HIPAA Privacy Rule for Students: What You Need to Know and How It Differs from FERPA
HIPAA Privacy Rule Applicability to Schools
The HIPAA Privacy Rule governs protected health information (PHI) held by a HIPAA covered entity—health plans, health care clearinghouses, and health care providers that transmit standard electronic transactions. In schools, HIPAA usually does not apply because most student health records are governed by FERPA, and HIPAA expressly excludes FERPA “education records” and “treatment records” from PHI.
HIPAA may apply when a school operates or partners with a health care provider that bills electronically, such as certain student health clinics or a university hospital. In these cases, the provider component must comply with HIPAA for the PHI it maintains, while student records that qualify as FERPA education or treatment records remain outside HIPAA.
Typical scenarios
- K–12 nurse records maintained by the school are FERPA education records, not HIPAA.
- A university counseling or medical service that keeps records solely for treatment maintains FERPA treatment records, not HIPAA.
- A university hospital that treats the public is a HIPAA covered entity; non‑student patient records are HIPAA, while qualifying student records may fall under FERPA.
- A private school that receives no U.S. Department of Education funds is not under FERPA; if it runs a clinic that is a HIPAA covered entity, HIPAA applies to those health records.
FERPA Applicability to Schools
FERPA applies to educational agencies and institutions that receive U.S. Department of Education funds, which includes virtually all public K–12 districts and most colleges and universities. FERPA protects the privacy of student education records and grants rights to parents and, once students turn 18 or attend postsecondary school, to “eligible students.”
FERPA protected information includes any education records—records that are directly related to a student and maintained by the school or a party acting for the school. This can encompass nurse logs, medication administration records, and disability‑related documentation when maintained in the education record.
Core protections under FERPA
- Right to inspect and review education records.
- Right to seek amendments to inaccurate or misleading records.
- Consent requirement before disclosure, subject to defined exceptions (for example, to school officials with legitimate educational interests or in a health or safety emergency).
- Transfer of rights from parents to eligible students at age 18 or upon postsecondary enrollment.
Health Information in Education Records
When health details are kept in a student’s central file—such as nurse visits, care plans, or disability accommodations—they are education records under FERPA. The HIPAA Privacy Rule does not apply to these records because they are FERPA‑governed.
Schools should handle this data on a need‑to‑know basis consistent with FERPA’s “legitimate educational interest” standard. Limit internal access to staff who must use the information to educate, support, or protect the student, and maintain secure storage and clear retention practices per state and local requirements.
Access and disclosure under FERPA
- Parents (or eligible students) may review education records upon request within required timelines.
- Schools may share with officials who have a legitimate educational interest and with another school where the student seeks or intends to enroll.
- Disclosures may occur without consent in emergencies to protect the health or safety of the student or others, and as otherwise permitted by FERPA.
Health Information in Treatment Records
For postsecondary students, records made or maintained by campus clinicians and used only in connection with treatment are FERPA treatment records. They are not education records and are excluded from HIPAA’s definition of PHI. If these records are shared for non‑treatment purposes, they become education records and then fall under FERPA’s general rules.
Students generally do not have a right to inspect treatment records directly, but they may have them reviewed by a treating professional of their choice. Where campus providers also serve non‑students or operate as part of a broader HIPAA covered entity, non‑student patient files remain subject to HIPAA while student treatment records remain FERPA records.
Student health clinics and mixed settings
- Student health clinics that bill electronically may be part of a “hybrid entity.” The health care component complies with HIPAA for PHI it holds, while FERPA still governs student education or treatment records.
- Operationally, maintain separate record sets and access controls to avoid improper mingling of FERPA and HIPAA data.
Disclosure of Immunization Records
HIPAA permits a health care provider to send proof of immunization to a school that is required by law to have such documentation, based on a documented verbal or written agreement from the parent or from the student if an adult or emancipated minor. This targeted immunization records disclosure does not require a formal HIPAA authorization.
Once the school receives proof of immunization, it becomes part of the education record and is governed by FERPA. Schools may disclose this information without consent only under FERPA exceptions, such as a health or safety emergency or to another school upon transfer, and must also follow applicable state immunization laws.
Practical steps for schools and providers
- Confirm the legal requirement for proof of immunization and document the parent or eligible student agreement.
- Exchange only the information required by law (for example, vaccine type and dates).
- File the documentation within the education record and apply FERPA rules to any subsequent disclosure.
Joint Guidance on FERPA and HIPAA
Federal agencies have issued joint federal guidance to clarify how FERPA and HIPAA interact in school settings. The guidance explains which law applies to student health clinics, how education records and treatment records are defined, and when HIPAA permits disclosures to schools, such as for immunization verification.
Key takeaways from joint federal guidance
- Most student records in schools subject to FERPA are outside HIPAA’s scope.
- University hospitals and clinics may be HIPAA covered entities; however, qualifying student records can still be FERPA education or treatment records.
- HIPAA allows proof‑of‑immunization disclosures to schools that must collect them, based on a documented agreement.
- Clear governance, role‑based access, and separate systems help maintain compliance across both laws.
FERPA vs HIPAA Privacy Awareness
Building privacy awareness means helping staff quickly decide which rule applies and what steps to take. Train administrators, school nurses, counselors, coaches, and student health clinic personnel on the boundaries between FERPA protected information and HIPAA PHI.
Quick decision guide
- Who holds the record? School/district or postsecondary institution (likely FERPA) versus an external HIPAA covered entity.
- What type of record is it? Education records or treatment records under FERPA, or PHI held by a HIPAA covered entity.
- Why is disclosure sought? Apply FERPA exceptions or HIPAA permissions accordingly and document the rationale.
- Does state law require or permit sharing (for example, immunizations)? Follow the specific state requirement and record consent or agreement as needed.
Operational tips
- Use written policies that separate FERPA education/treatment records from HIPAA PHI.
- Limit access to staff with a legitimate educational interest; for HIPAA components, apply role‑based access and auditing.
- Document parent or eligible student consents, releases, or agreements, especially for immunization records disclosure.
- Coordinate across legal, nursing, counseling, athletics, and IT to keep workflows consistent and secure.
In short, the HIPAA Privacy Rule for Students intersects with FERPA based on who holds the record, the record’s purpose, and funding status. Most K–12 and many campus records are FERPA education or treatment records, while HIPAA applies to PHI held by covered health providers. Knowing which rule applies lets you share what is necessary, protect what is sensitive, and comply with both laws.
FAQs
Does HIPAA apply to elementary and secondary schools?
Generally no. Most K–12 student health records are FERPA education records, which HIPAA excludes from PHI. HIPAA may apply only if a school operates a HIPAA covered entity (for example, a clinic that bills electronically) and then only to the PHI that clinic maintains, not to the school’s education records.
How does FERPA protect student health information?
FERPA protects privacy in education records by granting parents or eligible students rights to access, seek corrections, and generally require consent before disclosure. It permits limited disclosures without consent, such as to school officials with a legitimate educational interest, to another school upon transfer, or in a health or safety emergency.
When is student health information subject to HIPAA rather than FERPA?
Student health information is subject to HIPAA when it is held by a HIPAA covered entity that is not maintaining the information as a FERPA education or treatment record—for example, a university hospital treating the general public or a private school clinic that bills electronically and is not subject to FERPA. Non‑student patient files at such providers are HIPAA PHI.
Can schools disclose immunization records under HIPAA?
Schools themselves are usually governed by FERPA, not HIPAA. Under HIPAA, a health care provider may disclose proof of immunization to a school that is required by law to collect it, based on a documented verbal or written agreement from the parent or adult student. After the school receives it, FERPA controls any further disclosure.