HIPAA Compliance for School Counselors: What Applies Under FERPA vs. HIPAA and How to Stay Compliant
FERPA Overview and Applicability
FERPA is the primary federal law governing educational records privacy in U.S. schools that receive Department of Education funds. It protects “education records,” meaning records that are directly related to a student and maintained by the school or a party acting for the school.
Under FERPA, parents control access to their child’s education records until the student turns 18 or attends a postsecondary institution, at which point the rights transfer to the “eligible student.” School counselors are considered school officials and may access records when they have a legitimate educational interest, that is, when the access is needed to fulfill their professional duties.
Not every document a counselor creates becomes part of the education record. Sole-possession notes kept only as a personal memory aid and not shared are outside the record. Law-enforcement-unit records and employee records are also excluded. FERPA contains targeted exceptions that allow certain disclosures, which are covered later in this guide.
HIPAA Overview and Applicability
HIPAA protects individually identifiable health information, known as protected health information (PHI), when held or transmitted by covered entities under HIPAA—health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions (such as electronic billing).
Most K–12 schools themselves are not HIPAA covered entities. Critically, HIPAA excludes from PHI any records that are “education records” under FERPA or qualifying “treatment records” maintained by postsecondary institutions. HIPAA can apply in school settings when an external healthcare provider (for example, a hospital-operated school-based health center) delivers care and bills electronically.
If a school operates both educational functions and a clinic that bills electronically, it may designate the clinic as a HIPAA “health care component” (a hybrid entity). In that case, the clinic’s PHI is subject to HIPAA, while typical student records remain under FERPA. Vendors handling PHI for a HIPAA component generally require Business Associate Agreements.
Distinctions Between FERPA and HIPAA for Health Records
When FERPA governs
- School-employed healthcare provider records (for example, a school nurse or counselor employed by the district) that are maintained by the school are education records and fall under FERPA.
- Health information embedded in special education documentation (IEPs, 504 plans) or stored in the cumulative or confidential health folder is a FERPA education record.
- K–12 counseling notes shared beyond sole possession, or used to make decisions about a student, become part of the FERPA record.
When HIPAA governs
- Records maintained by outside providers who are covered entities under HIPAA—such as a hospital-run school-based clinic or a private therapist not employed by the school—are HIPAA records.
- Telehealth services delivered by an external provider to a student, where the provider bills electronically, create HIPAA PHI even if the session occurs on campus.
- If PHI from an external provider is shared with the school and placed in the student’s file, that copy becomes a FERPA education record while the provider’s original record remains HIPAA PHI.
Bottom line: FERPA usually controls records maintained by the school; HIPAA controls records held by external healthcare providers or a school’s HIPAA-covered clinic. The two laws are mutually exclusive for the same copy of a record.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Permissible Disclosures Without Consent
Under FERPA
FERPA’s regulations on disclosure without consent allow targeted, need-to-know sharing. Key examples include:
- To school officials (including teachers and school counselors) with a legitimate educational interest.
- To another school where the student seeks or intends to enroll.
- To specified officials for audit or evaluation, and to organizations conducting studies for the school.
- To accrediting bodies and in connection with financial aid.
- To comply with a judicial order or subpoena (typically with prior notice).
- Directory information, if the family has not opted out.
- Health or safety emergency exceptions, allowing disclosure to appropriate parties when necessary to protect the student or others.
Under HIPAA
HIPAA permits use and disclosure of PHI without authorization for treatment, payment, and healthcare operations. Additional permissions relevant to schools include:
- When required by law (for example, certain reporting laws).
- To prevent or lessen a serious and imminent threat to health or safety.
- For public health activities, and reports of abuse or neglect consistent with law.
- To parents as a minor’s personal representative where permitted by state law.
- Immunization information to schools with appropriate parental agreement as allowed by HIPAA.
Whenever you disclose, share only the minimum necessary under HIPAA and document what was shared, with whom, and why. Under FERPA, share only what is relevant to the legitimate purpose and record the basis for emergency disclosures.
Compliance Strategies for School Counselors
- Map data flows: identify what information you collect, who creates and maintains it, and whether each record is a FERPA education record or HIPAA PHI.
- Define access by role: grant access to those with a legitimate educational interest; apply minimum necessary principles for any HIPAA-covered clinic or external-provider information.
- Standardize consent: use plain, specific authorization forms for routine sharing with external providers; refresh them annually or when circumstances change.
- Strengthen security: maintain locked physical files; use encrypted devices, strong authentication, and secure messaging for digital records.
- Prepare for emergencies: prewrite decision trees invoking health or safety emergency exceptions and train staff on when and how to disclose.
- Vendor and partner management: if a clinic or telehealth partner is a covered entity under HIPAA, ensure Business Associate Agreements (as needed) and clear data-sharing MOUs.
- Document diligently: maintain request logs, disclosure logs, and rationales for exceptional sharing; implement retention and destruction schedules consistent with district policy.
- Train annually: brief all staff handling student information on FERPA basics, HIPAA touchpoints, and local procedures for disclosure without consent.
This guidance is informational and not legal advice; coordinate with your district counsel to tailor policies to state law and local practice.
Managing Health Records Within Schools
Build a clear record architecture
- Maintain a confidential health folder separate from the cumulative education file; include only information needed for educational decisions and student support.
- Keep sole-possession counseling notes separate and private; once shared for decision-making, they become education records under FERPA.
- Segregate any HIPAA clinic component’s PHI from FERPA records; do not commingle systems or user access.
Operational practices that reduce risk
- Use standardized intake forms that distinguish external-provider information from school-created notes.
- Adopt secure e-fax or secure messaging when exchanging information with outside providers; promptly file and label inbound documents.
- Apply data minimization: collect only what you need, share only what is necessary, and redact extraneous clinical detail when appropriate.
- Log parent and student requests, track response deadlines, and record any denials with reasons.
- When a student transfers, transmit only the FERPA education record portions required by receiving schools; keep a record of what was sent.
Responding to Health and Safety Emergencies
Make fast, defensible decisions
- Assess whether there is an articulable and significant threat to the health or safety of the student or others. If yes, FERPA’s health or safety emergency exceptions allow sharing with those who need the information to respond.
- Share promptly with first responders, threat assessment teams, administrators, and parents/guardians as appropriate; disclose only the details necessary to mitigate the threat.
- If information originates from an external HIPAA provider, HIPAA permits disclosure to avert a serious and imminent threat and when required by law; coordinate with the provider if time allows.
- Document the facts, recipients, information shared, and your rationale. After the incident, conduct a debrief and update protocols and training.
Conclusion
For school counselors, the practical rule is simple: records maintained by the school are typically FERPA records; records held by outside providers are typically HIPAA PHI. Know which law applies, limit access to those with a legitimate educational interest, disclose only what is necessary, and document every exception. With clear procedures and training, you can support student well-being while staying compliant.
FAQs
When does FERPA apply instead of HIPAA for student records?
FERPA applies when records are maintained by a school or district receiving federal education funds, including most school-employed healthcare provider records. HIPAA generally does not apply to those education records, while external providers’ records remain HIPAA PHI.
How can school counselors identify applicable privacy laws?
Ask three questions: Who created and maintains the record? Why is it kept (education decision-making or clinical care)? Is the custodian a school (FERPA) or a covered entity under HIPAA? The answers usually reveal whether FERPA or HIPAA controls that specific copy.
What are the permitted disclosures under FERPA?
FERPA allows disclosure without consent to school officials with a legitimate educational interest, to another school for enrollment, for audits, studies, accreditation, financial aid, to comply with certain legal processes, directory information (if not opted out), and under health or safety emergency exceptions.
How should counselors handle health records maintained by external providers?
Treat them as HIPAA PHI unless and until information is placed in the student’s education record. Seek written authorization for routine sharing, exchange only what’s necessary, and memorialize roles with MOUs. Once incorporated into the school file, the shared copy becomes a FERPA education record.