HIPAA and Section 504: What Applies to Student Privacy and 504 Plans
Understanding how HIPAA, FERPA, and Section 504 interact is essential for protecting student privacy while delivering accommodations. This guide clarifies what applies to student health information, how to handle records, and how to build compliant 504 plans in U.S. schools.
HIPAA Applicability to Schools
When HIPAA applies
HIPAA applies only when student information is held by a healthcare provider or organization that qualifies as a Covered Entity (for example, a hospital, public health department, or private clinic) and maintains Protected Health Information (PHI). In a school setting, this most often occurs when a school-based health center is operated by an outside medical provider rather than the school itself.
When HIPAA does not apply
For most K–12 schools, health information maintained by the school (such as nurse logs, medication administration records, and action plans) is part of the student’s education record and is governed by FERPA—not HIPAA. If a HIPAA Covered Entity shares health information with the school to support learning or safety, the copy the school keeps becomes an education record under FERPA.
Key implications
- Do not assume all medical details are PHI; in schools, they are usually education records protected by FERPA’s Educational Records Privacy rules.
- HIPAA’s “minimum necessary” standard guides healthcare providers; schools instead follow FERPA’s access limits based on Legitimate Educational Interest.
FERPA Applicability and Student Records
What FERPA covers
FERPA protects education records—any records directly related to a student and maintained by the school or its agents. This includes most health information kept by school personnel. Parents (and “eligible students” at age 18 or in postsecondary education) have rights to inspect, review, and request corrections to these records.
Access based on Legitimate Educational Interest
Schools may share information from education records without consent to school officials who have a Legitimate Educational Interest—those who need the data to fulfill professional responsibilities for the student’s instruction, safety, or services. This access standard is central to day-to-day practice and frames who may view sensitive health notes.
Section 504 Requirements for Schools
Coverage and nondiscrimination
Section 504 applies to entities receiving Federal Financial Assistance, which includes nearly all public schools and many private schools. It prohibits disability-based discrimination and requires Disability Discrimination Compliance across academics and nonacademic services.
FAPE through Section 504
Schools must provide a Free Appropriate Public Education (FAPE) to eligible students with disabilities. A Section 504 team—people knowledgeable about the student and the data—determines eligibility and documents needed aids, services, and accommodations in a 504 plan.
Core responsibilities
- Identify, locate, and evaluate students who may have disabilities impacting learning or access.
- Develop and implement 504 plans, train staff, and monitor effectiveness.
- Maintain grievance procedures and designate a 504 coordinator.
Handling Health Information in Education Records
Collect and keep only what is relevant
Gather health data necessary to determine eligibility or implement accommodations—no more. Typical items include physician notes confirming a condition, medication orders, and emergency or condition-specific action plans (e.g., asthma, diabetes, seizure).
Access and storage
- Limit access to personnel with a Legitimate Educational Interest (e.g., school nurse, relevant teachers, transportation staff, coaches).
- Store records securely, separating day-to-day nurse notes from the 504 plan and attaching only what the team needs to deliver services.
- Document parent/guardian consent for obtaining information from outside providers when appropriate.
Use within the school
Share health details on a need-to-know basis to implement accommodations and ensure safety. When provider documents enter the school system, they become education records and follow FERPA’s Educational Records Privacy protections.
Disclosure Rules Under FERPA and HIPAA
FERPA: disclosures without prior consent (key examples)
- To school officials with a Legitimate Educational Interest.
- To another school where the student seeks or intends to enroll.
- To appropriate parties during a health or safety emergency.
- To state or local education authorities for audits or evaluations.
- To comply with a judicial order or lawfully issued subpoena (with required notice, when applicable).
- Directory information, if the family has not opted out and the disclosure meets district policy.
HIPAA: disclosures relevant to schools
- For treatment, payment, or healthcare operations by the Covered Entity.
- As required by law or to public health authorities (e.g., reportable diseases).
- To avert a serious and imminent threat to health or safety.
- Proof of immunization to a school, consistent with HIPAA allowances, with appropriate parent/guardian agreement.
Once HIPAA-protected information is provided to and maintained by the school, it generally becomes a FERPA-governed education record.
Incorporating Health Data in Section 504 Plans
From diagnosis to educational impact
Translate clinical information into school-based needs. The 504 team should connect the condition’s functional impact to specific supports, documenting only the health data necessary to justify and implement accommodations.
Common health-related accommodations
- Medication administration, access to snacks/hydration, restroom and health breaks.
- Emergency action plans (e.g., hypoglycemia, seizures) and staff training.
- Testing adjustments (extended time, separate setting) when health symptoms affect performance.
- Flexible attendance or assignment deadlines during flare-ups or treatment.
- Access to the nurse, self-monitoring or self-carry of supplies when appropriate.
Process safeguards
- Obtain and record parent consent for sharing information with outside providers when needed.
- Identify which staff members receive specific health details, following Legitimate Educational Interest.
- Review and update the plan regularly, and whenever health status or school demands change.
Section 504 Protections for Extracurricular Activities
Equal opportunity beyond the classroom
Section 504 protections extend to athletics, clubs, field trips, performances, competitions, and other nonacademic services. Schools must remove barriers, provide reasonable modifications, and supply aids or services so students with disabilities can participate alongside peers.
Practical expectations
- Provide needed health supports during activities (e.g., trained staff for medication or emergency response).
- Offer policy modifications where appropriate (e.g., carrying medical supplies, snack access, rest periods).
- Make individualized, evidence-based safety decisions; do not exclude students based on generalizations about a disability.
- Ensure accessible transportation and facilities for events and trips.
Conclusion
In most K–12 settings, FERPA—not HIPAA—governs student health information held by schools, while HIPAA may apply to outside medical providers. Section 504 requires Disability Discrimination Compliance and FAPE, using relevant health data to drive accommodations. Handle records with FERPA’s Educational Records Privacy rules and share only with those who have a Legitimate Educational Interest.
FAQs
Does HIPAA apply to student health records in schools?
Typically no. Most student health information maintained by a school is an education record covered by FERPA. HIPAA may apply to records kept by an outside healthcare provider (a Covered Entity), but copies shared with the school become FERPA records.
What privacy protections does Section 504 provide for students?
Section 504 prohibits disability discrimination by recipients of Federal Financial Assistance and ensures a Free Appropriate Public Education. It requires schools to limit access to disability-related information to those with a Legitimate Educational Interest and to use health data only to implement necessary aids, services, and accommodations.
How does FERPA differ from HIPAA in schools?
FERPA governs education records and grants parents/eligible students rights to access, amend, and control disclosures. HIPAA governs Protected Health Information held by Covered Entities. In schools, FERPA usually controls; HIPAA mainly affects external providers and the information they maintain before it is shared with the school.