HIPAA Excludes Education Records Covered by FERPA: What’s Included and What Isn’t


Kevin Henry

June 28, 2025


When student information includes health details, you must decide whether FERPA or HIPAA controls the record. This guide clarifies how FERPA defines Education Records, what it leaves out, and why HIPAA’s Privacy Rule generally does not apply to FERPA-covered files—so you can classify and disclose data correctly.

FERPA Definition of Education Records

Under FERPA, Education Records are records that are directly related to a student and maintained by an educational agency or institution (or a party acting for it). The format does not matter; paper files, databases, emails, photos, audio, and video can all be Education Records if they meet this standard.

Typical Education Records include:

  • Transcripts, report cards, grades, and academic progress notes
  • Class schedules, enrollment histories, and attendance logs
  • Advising files, disciplinary records, and financial aid information
  • Student housing, disability services documentation, and scholarship files

Parents hold FERPA rights in K–12. At age 18 or when a student attends a postsecondary institution, those rights transfer to the student—known as Eligible Student Rights. These include the right to inspect and review records, request amendments to inaccurate data, and consent to most disclosures of personally identifiable information.

FERPA Exclusions and Exceptions

Several categories are not Education Records under FERPA. Key exclusions include:

  • Law Enforcement Unit Records created and maintained by a school’s law enforcement unit for a law-enforcement purpose
  • Sole possession notes used only as a personal memory aid and not shared (except with a temporary substitute)
  • Employment records of individuals who are not students; for student employees, records are excluded only if the job is unrelated to student status
  • Alumni records that relate exclusively to a person after they are no longer a student
  • Treatment Records for a student who is 18 or older or attending a postsecondary institution, made or maintained by a recognized health professional solely for treatment and disclosed only to persons providing that treatment; if disclosed for non-treatment purposes, they become Education Records

FERPA also contains narrow disclosure exceptions that permit sharing without consent in specific situations (for example, to school officials with Legitimate Educational Interests or during a health or safety emergency). A fuller list appears below under “Disclosure and Access Rights under FERPA.”

HIPAA Exclusion for FERPA-Covered Records

HIPAA’s Privacy Rule protects Protected Health Information (PHI), which is a subset of Individually Identifiable Health Information created or received by a HIPAA covered entity in connection with treatment, payment, or healthcare operations. Crucially, HIPAA excludes from PHI both Education Records covered by FERPA and FERPA-defined Treatment Records for postsecondary students.

As a result, the following are not PHI under HIPAA because FERPA governs them:

  • K–12 nurse logs and immunization records maintained by the school
  • University counseling center or student health center files maintained solely for treating enrolled students
  • Student accommodation and disability documentation kept by the institution

HIPAA still applies in education-adjacent contexts when records are not FERPA-covered, such as care provided to non-students by a campus clinic that bills electronically, services at a separate university hospital, or telehealth delivered by an outside provider. Note that employment records held by an employer are not PHI under HIPAA even if they contain health information, though the provider’s clinical records about that employee-patient are PHI.

Applicability of FERPA in Educational Institutions

FERPA applies to educational agencies and institutions that receive funds from U.S. Department of Education programs. That includes most public K–12 districts and public colleges, as well as many private institutions that accept federal funds.

Within an institution, access to Education Records without consent is limited to school officials with Legitimate Educational Interests—meaning they need the information to perform instructional, supervisory, advisory, or support duties. Contractors, consultants, and service providers can also be considered school officials when they are performing institutional services under the institution’s direct control.

Vendors that store or process Education Records on the institution’s behalf are subject to FERPA requirements through contracts. Regardless of where the data sits, if it is maintained for the school and directly relates to a student, FERPA applies.

Applicability of HIPAA in Healthcare Settings

HIPAA applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions (for example, electronic billing). Many healthcare organizations designate themselves as “hybrid entities,” applying HIPAA only to their healthcare components; Business Associates that handle PHI for covered entities must also safeguard it.

In and around schools, HIPAA typically applies when:

  • A campus or affiliated hospital, physician practice, or counseling clinic operates as a separate covered entity and treats patients (students or non-students) while billing electronically
  • Outside providers deliver telehealth or on-site services on campus and keep their own patient records
  • Non-student patients (faculty, staff, visitors) receive care from a covered provider

By contrast, student clinical files maintained by a school’s own health or counseling center for treatment are governed by FERPA (as Education Records or Treatment Records) and are excluded from HIPAA.

Overlap Between FERPA and HIPAA in Postsecondary Institutions

In universities, both laws may be present, but the same record is never subject to both at once. Use these rules of thumb:

  • If the university maintains the record for a student and it directly relates to that student, it is usually an Education Record under FERPA.
  • If the record is a postsecondary student’s Treatment Record used solely for treatment by recognized health professionals, FERPA governs it as a Treatment Record and HIPAA excludes it.
  • If a separate, HIPAA-covered provider (for example, an affiliated but distinct hospital) creates and maintains the record, HIPAA governs it as PHI.
  • If a Treatment Record is disclosed for non-treatment purposes, it becomes an Education Record and FERPA’s access and disclosure rules apply.

Scenarios: A student seen at the campus counseling center—FERPA. The same student later seen at a separate university hospital—HIPAA. An athletic trainer’s treatment notes for a student-athlete—FERPA Treatment Records; if shared with coaches for non-treatment reasons, they become Education Records.

Disclosure and Access Rights under FERPA

FERPA sets a default rule of consent for disclosures of personally identifiable information from Education Records. Parents (K–12) and eligible students (postsecondary or age 18+) have the right to inspect and review Education Records within a reasonable period (up to 45 days), request amendments to inaccurate or misleading information, and file complaints about violations.

Common disclosures permitted without prior consent include:

  • To school officials with Legitimate Educational Interests
  • To another school where the student seeks or intends to enroll
  • To specified officials for audit or evaluation of education programs
  • To organizations conducting studies for or on behalf of the institution
  • To accrediting organizations
  • To comply with a judicial order or lawfully issued subpoena (with required notice, when applicable)
  • In a health or safety emergency, to appropriate parties whose knowledge is necessary to protect health or safety
  • To parents of a dependent student as defined by federal tax law
  • Directory information the institution has designated, provided the student has not opted out
  • To a victim of a crime of violence or non-forcible sex offense regarding the final results of a disciplinary proceeding; in certain cases, final results may be disclosed more broadly

Remember: Law Enforcement Unit Records are not Education Records; they may be shared by the law enforcement unit without implicating FERPA, though copies of Education Records provided to that unit remain subject to FERPA at their source.

Bottom line: If a student record is covered by FERPA (including Treatment Records), HIPAA does not apply. HIPAA governs only when a separate covered healthcare entity creates and maintains patient records outside FERPA. Classifying the record first—by who maintains it, for what purpose, and under which authority—ensures you apply the right rule every time.

FAQs

What types of education records are excluded under FERPA?

Exclusions include Law Enforcement Unit Records kept for a law-enforcement purpose; sole possession notes not shared; employment records of non-student employees (and student-employee records only when the job is unrelated to student status); alumni records about individuals after attendance; and postsecondary Treatment Records kept solely for treatment by recognized health professionals and disclosed only to treatment providers.

How does HIPAA define Protected Health Information in education settings?

Protected Health Information (PHI) is Individually Identifiable Health Information held by a HIPAA covered entity in connection with treatment, payment, or healthcare operations. In education settings, HIPAA expressly excludes FERPA-covered Education Records and FERPA-defined Treatment Records. Student files maintained by a school health or counseling center are therefore not PHI, while records kept by a separate hospital or outside clinician are PHI.

When does HIPAA apply instead of FERPA in postsecondary institutions?

HIPAA applies when a separate covered provider (for example, an affiliated hospital or outside telehealth service) creates and maintains the record, when non-students receive care from a covered provider, or when clinical services operate as a distinct HIPAA-covered component. If the university itself maintains student records for educational or treatment purposes, FERPA governs and HIPAA does not.

What are the disclosure exceptions for education records under FERPA?

Without prior consent, schools may disclose to officials with Legitimate Educational Interests; to another school for enrollment; to auditors, evaluators, and organizations conducting studies; to accrediting bodies; to comply with subpoenas or court orders (with required notice, when applicable); in a health or safety emergency; to parents of dependent students; and for designated directory information if the student has not opted out. Certain disciplinary outcomes may also be shared with victims or, in limited cases, more broadly.
