HIPAA vs. FERPA: What’s the Difference and When Each Law Applies

Kevin Henry

February 23, 2026

FERPA Overview and Scope

FERPA safeguards education records privacy at schools and districts that receive U.S. Department of Education funds. It governs how you collect, store, use, and disclose student records maintained by the institution or a party acting for it.

What counts as an education record

  • Records directly related to a student and maintained by the school, including most K–12 nurse or clinic files kept by the school.
  • At the postsecondary level, “treatment records” kept by a campus clinician solely for treatment are excluded from education records but remain regulated by FERPA (not HIPAA) unless disclosed beyond treatment.
  • “Directory information” (for example, a team roster) may be released unless the parent or eligible student opts out.

Access based on legitimate educational interests

School officials may access records without consent when they have legitimate educational interests—meaning they need the information to perform school duties. Other disclosures usually require prior written consent, with a narrow health or safety emergency exception.

HIPAA Overview and Scope

HIPAA’s Privacy Rule protects protected health information held by covered entities—health plans, health care clearinghouses, and most health care providers that conduct standard electronic transactions. It sets rules for use, disclosure, and patient access to PHI.

Core HIPAA standards you should know

  • Use and disclosure of PHI generally requires the individual’s written authorization unless permitted for treatment, payment, or health care operations.
  • Minimum necessary: disclose only what’s needed for the purpose, except for treatment where broader sharing is allowed.
  • Emergency disclosure provisions allow disclosure to prevent or lessen a serious and imminent threat to health or safety.
  • HIPAA expressly excludes FERPA-covered education records and FERPA treatment records from the definition of PHI.

Intersection of FERPA and HIPAA

The key question is who maintains the record and for what purpose. If a record is an education record (or a FERPA treatment record), FERPA applies and HIPAA does not. If a record is created and kept by a separate health care provider unaffiliated with the school, HIPAA applies.

How school-based health centers fit

School-based health centers operated by external providers are usually HIPAA covered entities for their own charts. If those providers share information with the school for non-treatment purposes, the shared copy becomes an education record subject to FERPA, while the provider’s original chart remains PHI under HIPAA.

When a clinic is part of the school

If the clinic is run by the school or a party acting for it, student health files are education records under FERPA. You treat them like other student records and apply FERPA’s consent rules and emergency exceptions, not HIPAA.

Disclosure of Information under Each Law

FERPA disclosure rules

  • Parental or eligible student consent is the default for releasing personally identifiable information.
  • No consent is required for: school officials with legitimate educational interests; transfers to another school; audits and evaluations; health or safety emergencies; court orders or subpoenas; and properly designated directory information.
  • Disclose only what is necessary, document your rationale, and notify parents or eligible students when required.

HIPAA disclosure rules

  • No written authorization is required for treatment, payment, and health care operations.
  • Disclosures without authorization are also allowed when required by law, for public health purposes, and under emergency disclosure provisions to prevent or lessen a serious and imminent threat.
  • For minors, a parent is typically the personal representative with access rights, subject to state minor-consent laws and safety exceptions.

Under FERPA

Parents may inspect and review their child’s education records until the student turns 18 or attends a postsecondary institution, at which point rights transfer to the eligible student. Schools may still inform parents without consent in limited situations, such as a health or safety emergency or when the student is a tax dependent under federal law.

Under HIPAA

Parents generally control access to a minor’s protected health information as personal representatives. However, when state law lets a minor consent to care (for example, certain reproductive or mental health services), or when a provider believes parental involvement could endanger the minor, HIPAA may allow or require limiting parental access.

Applicability in Postsecondary Institutions

In colleges and universities, FERPA governs most student records. Health or counseling notes kept solely for treatment are FERPA treatment records, not PHI, and can be shared only with other treatment providers unless the student authorizes broader disclosure. If a university clinic also treats non-students, those non-student records are typically HIPAA-regulated PHI.

Practical takeaways for campuses

  • Student records: FERPA applies, including treatment records kept by campus clinicians solely for treatment.
  • Non-student records: HIPAA usually applies when services are delivered by a covered entity clinic.
  • Once treatment records are disclosed outside treatment, they generally become education records subject to FERPA’s rules.

Compliance Challenges and Best Practices

Common challenges

  • Distinguishing education records, FERPA treatment records, and PHI when services are integrated across departments and school-based health centers.
  • Reconciling HIPAA’s minimum necessary standard with FERPA’s legitimate educational interests during multidisciplinary case management.
  • Managing emergency disclosure provisions consistently and documenting judgments made under pressure.
  • Navigating state minor-consent rules that affect parental access expectations.

Best practices you can implement

  • Map data flows and label repositories as FERPA, FERPA treatment record, or HIPAA PHI; maintain separate charts where feasible.
  • Adopt role-based access aligned to legitimate educational interests for FERPA and minimum necessary for HIPAA.
  • Use clear consent and written authorization templates for routine, cross-entity sharing; refresh them on a defined schedule.
  • Execute MOUs with external providers; use business associate agreements only when HIPAA actually applies.
  • Train staff with scenario-based drills (routine referrals, crises, parent requests) and keep an auditable log of disclosures and emergency decisions.

Conclusion

Whether HIPAA or FERPA applies depends on who maintains the record and the purpose of disclosure. By classifying records, clarifying roles, and standardizing consent and emergency workflows, you can protect students’ information while enabling timely care and support.

FAQs

When does FERPA apply instead of HIPAA?

FERPA applies when the information is an education record maintained by a school or district receiving Department of Education funds, or a FERPA treatment record kept solely for treatment by campus clinicians. In those cases, HIPAA’s rules for protected health information do not apply to the student record.

How do school-based health centers comply with both laws?

If an external provider operates the center, the clinic’s charts are HIPAA PHI; the school’s copy of any shared information becomes a FERPA education record. Use separate systems, define what can be shared, and rely on written authorization for routine non-emergency exchanges beyond treatment.

What are the parental rights under FERPA versus HIPAA?

Under FERPA, parents control access to education records until the student turns 18 or attends college, when rights transfer to the student. Under HIPAA, parents usually act as the minor’s personal representative for PHI, except where state law allows the minor to consent to care or where disclosure could jeopardize the minor’s safety.

Yes. FERPA allows disclosure without consent to address a health or safety emergency, and HIPAA permits disclosures to prevent or lessen a serious and imminent threat. Share only what is necessary, and document the emergency disclosure provisions and your rationale.
