HIPAA for Students: A Simple Definition and Why It Matters


Kevin Henry

HIPAA

January 23, 2024


Understanding HIPAA for Students helps you know when your health details are protected, who may see them, and how school records differ from medical files. This guide explains Protected Health Information, Education Records, and how privacy regulations apply so you can make informed choices about your student health data.

HIPAA Overview

Simple definition

HIPAA (the Health Insurance Portability and Accountability Act) sets national rules for how health care organizations use, share, and safeguard Protected Health Information. It includes the Privacy Rule, Security Rule, Breach Notification Rule, and standards for Electronic Health Transactions.

Key terms you should know

  • Protected Health Information (PHI): Any individually identifiable health information about your past, present, or future physical or mental health, care received, or payment for care.
  • Covered Entities: Health plans, health care clearinghouses, and health care providers that conduct Electronic Health Transactions (for example, electronic billing). These organizations must follow HIPAA.
  • Business Associates: Vendors that handle PHI for a covered entity (such as cloud storage or billing services). They must protect PHI through contracts and security safeguards.

What HIPAA gives you

What HIPAA does not cover

HIPAA generally does not apply to education records protected by FERPA. When your information is part of a school’s Education Records, different privacy regulations govern access and disclosures.

FERPA Overview

What FERPA is

FERPA (the Family Educational Rights and Privacy Act) protects the privacy of Education Records at schools that receive U.S. Department of Education funds. It defines who may access records and when consent is required to share them.

What counts as Education Records

  • Records directly related to a student and maintained by the school or a school official, including many kinds of student health data kept by K–12 schools (such as immunization records, nurse logs, medication administration records, and IEP-related health information).
  • At colleges and universities, certain counseling or campus clinic notes may be kept as “treatment records” used only for treatment; they are still governed by FERPA, not HIPAA, unless handled by a separate covered health care component.

Your FERPA rights

  • Inspect and review Education Records; parents hold these rights until a student turns 18 or attends postsecondary education (then the student becomes an “eligible student”).
  • Request amendment of inaccurate or misleading records.
  • Consent to most disclosures, with limited exceptions (for example, health or safety emergencies and legitimate educational interests).

HIPAA and FERPA Relationship

HIPAA and FERPA are complementary privacy regulations. HIPAA’s Privacy Rule specifically excludes FERPA-protected Education Records (and postsecondary treatment records) from PHI. That means most health information kept by a school is not subject to HIPAA; it is protected by FERPA instead.

Quick rule of thumb

  • K–12 student health records kept by the school: FERPA applies; HIPAA does not.
  • Care you receive from an outside provider (doctor’s office, telehealth service): HIPAA applies to the provider’s records.
  • University or district clinic that operates as a HIPAA covered entity and conducts Electronic Health Transactions: HIPAA applies to that clinic’s records; once information is placed in the school’s Education Records, FERPA governs that copy.

Sharing between providers and schools

A HIPAA-covered provider may share necessary information with a school nurse or school official when permitted by HIPAA (for example, for treatment, to comply with immunization documentation requirements, or with appropriate consent). After the school receives the information, it becomes part of the Education Records and is protected under FERPA.

HIPAA Application in Schools

When HIPAA does apply

  • School-based clinics run by a hospital, health department, or university that bill insurance electronically are covered entities; their records are PHI and must meet HIPAA’s privacy and security standards.
  • Telehealth or athletic training services provided by outside covered entities to students, when those entities conduct Electronic Health Transactions.
  • Universities designated as “hybrid entities” where the health care component (such as a medical center) follows HIPAA, even if the rest of the institution follows FERPA.

When HIPAA generally does not apply

  • School nurse records, counseling notes used for educational purposes, medication logs, and IEP health documentation maintained by a K–12 school are Education Records under FERPA, not PHI.
  • Copies of outside medical records placed in a student’s school file are governed by FERPA once maintained by the school.

Why Electronic Health Transactions matter

If a provider or clinic transmits standard electronic claims, eligibility checks, or other covered transactions, it becomes a HIPAA covered entity. That status triggers strict safeguards for Protected Health Information and formal Health Privacy Compliance obligations.

FERPA Application in Schools

K–12 settings

  • Most student health data maintained by the school—nurse visits, immunizations, emergency care plans, and medication administration—are FERPA Education Records.
  • Schools may share information without consent in limited cases, such as a health or safety emergency or with school officials who have a legitimate educational interest.

Higher education settings

  • Counseling center or campus health service records used only for treatment are “treatment records” under FERPA. They are not accessible to others except for treatment or as otherwise permitted by law; if used for non-treatment purposes, they become Education Records.
  • If a university clinic is a HIPAA covered entity, its clinical records are governed by HIPAA; academic records remain under FERPA.

Practical implications

Ask whether the service you’re using is part of the school (FERPA) or a separate covered entity (HIPAA). Knowing this determines how you access records, who may see them, and which consent rules apply.

Health Information in Schools

Best practices for Health Privacy Compliance

  • Identify which records fall under FERPA versus HIPAA and store them separately.
  • Use written consent forms for non-exempt disclosures and keep a record of when and why information is shared.
  • Limit access to student health data to staff with a legitimate educational or treatment need.
  • Protect electronic files with strong authentication and encryption, especially when handling Electronic Health Transactions.
  • Work with vendors under appropriate agreements to safeguard student health data.

What students and families can do

  • Ask who maintains your records and which privacy regulations apply.
  • Request copies of your records and review them for accuracy.
  • Set preferences for how the school or clinic may contact you about health matters.

Conclusion

In short, HIPAA for Students matters because your privacy rights change depending on where your information lives. Health care providers that are covered entities must protect PHI under HIPAA, while schools protect Education Records under FERPA. Knowing the difference helps you navigate consent, access your records, and keep your student health data private.

FAQs

What is HIPAA and who does it protect?

HIPAA is a federal law that protects the privacy and security of Protected Health Information held by covered entities (health plans, clearinghouses, and providers that conduct Electronic Health Transactions) and their business associates. It gives patients rights over their medical records and limits how PHI can be used and disclosed.

How does FERPA differ from HIPAA in schools?

FERPA protects Education Records maintained by schools, which often include student health data in K–12 settings. HIPAA generally does not apply to those school records. HIPAA applies to records kept by covered health care providers or clinics—such as a hospital-run school clinic—especially when they bill electronically.

When does HIPAA apply to student health information?

HIPAA applies when your information is held by a covered health care entity, like a doctor’s office, telehealth service, or a school-based clinic operated by a hospital or health department that conducts Electronic Health Transactions. Once those records are maintained by the school as part of your Education Records, FERPA governs that copy.

Are school health clinics subject to HIPAA?

It depends on how the clinic is organized. If the clinic is part of a covered entity (for example, run by a hospital or health department) and bills electronically, HIPAA applies to its records. If the clinic is operated by the school and records are kept by the school, those records are typically Education Records protected by FERPA, not HIPAA.
