely for treatment and used only by treatment providers. If these records are shared for any purpose other than treatment, or with individuals beyond the treating providers, they become education records and FERPA’s general rules apply.
- Examples typically covered by FERPA: immunization documentation submitted to the school, medication administration logs, individualized health plans tied to IEPs, nursing notes maintained in the student file, and return-to-play clearances kept by the athletics department.
- Personal notes kept solely by a provider for their own use and not shared (often called “sole possession” notes) are not education records until they are shared or maintained as part of the student file.
HIPAA and Student Health Records
HIPAA applies in school settings only in specific scenarios. If a school-based health center is operated by an external healthcare provider that is a HIPAA covered entity—and the center transmits Electronic Health Transactions—then the center’s patient records are HIPAA PHI. Similarly, a university hospital or external telehealth provider treating students as patients will handle those records under HIPAA, unless the records fall within FERPA’s education or treatment records categories.
Where HIPAA applies, disclosures of PHI generally require written authorization unless a Privacy Rule permission applies (for example, disclosures for treatment, payment, or healthcare operations; when required by law; to public health authorities; or to address a serious and imminent threat). If a HIPAA-covered clinic shares information with the school, the copy received by the school becomes an education record under FERPA.
- HIPAA likely applies: external hospital-run school clinics; university medical centers legally distinct from the educational institution; third-party telehealth providers billing insurers through Electronic Health Transactions.
- HIPAA typically does not apply: K–12 records created and maintained by school-employed health professionals; postsecondary treatment records maintained solely for treatment within a school-operated clinic; any information already classified as FERPA education records.
Disclosure of Student Health Information
Under FERPA: Schools may disclose without consent to school officials with legitimate educational interests, to another school where the student seeks or intends to enroll, to appropriate parties during a health or safety emergency, to state or local educational authorities for audits or evaluations, and to parents of dependent students for tax purposes. Directory information may be disclosed unless the parent or eligible student opts out. Otherwise, written consent is required before sharing personally identifiable information from education records.
Under HIPAA: HIPAA-covered providers may disclose PHI without authorization for treatment, payment, and healthcare operations; when required by law; to public health authorities (for example, communicable disease reporting); and to prevent or lessen a serious and imminent threat. Disclosures to schools for non-treatment purposes usually require authorization, though limited exceptions exist (such as providing proof of immunization with the parent’s or guardian’s agreement where permitted by HIPAA).
Joint Guidance on FERPA and HIPAA
Federal agencies have issued joint guidance to clarify how FERPA and HIPAA interact in schools. The key takeaway is that FERPA is the default rule for student education records, including most student health records maintained by schools, while HIPAA governs only those records held by separate covered healthcare entities that conduct Electronic Health Transactions.
- K–12: Records kept by the school or district are education records under FERPA. HIPAA does not apply to those same records.
- School-based health centers run by outside providers: Clinic records are HIPAA PHI at the clinic, but any copy shared with the school becomes a FERPA education record in the school’s possession.
- Postsecondary: Student health or counseling center records used solely for treatment are FERPA treatment records, not HIPAA PHI. Non-student patient records at university hospitals remain subject to HIPAA.
Bottom line: In the context of HIPAA and schools, FERPA protects most student health and education records maintained by the school, while HIPAA applies only in defined healthcare settings separate from the school’s education record system.
FAQs
When does HIPAA apply to student health records in schools?
HIPAA applies when a separate covered healthcare provider—such as a hospital-operated school clinic or an external telehealth service—maintains the records and conducts Electronic Health Transactions. If the information resides in the school’s student file, it is typically governed by FERPA instead.
How does FERPA protect student education records?
FERPA limits disclosure of education records to defined exceptions, requires consent for most other sharing, and grants rights to access and request corrections. It also restricts access to school officials with legitimate educational interests and ties compliance to federal funding.
What is the difference between FERPA and HIPAA in school settings?
FERPA generally governs student education records, including most health records kept by school-employed health professionals. HIPAA governs Protected Health Information held by covered healthcare entities, but it excludes FERPA education records and FERPA treatment records, so HIPAA only applies in specific, healthcare-only contexts.
Can schools disclose student health information without consent?
Under FERPA, schools may disclose without consent to school officials with legitimate educational interests, during a health or safety emergency, to another school for enrollment, and in other limited cases defined by law. HIPAA-covered providers may disclose without authorization for treatment, payment, operations, or as required by law; otherwise, authorization is typically needed to share with the school.