HIPAA Privacy Rule Exclusions Checklist: FERPA, Employment Records, De‑Identification
This HIPAA Privacy Rule Exclusions Checklist helps you quickly determine when information falls outside the Privacy Rule scope. Use it to distinguish Protected Health Information from records excluded by the Employer Records Exception, the Educational Records Exemption under FERPA, and properly applied De-Identification Methods, so your compliance decisions are precise and defensible.
Employment Records Exclusion
What counts as employment records
Employment records held by an employer in its role as employer are excluded from HIPAA. This Employer Records Exception covers HR files created or received for hiring, placement, compensation, benefits eligibility, or fitness-for-duty—not treatment, payment, or healthcare operations. Even if a healthcare provider created the document, it is not PHI once kept solely for employment purposes.
Common examples that are not PHI
- FMLA certifications, return-to-work notes, and work restrictions maintained by HR.
- Occupational injury logs, workers’ compensation documentation, and fit-for-duty or drug test results kept for workplace safety or compliance.
- Vaccination status or respirator clearance records retained for workplace requirements.
Boundary scenarios to check carefully
- If your hospital treats an employee as a patient, those clinical records are PHI; HR may not access them without an authorization or other valid basis.
- Occupational health clinics sometimes act for the employer (employment record) and sometimes as a provider billing a health plan (PHI). Maintain separate workflows and systems.
- Keep employment records out of the EHR used for patient care and store them in HR systems with role-based access.
Quick checklist
- Role: Is the holder acting as employer or as a HIPAA covered entity providing care?
- Purpose: Employment decision/compliance versus treatment, payment, or operations?
- System: Stored in HR/occupational files, or in the clinical EHR?
- Authorization: If HR needs patient PHI, do you have a valid authorization or other permitted pathway?
Education Records and FERPA
FERPA-covered records are not PHI
Education records maintained by a school or district subject to FERPA Regulations are excluded from HIPAA. This Educational Records Exemption generally includes K–12 school nurse files, immunization records maintained by the school, and other student health entries kept in the education record.
Treatment records for postsecondary students
At the postsecondary level, “treatment records” are made or maintained by a healthcare professional, used only for treatment of the student, and disclosed only to treatment providers. These records are governed by FERPA, not HIPAA, and are excluded from PHI unless they are shared outside treatment, at which point they become education records (still under FERPA).
Setting-specific tips
- K–12 schools receiving federal funds: Student health records are generally FERPA records, not PHI.
- University health centers: Student records usually fall under FERPA; non-student patients seen by the center may be HIPAA records—segregate systems and notices accordingly.
- Private schools not subject to FERPA: Assess HIPAA applicability based on whether the institution is a HIPAA covered entity and the nature of transactions.
Quick checklist
- Is the institution subject to FERPA Regulations?
- Is the individual a student, and is the record maintained by the school?
- Is the record used exclusively for treatment (postsecondary “treatment record”)?
- If FERPA does not apply, reassess under HIPAA Covered Entities rules.
De-Identification Standards
Two De‑Identification Methods under HIPAA
- Expert Determination: A qualified expert applies accepted statistical or scientific principles and determines the risk of re-identification is very small; the expert’s methods and results are documented.
- Safe Harbor: Remove specified identifiers and have no actual knowledge that the remaining information can identify an individual.
Core Safe Harbor identifiers to remove
- Names and all geographic subdivisions smaller than a state (except initial three-digit ZIP codes meeting population thresholds).
- All elements of dates (except year) directly related to an individual; ages over 89 aggregated to “age 90 or older.”
- Telephone, fax, email, and other contact numbers or addresses.
- Social Security, medical record, health plan beneficiary, and account numbers.
- Certificate/license numbers and vehicle identifiers (including license plates).
- Device identifiers and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (e.g., fingerprints, voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Risk management for de-identified data
- Use data governance controls such as cell-size suppression, date shifting, and geographic generalization.
- Document your chosen De-Identification Methods and maintain versioned artifacts for audits.
- If you need some identifiers, consider a Limited Data Set with a data use agreement rather than full de-identification.
- Do not generate re-identification codes from actual identifiers; store linkage keys securely.
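The following Python is an added example, not part of this checklist and not code from Accountable. It applies the Safe Harbor generalizations listed above to a record (dropping direct identifiers, reducing dates to year, truncating ZIP codes to three digits, aggregating ages of 90 and over) and then applies the cell-size suppression control named under risk management. The field names, the sample records and the set of restricted ZIP prefixes are constructed assumptions; the real restricted prefixes come from Census population data. Safe Harbor's "no actual knowledge" condition and any free-text fields still need human review, which this code does not replace.

```python
"""Safe Harbor field removal/generalization plus cell-size suppression (constructed example)."""
from __future__ import annotations

from collections import Counter
from datetime import date
from typing import Any, Iterable

# Direct identifiers that Safe Harbor requires removing. These field names are
# constructed for the example and do not come from any real schema.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "license_plate",
    "device_serial", "url", "ip_address", "fingerprint_id", "photo_ref",
})

# Dates directly related to the individual are reduced to the year only.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

# Safe Harbor lets the first three ZIP digits stay only when all ZIP codes sharing
# that prefix cover more than 20,000 residents; otherwise the prefix becomes 000.
# The set below is a constructed placeholder, not the Census-derived list.
RESTRICTED_ZIP_PREFIXES = frozenset({"036", "059", "102", "203"})
ZIP_PLACEHOLDER = "000"


def generalize_zip(zip_code: str | None,
                   restricted: frozenset[str] = RESTRICTED_ZIP_PREFIXES) -> str | None:
    """Keep only the first three ZIP digits, or '000' if the prefix is restricted."""
    if not zip_code:
        return None
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        return ZIP_PLACEHOLDER  # malformed value: fail closed
    prefix = digits[:3]
    return ZIP_PLACEHOLDER if prefix in restricted else prefix


def generalize_age(age: int | None) -> str | None:
    """Safe Harbor aggregates all ages over 89 into one '90 or older' category."""
    if age is None:
        return None
    return "90 or older" if age >= 90 else str(age)


def safe_harbor(record: dict[str, Any],
                restricted: frozenset[str] = RESTRICTED_ZIP_PREFIXES) -> dict[str, Any]:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped outright
        if field in DATE_FIELDS:
            out[f"{field}_year"] = value.year if isinstance(value, date) else None
        elif field == "zip":
            out["zip3"] = generalize_zip(value, restricted)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value  # clinical content such as diagnosis codes is kept
    return out


def suppress_small_cells(records: Iterable[dict[str, Any]],
                         quasi_identifiers: tuple[str, ...],
                         min_cell_size: int = 5) -> list[dict[str, Any]]:
    """Drop records whose quasi-identifier combination appears fewer than
    min_cell_size times in the release (a governance control on top of Safe Harbor)."""
    rows = list(records)

    def cell(r: dict[str, Any]) -> tuple[Any, ...]:
        return tuple(r.get(q) for q in quasi_identifiers)

    counts = Counter(cell(r) for r in rows)
    return [r for r in rows if counts[cell(r)] >= min_cell_size]


def deidentify_release(records: Iterable[dict[str, Any]],
                       quasi_identifiers: tuple[str, ...] = ("zip3", "dob_year"),
                       min_cell_size: int = 5) -> list[dict[str, Any]]:
    """Apply Safe Harbor to every record, then suppress rare quasi-identifier cells."""
    return suppress_small_cells((safe_harbor(r) for r in records), quasi_identifiers, min_cell_size)


# Constructed sample records; every value is fictional.
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "mrn": "MRN-0001", "ssn": "000-00-0000", "phone": "555-0100",
     "street": "1 Example St", "city": "Springfield", "zip": "03601",
     "dob": date(1930, 5, 17), "age": 94, "admit_date": date(2024, 2, 3),
     "diagnosis_code": "E11.9", "ip_address": "192.0.2.10"},
    {"name": "John Roe", "mrn": "MRN-0002", "zip": "10001", "dob": date(1979, 1, 9),
     "age": 45, "admit_date": date(2024, 3, 11), "diagnosis_code": "I10"},
    {"name": "Pat Roe", "mrn": "MRN-0003", "zip": "10002", "dob": date(1979, 8, 30),
     "age": 44, "admit_date": date(2024, 4, 2), "diagnosis_code": "J45.909"},
]

if __name__ == "__main__":
    for row in deidentify_release(SAMPLE_RECORDS, min_cell_size=2):
        print(row)
```

With `min_cell_size=2`, the first sample record is suppressed because it is the only one in its (zip3, dob_year) cell, and the other two survive with their ZIP prefix reduced to "100" and dates reduced to years. Raising the threshold to the default of 5 would suppress the entire constructed set, which is the expected behaviour for a release this small.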
Covered Entity Roles
Who is a covered entity
HIPAA Covered Entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information in standard transactions. Your obligations attach when you create, receive, maintain, or transmit PHI in these roles.
Role-based boundaries inside one organization
The same organization can be both a covered entity and an employer. When you act as an employer, employment records are outside HIPAA. When you act as a provider or health plan, records meeting the PHI definition are within HIPAA. Keep policies, systems, and access controls clearly separated to prevent commingling.
Business associates (context for handling PHI)
Vendors that handle PHI for or on behalf of a covered entity are business associates and require appropriate agreements. Business associate obligations do not apply to records excluded from HIPAA, such as pure employment records, but they do apply to PHI you disclose for permitted purposes.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Health Information Scope
What is Protected Health Information
PHI is individually identifiable health information, in any form, that relates to a person’s health status, the provision of care, or payment for care. It includes identifiers combined with health data created or held by a covered entity or its business associate.
Key exclusions from the Privacy Rule Scope
- Employment records held by an employer in its role as employer.
- Education records and eligible student treatment records subject to FERPA.
- Data that meet HIPAA’s de-identification standard via Expert Determination or Safe Harbor.
Practical implications
Always ask: Who is holding the information, in what role, and for what purpose? Those answers determine whether HIPAA applies, whether FERPA controls, or whether the information is outside both because it is de-identified or purely employment-related.
Regulatory Compliance Implications
Operational practices that reduce risk
- Maintain separate systems and access pathways for HR files versus PHI; avoid storing employment records in clinical EHRs.
- Use clear policies for when HR may request PHI and require documented authorizations where needed.
- Train staff on the distinctions among PHI, FERPA education/treatment records, and employment records.
- Implement a defensible de-identification program with expert documentation or Safe Harbor checklists.
- Map data flows, classify records by role and purpose, and log disclosures consistently.
- Align retention schedules with record type (HR, education, or PHI) and applicable regulations.
Documentation to have on hand
- Written rationale when invoking the Employer Records Exception or Educational Records Exemption.
- De-identification work papers or expert attestations, plus governance policies.
- Role-based access matrices and system segregation diagrams.
- Templates for authorizations, data use agreements, and business associate agreements.
Conclusion
Effective compliance hinges on role, purpose, and identifiability. By separating employment and education records from clinical PHI, applying the right De-Identification Methods, and clarifying covered entity responsibilities, you keep the Privacy Rule scope tight, protect individuals, and reduce organizational risk.
FAQs
What types of employment records are excluded from HIPAA?
Records an employer keeps in its role as employer—such as HR files, FMLA certifications, workers’ compensation documents, drug test results, fitness-for-duty clearances, and vaccination or respirator status kept for workplace compliance—are excluded from HIPAA and are not Protected Health Information. Clinical records about an employee as a patient remain PHI and must not be commingled with HR files.
How does FERPA interact with HIPAA exclusions?
Education records maintained by FERPA-covered institutions, and treatment records for postsecondary students used only for treatment, fall under FERPA and are excluded from HIPAA. In K–12 settings, student health records are typically FERPA records, not PHI. University health centers usually manage student records under FERPA, while non-student patient records may be HIPAA-governed and must be segregated.
What criteria define de-identified health information?
Information is de-identified if it either passes Expert Determination (a qualified expert finds a very small re-identification risk and documents the methodology) or meets Safe Harbor by removing specified identifiers—such as names, detailed geography, most dates, contact numbers, account and device IDs, biometric and facial images—and you have no actual knowledge that remaining data can identify an individual.