HIPAA Excludes Education Records Under FERPA: What You Need to Know


Kevin Henry

HIPAA

June 28, 2025


If you manage student information or provide care in a school setting, you need to know how FERPA and HIPAA intersect. The HIPAA Privacy Rule excludes FERPA education records—and certain treatment records—from the scope of HIPAA protected health information (PHI). This guide clarifies what that means in practice so you can stay compliant.

You’ll learn FERPA’s scope, which records it covers, the treatment records exclusion, and how the laws apply in K–12 and higher education, including compliance for school-based health clinics and access to university hospital records.

FERPA Definition and Scope

FERPA (the Family Educational Rights and Privacy Act) protects personally identifiable information in student records maintained by educational agencies and institutions that receive federal funding from the U.S. Department of Education. It applies broadly across most public K–12 districts and postsecondary institutions.

FERPA grants parents—and “eligible students” once they turn 18 or attend postsecondary institutions—key rights:

Private schools that do not receive federal funds generally fall outside FERPA. In those cases, other laws or institutional policies govern privacy, and HIPAA may apply if a provider is a covered entity.

Education Records Covered by FERPA

Education records are records that are directly related to a student and maintained by an educational agency or institution (or a party acting for it). Common examples include:

  • Admissions, enrollment, transcripts, grades, attendance, and class schedules.
  • Special education records (IEPs, Section 504 plans) and related service notes.
  • School nurse logs, medication administration records, immunization documentation, and screening results.
  • Advising, counseling, and disciplinary records; housing and student conduct files.
  • Directory information when designated by the school (e.g., name, major), subject to opt-out.

Not all student-related documents are education records. Exclusions include law enforcement unit records, a school employee’s non-student employment records, alumni records, “sole possession” notes, and certain postsecondary treatment records (explained below).

HIPAA Privacy Rule Overview

HIPAA establishes national standards for privacy and security of health information handled by covered entities (health plans, health care clearinghouses, and most health care providers that conduct standard electronic transactions) and their business associates. It protects PHI in any form—paper, electronic, or oral.

Under HIPAA, individuals generally have rights to access, obtain copies, request amendments, and receive an accounting of certain disclosures of their PHI. However, HIPAA’s definition of PHI excludes specific FERPA-governed student records.

FERPA Exclusion from HIPAA

The HIPAA Privacy Rule expressly excludes from PHI: (1) education records covered by FERPA and (2) postsecondary treatment records (as defined by FERPA). When a school subject to FERPA maintains a student record—even if it contains health information—HIPAA does not apply to that record.

Where HIPAA does not apply

  • K–12 student health records maintained by the school or district (nurse logs, immunizations, care plans).
  • Most campus counseling or student health center records maintained by the institution (often FERPA treatment records).
  • Athletic trainer or team physician records maintained by the school for student-athletes, when used for treatment or educational purposes.

When HIPAA may apply in school settings

  • A school-based clinic operated by a hospital or independent provider that is a HIPAA covered entity and not acting for the school.
  • A university medical center or affiliated hospital that treats students (especially as part of a hybrid HIPAA entity).
  • Private schools outside FERPA where a provider is a HIPAA covered entity.

Map out data flows and custodianship to ensure compliance for school-based health clinics. If the school maintains a copy received from a HIPAA provider, that copy becomes a FERPA education record at the school.

Treatment Records Under FERPA

At postsecondary institutions, treatment records are records of an eligible student made or maintained by a physician, psychiatrist, psychologist, or other recognized professional, used only in connection with treatment, and disclosed only to individuals providing that treatment. These records are excluded from “education records,” yet FERPA protects them.

  • Use and disclosure: Only for treatment and only to treating providers. If disclosed for non-treatment purposes, they become education records.
  • Student access: Typically, students do not have a direct right to inspect treatment records, but they may designate a qualified professional to review them. Institutions often provide access through established processes.
  • HIPAA interplay: Because of the treatment records exclusion under FERPA, these records are not HIPAA PHI when maintained by the institution.

FERPA and HIPAA in Postsecondary Institutions

Universities may function both as educational institutions (subject to FERPA) and health care providers (subject to HIPAA). Many designate health-care components (e.g., a university hospital) as a HIPAA “hybrid entity.” Understanding which component maintains the record determines which law applies.

  • Student health or counseling center maintained by the institution: Records are FERPA treatment records, not HIPAA PHI.
  • University hospital or external clinic treating a student: Records are typically HIPAA PHI maintained by the provider. HIPAA access rights apply, and the provider needs proper authorization or a permitted basis to share with the school.
  • Athletics and sports medicine: If the trainers or team physicians are school employees maintaining student-athlete files, those are FERPA education records or treatment records, not HIPAA PHI. Sharing within the institution must follow FERPA.

Clarify the procedures for access to university hospital records for students versus non-students, and document cross-entity sharing rules. Use written agreements to define roles, ensure minimum necessary disclosures, and align FERPA and HIPAA requirements across units.

Disclosure Requirements for Education Records

As a default, schools must obtain prior written consent from the parent or eligible student before disclosing personally identifiable information from education records. A valid consent specifies the records to be disclosed, the purpose, and the recipient; it is signed and dated (electronic signatures are acceptable if authenticated).

FERPA allows certain disclosures without consent in defined circumstances, including:

  • To school officials (including contractors/consultants) with legitimate educational interests.
  • To another school where the student seeks or intends to enroll, or is already enrolled.
  • To specified officials for audit or evaluation purposes.
  • In connection with financial aid (eligibility, amount, conditions, or enforcement).
  • To organizations conducting studies for or on behalf of the school.
  • To accrediting organizations.
  • To comply with a judicial order or lawfully issued subpoena (with required notice).
  • To appropriate officials in a health or safety emergency.
  • To state and local authorities within a juvenile justice system, as allowed by state law.
  • To parents of a dependent student (as defined by the IRS).
  • Directory information, if the student has not opted out.
  • Certain disciplinary outcomes for crimes of violence or nonforcible sex offenses, as permitted by FERPA.

Schools must keep a record of most disclosures, train staff on role-based access, and routinely review directory information designations. Clear consent forms and standardized processes reduce risk and improve compliance.

Conclusion

In short, when a school maintains student records, FERPA—not HIPAA—almost always governs, and HIPAA expressly excludes those records. Identify who maintains each record, limit disclosures to what FERPA permits, and coordinate with any HIPAA-covered clinics or hospitals to ensure compliant, need-to-know sharing.

FAQs

What types of records are excluded from HIPAA under FERPA?

Two categories are outside HIPAA: (1) FERPA education records maintained by a school (e.g., K–12 nurse logs, immunizations, care plans, IEPs) and (2) postsecondary treatment records used only for treatment and disclosed only to treating providers. These records are protected by FERPA, not HIPAA.

How does FERPA protect education records?

FERPA gives you rights to access and seek amendment, restricts disclosure of personally identifiable information without consent, and requires schools to follow defined exceptions and recordkeeping rules. It applies to institutions receiving federal education funds and covers a wide range of academic and student services records.

When does HIPAA apply instead of FERPA?

HIPAA applies when a HIPAA covered health care provider—not acting for the school—maintains the record, such as a university hospital or outside clinic treating a student, or at private schools outside FERPA where the provider is a covered entity. In those cases, records are PHI and HIPAA access and disclosure rules control.

Written consent must identify the specific records, state the purpose, and name the recipient; it must be signed and dated (including authenticated electronic signatures). FERPA written consent exceptions allow certain disclosures without consent—such as to school officials with legitimate educational interests, to another school for enrollment, for audits, in health or safety emergencies, and for directory information if not opted out.
