HIPAA Rules for School Nurses: What Applies, What Falls Under FERPA, and How to Stay Compliant
As a school nurse, you sit at the intersection of education and healthcare. Knowing when HIPAA applies, when FERPA controls, and how to handle student information confidently is essential to protecting privacy and keeping care moving. This guide clarifies the dividing lines and gives you practical steps to stay compliant day to day.
FERPA Applicability to Student Health Records
What counts as education records in a health context
In most K–12 settings, student health records you create or maintain are Education Records under FERPA. That includes immunization records, medication administration logs, individual health plans, screening results, and nurse visit notes that are kept by the school or district. Because they identify a student, these records contain Personally Identifiable Information (PII) and must be protected accordingly.
Access and parent/eligible student rights
FERPA gives parents the right to inspect and request amendment of their child’s education records. When a student turns 18 or enrolls in postsecondary education, these rights transfer to the “eligible student.” You should have a clear process for responding to inspection requests within required timelines and documenting any amendments or statements of disagreement.
Sole possession notes and internal sharing
Brief notes you keep solely as a personal memory aid and never share are not education records. Once notes inform decisions about a student or are shared with others, they become part of the FERPA file. Within the school, you may share information with “school officials” who have a legitimate educational interest, but always apply a need-to-know standard and record disclosures when required.
HIPAA Exemptions for School Nurses
Education records are excluded from HIPAA
HIPAA does not apply to education records protected by FERPA. If you are employed by a public school or a private school that receives funds from the U.S. Department of Education, the student health records you maintain are generally FERPA records, not HIPAA Protected Health Information. HIPAA’s privacy and authorization rules do not govern those records.
Other HIPAA exclusions that often matter in schools
- Treatment records of postsecondary students are excluded from HIPAA and handled under FERPA’s special “treatment records” category until disclosed for non-treatment purposes.
- Employment records held by an employer (e.g., staff injury reports kept solely for employment purposes) are not HIPAA PHI. Keep staff health records separate from student files and apply the correct rule set to each.
Exceptions When HIPAA Applies
School-based health centers run by outside providers
If a hospital, FQHC, county health department, or other Covered Entity operates a clinic on campus, that clinic’s records are HIPAA PHI. When the clinic shares information with you for care coordination, your school’s copy becomes a FERPA education record, while the clinic retains HIPAA obligations.
Private schools not covered by FERPA
Private K–12 schools that do not receive U.S. Department of Education funds are not subject to FERPA. If such a school (or its health service) conducts Electronic Health Transactions—like submitting insurance claims or eligibility checks in standard formats—it may be a HIPAA Covered Entity, and HIPAA will apply to its health records.
Employee health clinics and occupational health
When a clinic serving school employees operates as part of a Covered Entity and bills insurers electronically, HIPAA governs those employee patient records. Keep student records walled off from employee health files and apply the correct rule to each dataset.
Immunization documentation from providers
Healthcare providers covered by HIPAA may disclose proof of immunization to a school with the parent’s (or eligible student’s) agreement. Once received, that documentation is a FERPA education record in your custody.
Parental Consent Requirements under FERPA
When consent is required
As a rule, you need written parental consent before disclosing PII from education records to anyone outside the school. This includes routine communication with external physicians, therapists, or pharmacies when there is no emergency.
When consent is not required
- Health and Safety Emergency: You may disclose necessary information to appropriate parties (such as EMS or treating clinicians) to protect the student or others.
- School Officials: Teachers, administrators, or contracted providers performing institutional services under the school’s direct control, with a legitimate educational interest.
- Transfers: Another school where the student seeks or intends to enroll.
- Required Disclosures: Certain reports mandated by state law (e.g., communicable disease, child abuse) or disclosures under a court order or subpoena, following required notice procedures.
Elements of a valid FERPA consent
Ensure the consent is signed and dated and specifies (1) the records to be disclosed, (2) the purpose of the disclosure, and (3) the party or class of parties to whom the disclosure may be made. Time-limit consents where appropriate and allow revocation in writing.
Sharing Health Information with Providers
From the school to an outside provider (FERPA governs)
To send education records to a student’s pediatrician, therapist, or dentist, you typically need written FERPA consent unless a Health and Safety Emergency exists or the provider is acting as a school official under your direct control. Build workflows that verify the legal basis before releasing any PII.
From a provider to the school (HIPAA permits treatment disclosure)
HIPAA permits a Covered Entity to share PHI with another provider for treatment without authorization. That means a community physician may send you relevant information to support care at school as a Treatment Disclosure. Once you receive it, the information becomes a FERPA education record and must be handled under FERPA going forward.
Practical tips to streamline compliant sharing
- Use a FERPA consent form that authorizes two-way communication with named providers and describes the purpose (care coordination, medication management, return-to-play decisions).
- Standardize emergency protocols so staff know when the Health and Safety Emergency exception applies and how to document the decision.
- Maintain a disclosure log when required by FERPA and train staff not to redisclose information beyond the stated purpose.
State Laws Impacting Health Record Disclosure
Stricter privacy and minor-consent rules
Many states give minors confidentiality for certain services (e.g., reproductive health, mental health, substance use). If a student lawfully consents to care under state law, additional limits may apply to parent access and disclosures. Always check state-specific rules before sharing sensitive information.
Mandatory reporting and registries
States often require schools to report immunizations, communicable diseases, or suspected abuse. FERPA permits disclosures required by state statute. Build clear pathways to make mandated reports without over-disclosing unrelated PII.
Resolving conflicts
When state law imposes stricter privacy protections than FERPA or HIPAA, follow the more protective rule where both can be honored. If obligations genuinely conflict, pause and seek Legal Counsel Guidance to document the analysis and choose a defensible path.
Compliance Best Practices for School Nurses
Create a simple data map
- Label each record set as FERPA Education Records, HIPAA PHI (if a clinic partner is involved), or employment records. This prevents accidental cross-use.
- Separate student and staff files and restrict access by role and need-to-know.
Control access and secure storage
- Use strong authentication, locked storage, and minimum-necessary sharing inside the school.
- Document who can see what, for what purpose, and how long you retain records.
Standardize forms and logs
- Maintain FERPA-compliant consent forms for routine exchanges with pediatricians and therapists.
- Keep a disclosure log when required and review it periodically for accuracy.
Manage vendors and partners
- For student data systems, use FERPA’s school official framework with direct control over the vendor’s use and redisclosure.
- For clinic partners that are HIPAA Covered Entities, ensure appropriate data-sharing agreements and align on emergency and referral workflows.
Train, audit, and document
- Provide annual training on FERPA basics, Health and Safety Emergency criteria, and your district’s procedures.
- Run quick audits of access rights, paper file security, and consent completeness.
Conclusion
In everyday K–12 practice, FERPA—not HIPAA—governs student health information you maintain. HIPAA enters the picture when an outside Covered Entity is involved or when a school isn’t subject to FERPA and conducts Electronic Health Transactions. With clear consents, tight access controls, and Legal Counsel Guidance for edge cases, you can protect privacy while ensuring students get timely care.
FAQs
Does HIPAA apply to student health records managed by school nurses?
Usually no. Student health records you maintain as a school nurse are Education Records under FERPA, not HIPAA PHI. HIPAA may apply only when an outside Covered Entity (like a hospital-run clinic) holds the records or when a non-FERPA school qualifies as a HIPAA Covered Entity.
When does FERPA require parental consent for health information disclosure?
Consent is required for most disclosures of Personally Identifiable Information from education records to parties outside the school. You do not need consent for a Health and Safety Emergency, for school officials with a legitimate educational interest, for transfers to another school, for certain state-law-required reports, or for court orders following required notice.
How can school nurses share health information with healthcare providers legally?
From the school to a provider, obtain a FERPA-compliant consent unless an emergency or school-official exception applies. From a provider to you, HIPAA permits Treatment Disclosure without patient authorization; once you receive it, treat the information as a FERPA education record.
What should school nurses do if state laws conflict with FERPA or HIPAA?
Apply the more protective rule where possible and follow clear state mandates for reporting. If duties truly conflict, pause disclosure, document the issue, and seek Legal Counsel Guidance to determine a defensible path that prioritizes student safety and privacy.