HIPAA Violations School Nurses Should Know About (and How to Avoid Them)

Kevin Henry

HIPAA

February 12, 2026

HIPAA Applicability to School Nurses

As a school nurse, you navigate two privacy regimes: the HIPAA Privacy Rule and FERPA. Most K–12 student health records maintained by a school or district fall under FERPA, not HIPAA. HIPAA’s rules apply when you provide care as part of a HIPAA‑covered entity (for example, a hospital- or health department–run school-based health center that conducts standard electronic transactions).

When HIPAA applies, Protected Health Information (PHI) includes any individually identifiable health data you create, receive, store, or transmit. Common HIPAA violations in these settings include sharing PHI with staff who are not involved in treatment, using unsecured messaging, leaving charts visible, or disclosing more than the “minimum necessary” for non‑treatment purposes.

When HIPAA typically does not apply

If you are employed by a public school or district and keep student health information in school files, those records are governed by FERPA. Even if outside providers send you PHI, once it is maintained by the school for the student, it becomes part of the education record and is handled under FERPA rules rather than HIPAA.

Dual‑hat scenarios

Some nurses work both in a school role (FERPA) and in a clinic on campus (HIPAA). Keep the record sets, workflows, and access controls separate. Apply HIPAA to clinic records and FERPA to school records to preserve student health record confidentiality and avoid cross‑contamination of data or policy.

FERPA and Student Health Records

FERPA governs education records, including most student health records kept by a school nurse. Within the school, you may share information only with school officials who have a legitimate educational interest. Disclosures outside the school generally require written consent from a parent or eligible student, unless a specific FERPA exception applies (for example, a health or safety emergency).

FERPA recognizes “treatment records,” created or maintained by a physician, nurse, or other recognized professional, used only for treatment. If these are disclosed beyond treatment, they become education records and are subject to standard FERPA access and consent rules.

Key takeaways for school nurses

  • Do not label health information as “directory information.” Health details are never directory information under FERPA.
  • Document the basis for any emergency disclosure and limit it to what is necessary to address the threat.
  • Remember: education records and FERPA treatment records are excluded from HIPAA’s PHI definition, but you still must protect confidentiality under FERPA.

Disclosure of PHI to School Nurses

HIPAA‑covered providers may disclose PHI to a school nurse for treatment purposes without a signed authorization. Typical examples include medication orders, care plans for chronic conditions, allergy or asthma action plans, and post‑discharge instructions. The “minimum necessary” standard does not apply to disclosures for treatment, but it does apply to payment and health care operations.

Common disclosure pathways

  • Permitted for treatment: A pediatrician sends a seizure action plan to you so you can implement it at school.
  • Permitted with parent/student agreement: Proof of immunization may be shared with a school based on a parent’s or eligible student’s oral or written agreement; keep a note of the agreement.
  • Requires authorization: Non‑treatment disclosures (for example, to a news outlet, coach unaffiliated with care, or a community organization) need a HIPAA authorization when HIPAA applies.

Avoiding violations during handoffs

  • Verify identity before accepting or releasing PHI by phone or email.
  • Use secure fax or encrypted messaging where available; avoid personal devices for PHI.
  • Once PHI is filed in the school record, manage it under FERPA rules and your district’s policies.

Sharing Mental Health Information

Sharing mental health information follows the same HIPAA framework: you may exchange information for treatment, care coordination, or referral. Psychotherapy notes—a therapist’s separate, personal notes from counseling sessions—receive extra protection and generally require a specific authorization to disclose.

When the patient is a minor, parent access under HIPAA depends on state law and circumstances (for example, when a minor may consent to care, or when disclosure to a parent could endanger the minor). If the information is part of the school’s FERPA record, you typically need parent consent to share it outside the school unless a FERPA exception applies.

Practical guardrails

  • Share the minimum necessary for non‑treatment purposes and only with individuals involved in the student’s care or safety.
  • For threat assessment or imminent risk, disclose necessary details to appropriate parties to prevent or lessen harm; document the rationale and recipients.
  • Segregate psychotherapy notes from general medical or counseling records when you operate in a HIPAA‑covered clinic.

Confidentiality and State Laws

State confidentiality laws can be more protective than HIPAA and will control where they are more stringent. Many states grant minors confidentiality for specific services, such as mental health counseling, reproductive health, STI/HIV services, or substance use treatment. Separate federal rules (for example, 42 CFR Part 2 for substance use disorder programs) may also require heightened protections and consent before redisclosure.

Build school nurse compliance procedures that account for these stricter rules. Map which services in your state allow minors to consent, what information parents can access, and when you must obtain explicit written authorization before sharing.

Action steps

  • Create a quick‑reference matrix of state minor‑consent laws and apply the most protective rule when in doubt.
  • Flag records subject to heightened protections to prevent accidental redisclosure.
  • Train staff annually on FERPA, HIPAA, and state‑specific privacy requirements.

Maintaining Confidentiality

Strong habits prevent both HIPAA and FERPA violations. Use role‑based access, keep conversations private, and apply the minimum necessary principle for non‑treatment uses. Standardize forms for consent, authorization, and revocation, and maintain a clear log of disclosures made under emergency or legal exceptions.

Everyday practices

  • Store paper files in locked cabinets; log out of electronic systems and position screens away from public view.
  • Use official, secure communication channels; avoid personal email, texting, and cloud storage for student information.
  • Verify identity before sharing information, especially with outside providers or new guardians.
  • Keep FERPA and HIPAA records separate when you serve in both capacities.

High‑risk scenarios and safeguards

  • Field trips and athletics: distribute only need‑to‑know details to supervising staff, not full health records.
  • Substitutes and volunteers: provide brief, purpose‑limited instructions without diagnoses whenever possible.
  • Emergencies: share promptly with responders what they need to treat or protect safety; document after the event.

Conclusion

Most school nurse records are FERPA‑protected, while HIPAA governs records held by school‑based clinics or outside providers. Know which rule applies, restrict access to those who need to know, secure every channel you use, and document decisions. These steps minimize HIPAA violations, uphold student health record confidentiality, and strengthen school nurse compliance.

FAQs

When does HIPAA apply to school nurses?

HIPAA applies when you provide care as part of a HIPAA‑covered entity—commonly a hospital, community clinic, or health department that runs a school-based health center and conducts standard electronic transactions. In that clinic context, your records are PHI and HIPAA rules govern them. Health records you maintain for the school itself are typically subject to FERPA, not HIPAA.

How does FERPA differ from HIPAA for student health records?

FERPA protects education records, including most health records kept by a school nurse. It allows sharing within the school only with officials who have a legitimate educational interest and generally requires parent or eligible student consent for outside disclosures. HIPAA protects PHI held by covered entities and permits broader treatment‑related exchanges between providers. Education records covered by FERPA are excluded from HIPAA’s PHI.

What are the rules for sharing mental health information under HIPAA?

Under HIPAA, you may share mental health information for treatment, care coordination, or to prevent or lessen a serious and imminent threat. Psychotherapy notes receive extra protection and usually require a specific authorization to disclose. Parent access to a minor’s information depends on state law and circumstances. If the record is maintained by the school, FERPA rules govern sharing outside the school.

How can school nurses maintain confidentiality of student health information?

Identify whether HIPAA or FERPA applies, limit disclosure to those who need to know, and secure records at rest and in transit. Use encrypted or approved channels, separate clinic and school records, verify identities before sharing, obtain required consents or authorizations, and document emergency disclosures. Regular training and audits help sustain compliance with both federal rules and stricter state laws.