HIPAA Privacy Rule for Students: A Clear, Quick Summary of PHI, Rights, and Responsibilities

Kevin Henry

HIPAA

January 24, 2024

6-minute read
HIPAA Privacy Rule Scope

The HIPAA Privacy Rule sets national standards for how health information is used and disclosed. As a student, you encounter it when you access patient data in clinics, hospitals, or school-based health settings. The rule applies to covered entities and, because a covered entity must hold its workforce to its HIPAA policies, to that workforce, which includes students during clinical experiences.

Covered entities are health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions. A school or university may not be a covered entity as a whole, but a campus health clinic or school-based health center can be a covered provider, or the institution can be a hybrid entity with a designated health care component. During clinical rotations, you function under that component’s policies and are expected to follow HIPAA just like staff.

Not all student records fall under HIPAA. Many records maintained by educational institutions are governed by FERPA instead. Understanding whether HIPAA or FERPA applies is the first step to handling information correctly.

Protected Health Information

Protected Health Information, or PHI, is Individually Identifiable Health Information created or received by a covered entity or its business associate that relates to a person’s health, care, or payment for care. If an individual can be identified, and the information is held by a covered entity, it is likely PHI.

  • Common PHI elements include names, addresses, contact information, dates related to care, full-face photos, medical record numbers, diagnoses, medications, lab results, and insurance details.
  • De-identified data is not PHI. Remove direct identifiers and ensure no reasonable basis exists to identify the person. Use only the minimum necessary PHI for your task; the minimum necessary standard does not apply to disclosures for treatment.

FERPA Exemption and Relationship

HIPAA expressly excludes from PHI any information defined as Education Records or Treatment Records under FERPA. In K–12 settings, health records maintained by the school (for example, by the school nurse) are typically Education Records and therefore not subject to HIPAA.

In colleges and universities, medical or counseling records for students maintained by the institution for treatment are FERPA Treatment Records, not HIPAA PHI, unless shared beyond treatment in ways that convert them to Education Records. Records for non-students treated at a university clinic can be HIPAA PHI.

Parental consent rules differ under FERPA and HIPAA. Under FERPA, parental consent is generally required to disclose Education Records, with specific exceptions. Under HIPAA, a parent is usually the minor’s personal representative, but state laws may grant minors control over certain services, limiting parental access. Always follow the stricter applicable rule and your site’s policy.

Disclosure to School Health Personnel

Under HIPAA, disclosures without an authorization are permitted for treatment, payment, and health care operations; to avert a serious threat to health or safety; for certain public health activities; for child abuse or neglect reporting; and when required by law. A health care provider may disclose proof of immunization to a school with a parent’s or eligible student’s agreement, which can be oral if documented.

If your school clinic is a covered component, sharing PHI with teachers or administrators generally requires the patient’s authorization unless an exception applies. For minors, parents often receive information as personal representatives, but state-specific minor consent rules may limit that access. When in doubt, consult your preceptor or privacy officer before disclosing.

Student Rights Under HIPAA

When you are a patient of a covered entity, you have HIPAA rights. These include the right to access and obtain a copy of your PHI, request amendments to inaccurate information, receive an accounting of certain disclosures, request restrictions and confidential communications, and obtain a Notice of Privacy Practices.

These HIPAA rights apply to PHI held by covered entities. If your records are Education Records or Treatment Records under FERPA, your rights arise under FERPA instead. Ask which law governs your records so you can exercise the correct set of rights.

Student Responsibilities Under HIPAA

  • Use only the minimum necessary PHI to perform your role, and access records only for patients involved in your care or learning assignment.
  • Do not share PHI with classmates, faculty, or school staff unless they are part of the patient’s care or permitted under policy. Never post PHI to social media or messaging apps.
  • Secure PHI at all times: log off shared workstations, avoid downloading PHI to personal devices, encrypt approved devices, and store papers in locked areas.
  • De-identify case presentations. Remove names, dates, images, and unique identifiers. Do not take patient photos or recordings without explicit, documented authorization.
  • Verify identity before disclosures, speak quietly in public spaces, and avoid discussing cases in hallways or elevators.
  • Complete required privacy training before clinical rotations, follow site policies, wear your badge, and immediately report a suspected breach or a misdirected fax or email.

Compliance with HIPAA

Covered entities safeguard PHI through policies, training, role-based access, audit logs, and administrative, physical, and technical controls. As part of the workforce, you must follow those safeguards, document as required, and cooperate with investigations of privacy incidents.

Violations can trigger civil penalties enforced by the Office for Civil Rights and, for willful misuse such as obtaining PHI under false pretenses or for personal gain, possible criminal penalties. Schools and clinical sites may also impose disciplinary action, including removal from a rotation or other program consequences.

Conclusion

Know whether HIPAA or FERPA applies, limit access to the minimum necessary, disclose PHI only when permitted, and secure information at every step. These habits keep patients safe, protect you during training, and support a culture of privacy and trust.

FAQs

What types of information are protected under HIPAA?

HIPAA protects PHI held by covered entities or their business associates. PHI is Individually Identifiable Health Information about a person’s health, care, or payment that can identify the individual. Examples include names, contact details, dates, medical record numbers, diagnoses, medications, lab results, imaging, and insurance information. Properly de-identified data is not PHI.

How does FERPA interact with HIPAA for student records?

HIPAA excludes FERPA Education Records and FERPA Treatment Records from its definition of PHI. In K–12 schools and most campus settings, student health records are governed by FERPA, not HIPAA. University clinics may handle non-student patients under HIPAA while student records remain under FERPA. Determine which law applies before using or disclosing information.

What rights do students have under the HIPAA Privacy Rule?

As patients of covered entities, students can request access to their PHI, seek corrections, receive an accounting of certain disclosures, request restrictions, ask for confidential communications, and obtain a Notice of Privacy Practices. If the record is an Education Record or Treatment Record under FERPA, the FERPA rights framework applies instead.

How can students ensure compliance during clinical internships?

Complete privacy training, follow site policies, use the minimum necessary PHI, and keep information secure on screens, on paper, and on devices. Verify identities before sharing, de-identify case work, avoid social media disclosures, and report incidents immediately. During clinical rotations, treat yourself as part of the covered entity’s workforce and act accordingly.
