HIPAA Compliance for School-Based Health Centers: Requirements, FERPA vs HIPAA, and Best Practices
School-based health centers (SBHCs) sit at the intersection of education and healthcare, where Protected Health Information (PHI) and student records often coexist. This guide clarifies HIPAA compliance for school-based health centers, explains where FERPA or HIPAA applies, and outlines best practices you can implement across policies, people, facilities, and technology—especially when Electronic Health Records (EHR) and other Health Information Technology are involved.
HIPAA Regulatory Requirements
If your SBHC provides healthcare services and transmits standard electronic transactions (such as claims or eligibility checks), it is typically a HIPAA covered entity. Many SBHCs within a school district operate as a “hybrid entity,” formally designating the health center as the covered healthcare component and separating it from purely educational functions.
Core rules you must meet
- Privacy Rule: Establish how PHI is used and disclosed, apply the minimum necessary standard, provide a Notice of Privacy Practices, and honor individual rights (access, amendments, and accounting of disclosures).
- Security Rule: Protect electronic PHI (ePHI) with administrative, physical, and technical safeguards proportionate to your risks.
- Breach Notification Rule: Investigate potential incidents, perform risk assessments, and notify affected individuals (and regulators, when required) without unreasonable delay and no later than 60 days after discovery.
Operational expectations for SBHCs
- Define PHI within your environment (including paper records, EHR data, voicemail, and images) and document a designated record set.
- Appoint a privacy official and a security official; maintain policies, procedures, and sanctions; and retain documentation for at least six years.
- Execute Business Associate Agreements with vendors who handle PHI (EHR providers, telehealth platforms, billing services).
- Embed HIPAA controls in daily workflows—registration, consent, treatment, billing, referrals, and record requests.
FERPA and HIPAA Differences
FERPA protects “education records” maintained by schools, while HIPAA protects PHI held by covered healthcare entities. Which law applies depends on who creates and maintains the record and for what purpose.
Which law applies when
- SBHC operated by the school/district: Most records maintained by the school are “education records” under FERPA and are not PHI for HIPAA purposes.
- SBHC operated by an external clinic or hospital: Records kept by that provider are PHI under HIPAA; separate records retained by the school remain under FERPA.
- Treatment records under FERPA: Records used only for a student’s treatment by a physician or other professional and not shared for other purposes are “treatment records” under FERPA; once shared beyond treatment, they become education records.
Sharing between a HIPAA-covered SBHC and the school often requires Written Authorization unless an exception applies. Certain limited exchanges—such as proof of immunization to schools where required by law—may proceed with parental or eligible student agreement consistent with the Privacy Rule.
Administrative Safeguards
Risk-based governance
- Conduct an enterprise-wide risk analysis covering EHR, paper workflows, mobile devices, and third parties; update it when services, systems, or locations change.
- Implement a risk management plan with prioritized remediations, owners, and deadlines; review progress at least quarterly.
Policies, people, and processes
- Maintain policies for access management, minimum necessary, retention, release of information, incident response, and contingency planning.
- Train your workforce on the Privacy Rule and Security Rule at onboarding and at least annually, with role-specific modules for clinicians, front desk, billing, and IT.
- Establish sanctions for violations and a confidential reporting channel for privacy or security concerns.
- Map data flows (intake, referrals, telehealth, billing) to ensure PHI is safeguarded end-to-end.
- Vet vendors and sign Business Associate Agreements; verify security controls and audit rights.
Physical Security Measures
- Control facility access with keys or badges; maintain visitor logs and escort policies for non-staff.
- Secure workstations with privacy screens and automatic logoff; position monitors away from public view.
- Lock file rooms and cabinets; use clean-desk practices; store and rotate off-site backups securely.
- Protect devices: inventory, cable locking, secure storage for laptops/tablets, and signed checkout procedures.
- Dispose of PHI safely using locked shred bins and certified media destruction for drives and memory cards.
Technical Protection Strategies
- Access controls: unique user IDs, multi-factor authentication, role-based permissions, and automatic session timeouts.
- Encryption: protect ePHI in transit (TLS) and at rest (full-disk/database encryption), including on mobile devices.
- Audit controls: enable detailed EHR audit logs; review for inappropriate access; retain logs per policy.
- Integrity and availability: patch management, endpoint protection, secure configuration baselines, and tested backups with recovery time objectives.
- Secure communications: use HIPAA-capable secure messaging/telehealth; do not send PHI by unencrypted text message or email, and where email is used, encrypt it or apply equivalent safeguards.
- Network safeguards: segmentation for clinical systems, VPN for remote access, firewall rules, and intrusion detection.
- Data loss prevention: restrict external drives, manage printing, and use MDM for smartphones and tablets.
- Health Information Technology integrations: apply API security, minimum necessary data exchange, and periodic third-party security assessments.
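The audit-control bullet above in practice, as an added example (not code from the original page or from any EHR product): a small review script that flags EHR audit-log entries which fall outside a role-based minimum-necessary matrix or occur outside clinic hours, for a human reviewer to follow up. The log format, the roles, the record types and the hours are all assumptions.

```python
"""Review EHR audit-log entries for access a privacy official should examine.
Log format, role matrix and clinic hours are assumptions for this example."""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample audit log (not from any real system).
AUDIT_LOG = """timestamp,user,role,action,record_type,student_id
2024-03-04T09:12:00,jsmith,clinician,view,clinical_note,S1001
2024-03-04T09:40:00,rlee,front_desk,view,demographics,S1001
2024-03-04T10:05:00,rlee,front_desk,view,clinical_note,S1002
2024-03-04T10:06:00,rlee,front_desk,view,clinical_note,S1003
2024-03-04T22:30:00,jsmith,clinician,export,clinical_note,S1004
2024-03-04T11:00:00,bpatel,billing,view,claim,S1005
2024-03-04T11:02:00,bpatel,billing,view,psychotherapy_note,S1005
"""

# Minimum-necessary matrix (assumed): record types each role may touch.
# Psychotherapy notes carry special protections, so only clinicians get them.
ALLOWED = {
    "clinician": {"demographics", "clinical_note", "psychotherapy_note", "claim"},
    "front_desk": {"demographics"},
    "billing": {"demographics", "claim"},
}
CLINIC_HOURS = (7, 19)  # access outside 07:00-19:00 is flagged for review


def review_audit_log(text):
    """Return (user, reason, student_id) findings; an unknown role permits nothing."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        if row["record_type"] not in ALLOWED.get(row["role"], set()):
            findings.append((row["user"], "role_not_permitted:" + row["record_type"], row["student_id"]))
        hour = datetime.fromisoformat(row["timestamp"]).hour
        if not CLINIC_HOURS[0] <= hour < CLINIC_HOURS[1]:
            findings.append((row["user"], "after_hours:" + row["action"], row["student_id"]))
    return findings


def findings_by_user(findings):
    """Count findings per user, e.g. for the privacy/security dashboard."""
    return dict(Counter(user for user, _, _ in findings))


if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG):
        print(finding)
```

Each flagged row is a prompt for a documented review, not a verdict; a front-desk user may have a legitimate reason that the matrix does not capture, and that reason is what the review records.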
Authorization and Disclosure Policies
- Uses and disclosures without authorization: treatment, payment, and healthcare operations (TPO) may proceed without Written Authorization; the minimum necessary standard applies to payment and operations but not to disclosures for treatment.
- Written Authorization: required for non-TPO purposes (e.g., marketing, most disclosures to the school by a HIPAA-covered SBHC); include scope, purpose, expiration, and revocation rights.
- Emergency Disclosure Provisions: disclose PHI as needed to avert a serious and imminent threat, to public health authorities, or as required by law (e.g., abuse/neglect reporting), documenting your rationale.
- Parents and minors: under HIPAA, a parent is typically a minor’s personal representative unless state law or special circumstances limit access; align processes with applicable state consent rules.
- Special protections: apply heightened rules to psychotherapy notes and, where applicable, substance use disorder information (e.g., 42 CFR Part 2).
- Release-of-information operations: verify identity, log disclosures, use standardized forms, and fulfill access requests within required timelines.
Ongoing Compliance and Training
- Education cadence: onboarding within the first weeks of hire, annual refreshers, and ad hoc training after policy or system changes.
- Exercises and monitoring: run phishing simulations and tabletop breach drills; monitor EHR audit reports and track corrective actions.
- Program maintenance: update risk analyses at least annually, review Business Associate performance, and revise policies to reflect new services or technologies.
- Metrics and oversight: maintain a privacy and security dashboard (incidents, training completion, access reviews) reported to leadership.
- Documentation: retain policies, risk assessments, BAAs, training records, and breach files for at least six years.
Conclusion
By distinguishing FERPA from HIPAA, implementing the Privacy Rule and Security Rule through practical safeguards, and standardizing Written Authorization and Emergency Disclosure Provisions, your SBHC can protect PHI while supporting student care. Build compliance into daily workflows, leverage secure EHR and Health Information Technology, and sustain the program with training, auditing, and continuous improvement.
FAQs
What records are covered under HIPAA versus FERPA in school health centers?
Records maintained by a school or district are generally FERPA “education records” and not PHI. If an external clinic or hospital runs the SBHC, records it keeps are PHI under HIPAA. Some records used solely for treatment within the school environment may be FERPA “treatment records,” which become education records if shared beyond treatment.
How can school-based health centers ensure HIPAA compliance?
Determine covered entity status and, if needed, designate a hybrid entity. Implement policies for the Privacy Rule and Security Rule, complete a risk analysis, train staff, execute Business Associate Agreements, harden facilities and systems, and operationalize release-of-information, incident response, and auditing within your EHR and related workflows.
When is PHI disclosure allowed without consent?
HIPAA permits disclosures without Written Authorization for treatment, payment, and healthcare operations, and when required by law. Other permitted disclosures include certain public health activities, to avert a serious threat to health or safety, and specific law enforcement or oversight purposes—always applying the minimum necessary standard and documenting the basis.
What are the key administrative safeguards required by HIPAA?
Conduct and maintain a risk analysis and risk management plan; assign privacy and security officials; adopt and enforce written policies; train the workforce; apply sanctions for violations; manage vendors with BAAs; create contingency and incident response plans; and retain all required documentation for at least six years.