HIPAA Doesn’t Apply to FERPA Education Records — Here’s Why
In schools, most student health information sits inside “education records.” Because HIPAA expressly excludes those records from protected health information, HIPAA generally does not govern them. Instead, FERPA sets the rules for education record privacy, consent requirements, and day-to-day handling across K–12 districts and higher education.
Legal Framework of HIPAA
What HIPAA Regulates
HIPAA establishes national standards for the privacy, security, and breach notification of protected health information (PHI). It applies to covered entities—health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions—and to their business associates. Its Privacy Rule defines how PHI may be used or disclosed; its Security Rule safeguards electronic PHI; its Breach Notification Rule dictates incident response.
Why HIPAA Doesn’t Apply to FERPA Education Records
HIPAA’s Privacy Rule excludes from PHI two FERPA-defined categories: education records and certain postsecondary treatment records. When a school (or a party acting for it) maintains student health information as part of the student’s education record, that data is governed by FERPA, not HIPAA. This exclusion is the core reason HIPAA doesn’t apply to FERPA education records.
Privacy Rule Exceptions Relevant to Schools
When HIPAA does apply (for example, in a hospital-run clinic on campus), the Privacy Rule allows limited disclosures without authorization—such as to avert a serious threat, for public health reporting, or as required by law. A provider may also disclose a student’s immunization status to a school with appropriate consent. These privacy rule exceptions do not convert FERPA records into HIPAA records; they simply permit specific disclosures by covered entities.
Scope of FERPA Education Records
What Counts as an Education Record
FERPA covers records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for it. In practice, this often includes nurse logs, immunization records submitted to the school, medication administration sheets, special education files, concussion clearance notes, and counseling documentation maintained by the school.
Treatment Records at Postsecondary Institutions
Postsecondary “treatment records” are made or maintained by a physician or other recognized health professional, used only in connection with the student’s treatment, and disclosed only to individuals providing that treatment. They are excluded from the definition of “education records” only while they stay within treatment; once disclosed for any other purpose, they become education records. In both states FERPA, not HIPAA, is the governing rule, because HIPAA excludes treatment records as well. Eligible students may request these records be reviewed by a provider of their choice, converting them to education records.
Access Rights and Consent Requirements
FERPA grants parents (and eligible students at age 18 or upon enrollment in postsecondary education) rights to inspect, seek amendment, and control disclosure of education records. Schools may share records internally with officials who have a legitimate educational interest and externally under defined exceptions, such as a health or safety emergency. Consent requirements under FERPA are thus central to education record privacy.
Distinctions Between HIPAA and FERPA
Who Is Covered
HIPAA regulates covered entities and their business associates. FERPA regulates educational agencies and institutions receiving U.S. Department of Education funds, along with their designated school officials and service providers acting on their behalf.
What Is Covered
HIPAA protects PHI held by covered entities. FERPA protects education records (and certain treatment records) maintained by schools. The same piece of student health information can be FERPA in the school’s student information system but HIPAA at an external clinic—context and custody determine the rule set.
Consent Models and Privacy Rule Exceptions
HIPAA generally requires an authorization for non–treatment, non–payment, non–operations uses of PHI, tempered by privacy rule exceptions. FERPA hinges on prior written consent for disclosures unless a specific exception applies (for example, legitimate educational interest or emergencies). Data segregation—keeping HIPAA and FERPA records distinct—is crucial to apply the correct consent requirements.
Enforcement and Remedies
HIPAA is enforced by HHS’s Office for Civil Rights and carries civil and criminal penalties. FERPA is overseen by the U.S. Department of Education; enforcement focuses on institutional compliance and education record privacy rather than monetary penalties against schools.
Implications for Educational Institutions
K–12 Districts
Student health information kept by a school nurse, counselor, or athletic department is typically an education record under FERPA. Schools must control access by legitimate educational interest, document consent when required, and align practices with education record privacy rather than HIPAA’s covered-entity framework.
Colleges and Universities
University health centers may be HIPAA covered entities if they bill electronically. Even so, records about students maintained by a university in its role as an educational institution are regulated by FERPA. Records about non-students (for example, employees or community patients) in the same clinic may be HIPAA, making role-based access and data segregation essential.
Employees, Contractors, and Non-Student Patients
Employee medical records are not student education records and may fall under HIPAA or employment laws. Contracted providers working in schools can create HIPAA records that never become FERPA unless shared with and maintained by the school. Clear scoping and regulatory compliance mapping avoid misclassification.
Operational Takeaway
Treat custody and purpose as your compass: where the record lives and why it was created drive whether HIPAA or FERPA applies. Build processes, systems, and training around that distinction.
Handling of Health Records in Schools
Day-to-Day Student Health Information
Schools routinely manage immunization compliance, medication administration, injury and illness logs, and IEP/504 health components. These are education records. Share them inside the institution only with officials who need them to support student success and safety.
Sharing with School Officials and Teachers
Under FERPA, you may share relevant student health information with teachers, coaches, or transportation staff who have a legitimate educational interest. Provide only what is necessary to meet the student’s needs—an operational analogue to HIPAA’s minimum-necessary principle.
Emergencies and Safety
FERPA permits disclosure of education records without consent when needed to address a health or safety emergency. Document the threat and the parties informed. If an outside provider is involved, HIPAA’s exception to prevent or lessen a serious and imminent threat may also permit disclosure on the provider side.
Working with External Providers
When a hospital-run school-based health center treats students, the clinic’s records are HIPAA. If the clinic shares information with the school, the copy the school maintains becomes a FERPA education record. Keep systems and workflows separate to maintain clean data segregation and correct consent pathways.
Compliance Strategies for FERPA and HIPAA
Map Roles, Records, and Systems
Inventory who creates student health information, where it is stored, and which rule set applies. Designate hybrid-entity components where applicable, and separate student information systems from HIPAA electronic health records to prevent commingling.
Strengthen Access and Disclosure Controls
Use role-based access, audit logs, and standardized disclosure workflows. Under FERPA, define “school official” and “legitimate educational interest.” Under HIPAA components, apply the minimum-necessary standard where it applies, and maintain business associate agreements for vendors handling PHI.
Consent Management and Notices
Maintain clear consent forms for FERPA disclosures and HIPAA authorizations where applicable. Provide required annual FERPA notices to parents and eligible students, and ensure HIPAA components issue a Notice of Privacy Practices. Verify identity before releasing records.
Training, Monitoring, and Incident Response
Train staff on the FERPA–HIPAA boundary, privacy rule exceptions, and breach reporting. Conduct periodic audits, reconcile directory information policies, and test incident response so you can act quickly while maintaining regulatory compliance.
Case Studies on FERPA-HIPAA Intersections
1) K–12 School Nurse Shares Allergy Plan with a Teacher
The allergy plan is an education record maintained by the school. Sharing it with a teacher who has a legitimate educational interest is permitted under FERPA. HIPAA does not apply because the record is not PHI held by a covered entity.
2) Hospital-Operated School-Based Health Center
The clinic is a HIPAA covered entity. Records it maintains are HIPAA. If it sends a care summary to the school, the clinic retains a HIPAA record, while the copy the school keeps becomes a FERPA education record. Each party applies its own rule set; data segregation prevents confusion.
3) University Counseling Center Within the Institution
Student counseling notes maintained by the university for treatment are FERPA treatment records, not HIPAA. If those notes are shared outside treatment—for example, with the dean—they become education records under FERPA. The university’s HIPAA obligations may apply only to non-student patients within a designated health care component.
4) Contracted Athletic Trainer
If the trainer is employed by the district, records about students are FERPA education records. If the trainer works for a hospital and documents in the hospital’s EHR, those records are HIPAA at the hospital. Any information the school receives and maintains becomes FERPA.
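The decision logic that the Operational Takeaway, the Map Roles section, and these four case studies describe (custody and purpose select the rule set, then the rule set selects the consent pathway) can be written down as a small classifier. The code below is an added illustration, not from the original page or from Accountable; the field names, the purpose strings, and the constructed case-study inputs are assumptions chosen to mirror the page’s categories.

```python
from dataclasses import dataclass
from enum import Enum


class Regime(Enum):
    FERPA_EDUCATION = "FERPA education record"
    FERPA_TREATMENT = "FERPA treatment record (postsecondary)"
    HIPAA_PHI = "HIPAA PHI held by a covered entity"
    OTHER = "not a student record; employment or other law applies"


@dataclass(frozen=True)
class HealthRecord:
    custodian: str                    # "school" (incl. its own clinic) or "external_covered_entity"
    about_student: bool = True        # subject is a student of the custodian school
    postsecondary: bool = False
    treatment_only: bool = False      # made by a health professional, used/disclosed only for treatment
    in_hipaa_component: bool = False  # held in the school's designated health care component


def classify(rec: HealthRecord) -> Regime:
    """Custody and purpose pick the rule set: an outside covered entity's records are HIPAA;
    school-maintained student records are FERPA (treatment or education); school-held
    non-student records are HIPAA only inside a designated health care component."""
    if rec.custodian == "external_covered_entity":
        return Regime.HIPAA_PHI
    if not rec.about_student:
        return Regime.HIPAA_PHI if rec.in_hipaa_component else Regime.OTHER
    if rec.postsecondary and rec.treatment_only:
        return Regime.FERPA_TREATMENT
    return Regime.FERPA_EDUCATION


# Consent-free pathways named on this page, keyed by assumed purpose strings.
FERPA_EXCEPTIONS = {"legitimate_educational_interest", "health_safety_emergency"}
HIPAA_EXCEPTIONS = {"treatment", "payment", "operations", "serious_threat",
                    "public_health", "required_by_law"}


def disclosure_decision(regime: Regime, purpose: str) -> tuple[bool, str]:
    """Return (permitted_without_consent, basis). A treatment record used beyond
    treatment is re-evaluated as an education record, as case study 3 describes."""
    if regime is Regime.FERPA_TREATMENT:
        if purpose == "treatment":
            return True, "FERPA treatment record shared with a treatment provider"
        return disclosure_decision(Regime.FERPA_EDUCATION, purpose)
    if regime is Regime.FERPA_EDUCATION:
        if purpose in FERPA_EXCEPTIONS:
            return True, f"FERPA exception: {purpose}"
        return False, "FERPA prior written consent required"
    if regime is Regime.HIPAA_PHI:
        if purpose in HIPAA_EXCEPTIONS:
            return True, f"HIPAA Privacy Rule permits: {purpose}"
        return False, "HIPAA authorization required"
    return False, "outside FERPA/HIPAA; apply employment or other law"
```

A copy the school receives and maintains is classified by constructing a new `HealthRecord` with `custodian="school"`, which is how case studies 2 and 4 resolve to FERPA for the school-held copy.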
Conclusion
HIPAA doesn’t apply to FERPA education records because HIPAA expressly excludes them from PHI. Classify records by who maintains them and for what purpose, apply the right consent requirements, and keep HIPAA and FERPA systems and workflows cleanly separated to ensure student health information remains protected and compliant.
FAQs
What is the difference between HIPAA and FERPA?
HIPAA protects PHI held by covered entities and their business associates, while FERPA protects student education records maintained by schools. If a student health record is maintained by the school as part of the education record, FERPA—not HIPAA—governs access and disclosure.
How are health records handled under FERPA?
Health records maintained by the school (for example, nurse logs, medication forms, IEP health sections) are education records. Schools share them internally only with officials who have a legitimate educational interest and externally with consent or under FERPA’s defined exceptions, such as a health or safety emergency.
When does HIPAA apply in educational settings?
HIPAA applies when a covered entity—like a hospital-run school clinic or a university’s designated health care component—creates or maintains the record. Even then, records about students that the school maintains as education or treatment records remain under FERPA, not HIPAA.
Can educational institutions share records without violating HIPAA or FERPA?
Yes. Under FERPA, schools may disclose without consent to officials with a legitimate educational interest or during a health or safety emergency, among other exceptions. When a HIPAA covered entity is involved, the Privacy Rule allows specific disclosures (for example, to prevent a serious threat) consistent with its exceptions. Careful data segregation and documentation keep both laws satisfied.