How School Nurses Handle HIPAA and FERPA: A Practical Guide to Student Health Privacy
FERPA Applicability to School Health Records
In most K–12 settings, student health information kept by a school nurse is part of the student’s education record and is governed by FERPA. Because the records are maintained by the school or district, they fall under education records confidentiality rather than HIPAA. This includes nursing notes, clinic logs, medication administration records, immunization documentation received and stored by the school, and Individualized Healthcare Plans or emergency action plans.
FERPA permits disclosure of these records without parental consent to school officials with a legitimate educational interest, meaning staff who need the information to carry out their professional duties. Restrict viewing to the minimum needed to support the student's learning, safety, and participation in school; a teacher who needs to know about a seizure action plan does not need the full clinic history.
Remember that FERPA’s “treatment record” category mainly applies to eligible students in postsecondary institutions. In K–12, parents retain access to health records, which keeps these documents within FERPA’s education record framework.
In emergencies, FERPA permits disclosure without consent when it is necessary to protect the health or safety of the student or others, based on an articulable and significant threat. Record in the student's education record the specific threat, to whom you disclosed, what you shared, and why the disclosure was warranted; that written basis is what demonstrates student health record compliance if the decision is later questioned.
HIPAA Applicability in School Settings
HIPAA applies to covered entities: healthcare providers who transmit health information electronically in connection with standard transactions (such as billing), health plans, and clearinghouses. A school nurse employed by a school or district typically is not handling HIPAA protected health information when working with student health files, because HIPAA's definition of PHI expressly excludes education records covered by FERPA. This holds even when the district itself is a covered entity for some other activity, such as electronic Medicaid billing.
HIPAA can apply when a school-based health clinic is operated by an outside hospital or medical practice that bills electronically. In that case, the clinic’s patient records are HIPAA PHI while held by the clinic. If the clinic shares information with the school for inclusion in the student’s file, that copy becomes a FERPA education record inside the school’s system.
When HIPAA does apply (for example, in an external clinic on campus), you must follow the HIPAA Privacy and Security Rules, including safeguards for electronic health information transmission, role-based access, and breach response. Disclosures from a HIPAA entity to the school usually require a signed HIPAA authorization from a parent or eligible student, except for limited circumstances such as proof of immunization or health and safety emergencies that HIPAA itself permits.
Information Sharing Guidelines Under FERPA
Under FERPA, you may share student health information without prior consent only under defined exceptions. The most common for school nurses are:
- School officials with a legitimate educational interest who need information to carry out professional responsibilities.
- Health or safety emergencies, where disclosure is necessary to protect the health or safety of the student or others in light of an articulable and significant threat.
- Transfers to another school in which the student seeks or intends to enroll.
- Compliance with a judicial order or lawfully issued subpoena (with required notices, unless an exception applies).
Outside these exceptions, obtain written consent that specifies what will be shared, with whom, and for what purpose. Apply data minimization: disclose only what is necessary. FERPA also requires the school to keep a record of each request for and disclosure of information from the education record (disclosures to school officials, to parents, and under a few other exceptions are exempt from this requirement), so maintain logs or notations of non-consensual disclosures to support education records confidentiality and audit readiness.
Information Sharing Guidelines Under HIPAA
If you work within or alongside a HIPAA-covered clinic, information may be shared without authorization for treatment, payment, and healthcare operations. The minimum necessary standard applies to most uses and disclosures other than treatment. Disclosures to public health authorities (for reportable conditions, immunizations, or outbreaks) are permitted by law.
Sharing from a HIPAA entity to a FERPA-covered school generally requires parent or eligible student authorization. HIPAA also permits a provider to send proof of required immunizations to a school with a parent's agreement, which may be oral or written but must be documented, when state law requires the school to have that documentation before admitting the student. For urgent threats, HIPAA allows disclosures to prevent or lessen a serious and imminent danger to a person or the public.
When exchanging records between a HIPAA clinic and the school, clearly separate the HIPAA-designated records from FERPA education records once they enter the school environment. Confirm whether vendor relationships require a business associate agreement on the HIPAA side or a school official/data-sharing agreement on the FERPA side.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Parental Rights and Record Access
Under FERPA, parents have robust parental access rights to inspect and review their child's education records, including health records maintained by the school. Schools must provide access within a reasonable period and no later than 45 days after the request (some states set shorter deadlines), and must offer a process to request amendment of records the parent believes are inaccurate or misleading.
At age 18 or upon enrollment in postsecondary education, rights transfer to the student (the “eligible student”). Until that transfer in K–12, parents generally control consent for disclosures under FERPA’s rules.
Under HIPAA, parents typically act as a minor’s personal representative and may access protected health information, except where state law allows minors to consent to specific services independently, where a court has assigned someone else, or where access could endanger the minor. Always align your approach with both FERPA and any applicable HIPAA provisions when external providers are involved.
Impact of State Laws on Privacy Compliance
State confidentiality statutes can be more protective than federal rules and will shape how you handle sensitive services, consent, and disclosure. Many states provide minors with confidentiality for certain services, such as mental health counseling, reproductive healthcare, HIV/STD testing, sexual assault care, or substance use treatment. In those cases, parent access may be limited by law even in school contexts.
States also set retention schedules, breach notification duties, and requirements for electronic health information transmission (for example, encryption standards or participation in immunization registries). Mandated reporting laws for abuse or neglect may require disclosure irrespective of consent; document the legal basis and limit what you share to the required scope.
Build a state-by-state matrix with counsel to clarify consent ages, protected topics, and disclosure pathways so your team can act quickly and correctly during routine operations and emergencies.
Best Practices for Record Maintenance
Strong practices make compliance practical and sustainable. Focus on these essentials:
- Governance and access: designate a records custodian; define who qualifies as a school official with legitimate educational interest; use role-based permissions and audit trails.
- Segregation and minimization: keep health records distinct from discipline files; store only necessary data; de-identify or aggregate when possible for program evaluation.
- Secure technology: use approved systems for electronic health information transmission; avoid unencrypted email or texting; encrypt devices; enable remote wipe; back up securely.
- Documentation: standardize consent forms, emergency disclosure notes, and release logs; record the legal basis for any non-consensual disclosure.
- Vendors and interoperability: confirm whether relationships require HIPAA business associate terms or FERPA-compliant school official agreements; ensure data mapping when records move between HIPAA and FERPA systems.
- Training and drills: provide annual, role-specific training on education records confidentiality, protected health information, and state confidentiality statutes; rehearse emergency information-sharing scenarios.
- Lifecycle management: follow state retention schedules; purge or archive records securely; prepare subpoena response workflows with counsel before you need them.
In summary, treat school-maintained health files as FERPA education records, apply HIPAA only where a covered clinical provider is involved, share the minimum necessary with those who have a legitimate educational interest, and anchor decisions in applicable state laws. This balanced approach keeps students safe while upholding privacy and student health record compliance.
FAQs
What records do school nurses maintain under FERPA?
Typical FERPA education records include clinic visit logs, nursing assessments and care notes, medication administration records, immunization documentation maintained by the school, screening results, and health plans (for example, IHPs and emergency action plans). When these records are kept by the school or district, they are not HIPAA PHI; they are FERPA education records subject to education records confidentiality.
How does HIPAA apply to school health providers?
HIPAA applies when a healthcare provider is a covered entity (for example, a hospital-run clinic on campus that bills electronically). The clinic’s records are protected health information while held by the clinic. Once health information is shared with and maintained by the school, that copy becomes a FERPA education record. School-employed nurses typically operate under FERPA, not HIPAA, for student files.
When can school nurses share student health information without consent?
Under FERPA, you may disclose without consent to school officials with a legitimate educational interest, during a bona fide health or safety emergency involving an articulable and significant threat, to a receiving school when a student transfers, to comply with a court order or subpoena (with required notices), and as otherwise permitted by the FERPA exceptions. Always disclose the minimum necessary, document the reason, and align with state rules that may further limit or direct sharing.
What additional protections do state laws provide for student health records?
State confidentiality statutes can restrict disclosures and expand minors’ control over certain services (such as mental health, reproductive health, HIV/STD care, and substance use treatment). States also dictate retention timeframes, breach notifications, and technical safeguards for electronic health information transmission. These rules can narrow parental access rights in defined circumstances and must be layered on top of FERPA and any applicable HIPAA obligations.