Patient Privacy and Student Access to Medical Records: HIPAA Rules and Best Practices
Overview of HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards for protecting Protected Health Information and gives individuals enforceable rights over how their data is used and shared. It governs covered entities—health plans, most health care providers that bill electronically, and health care clearinghouses—plus their business associates.
Privacy Rule Coverage includes the right to access and obtain copies of your records, request corrections, receive an accounting of certain disclosures, and ask for restrictions. HIPAA also permits disclosures without authorization for treatment, payment, and health care operations, as well as when required by law or to avert a serious threat to health or safety.
When you request copies from a HIPAA-covered provider, the provider may charge Reasonable Fees for Record Copies limited to actual labor, supplies, and postage. They must provide the records in the requested form and format if readily producible and respond within set deadlines.
FERPA Protections for Educational Records
FERPA protects Student Educational Records maintained by schools that receive U.S. Department of Education funds. Parents have rights for K–12 students; at age 18 or when a student attends postsecondary education, these rights transfer to the student (the “eligible student”).
Under FERPA, you have Records Inspection Rights to review education records within a reasonable time frame and to request corrections of inaccurate or misleading information. Schools generally need written consent before releasing personally identifiable information from education records, subject to defined exceptions.
Key FERPA concepts include legitimate educational interest for school officials, the option to designate limited “directory information,” and detailed record-keeping by schools about non-consensual disclosures.
Distinction Between Student Health Records and Medical Records
Student health records kept by a school nurse, athletic trainer, or campus clinic that is part of the school are usually FERPA records, not HIPAA records. That means HIPAA’s Privacy Rule often does not apply directly to those documents, even though they contain health information.
Medical records held by outside health care providers remain Protected Health Information under HIPAA. Privacy Rule Coverage therefore depends on who maintains the records and for what purpose.
Common scenarios
- K–12 public school nurse files: typically FERPA education records.
- University counseling center notes used only for treatment: FERPA “treatment records” with special handling.
- Hospital-run clinic not part of the school: HIPAA applies to those patient records.
- School-based clinic that serves both students and non-students: student records are FERPA; non-student records are HIPAA.
Conditions for Accessing Student Health Records
If the records are FERPA-covered, parents (for minors) or eligible students can inspect and review them. Schools must provide access within a reasonable period and cannot charge fees to search or retrieve records; however, they may charge Reasonable Fees for Record Copies if you request duplicates.
For postsecondary “treatment records,” schools may allow access through a treating clinician or convert them to education records upon request, at which point standard Records Inspection Rights apply. Verify whether the document you want is an education record or a treatment record.
How to request access
- Identify the record holder (school health office, registrar, or outside provider).
- Submit a written request that specifies the records sought and preferred format.
- Provide proof of identity and, if applicable, evidence of parental status or dependency.
- Ask about timelines and any permissible copying fees in advance.
Rules for Disclosure of Student Health Information
Under FERPA, written consent is the default for releasing personally identifiable information from Student Educational Records. Schools may disclose without consent in defined situations, sharing only the information necessary for the purpose.
FERPA non-consensual disclosures
- Health and Safety Emergency Disclosure when there is an articulable and significant threat to health or safety.
- To school officials with legitimate educational interest or to another school where the student seeks to enroll.
- For audits, evaluations, financial aid administration, or accrediting activities.
- Legal Compliance Disclosure in response to a lawfully issued subpoena or court order (with required notice, when applicable).
- To parents of dependent students under the tax code and in certain discipline or substance-use circumstances allowed by law.
HIPAA-permitted disclosures (when HIPAA applies)
- For treatment, payment, and health care operations without written authorization.
- When required by law, to public health authorities, or to prevent a serious and imminent threat to health or safety.
- Subject to the minimum necessary standard for most disclosures other than treatment.
Handling and Disclosure of Immunization Records
Schools frequently must document student immunizations to comply with state and local requirements. When a health care provider is asked to share proof of shots with a school, HIPAA permits disclosure with the parent’s or eligible student’s agreement if state or other law authorizes the school to receive it.
Once immunization documentation is maintained by the school, it is a FERPA education record. The school may disclose it without consent only as FERPA allows, such as a Health and Safety Emergency Disclosure or a Legal Compliance Disclosure required by public health law.
Best practices for immunization documentation
- Confirm legal authority and the recipient’s role before sending any record.
- Capture consent or agreement in writing or according to applicable rules and retain it with the file.
- Share only what is necessary (vaccine name, dates, and required identifiers).
- Transmit securely and maintain clear logs of requests and disclosures.
- Align retention schedules with state immunization and school record requirements.
Interactions Between FERPA and HIPAA
FERPA and HIPAA are designed to avoid overlap. If a record is a FERPA education or treatment record, HIPAA generally does not apply to that record. If a record is held by a HIPAA-covered provider who is not part of the school, HIPAA governs it as Protected Health Information.
Quick mapping
- K–12 public schools: student health records are under FERPA; HIPAA does not cover those records.
- Private schools without federal education funds: FERPA may not apply; HIPAA may govern if a clinic is a covered entity.
- University health services: student records are FERPA; services to non-students may create HIPAA records.
- School-based telehealth operated by an outside provider: HIPAA for the provider’s records; FERPA for any copies held by the school.
Conclusion
Determine who holds the record and why it is kept to know whether FERPA or HIPAA applies. Use consent as the default, rely on narrow exceptions like Health and Safety Emergency Disclosure or Legal Compliance Disclosure only when justified, and honor Records Inspection Rights while charging only Reasonable Fees for Record Copies. Clear roles, minimal data sharing, and secure handling keep you compliant and protect student privacy.
FAQs
What rights do students have under HIPAA regarding their medical records?
When seen by a HIPAA-covered provider that is not part of the school, you have the right to access, receive copies in a usable format, request corrections, and get an accounting of certain disclosures. Providers may charge Reasonable Fees for Record Copies but cannot charge to search or retrieve.
How does FERPA affect access to student health records?
FERPA treats most student health files held by the school as Student Educational Records. Parents (for minors) or eligible students can inspect and review them and request corrections. Consent is generally required for disclosures unless a FERPA exception applies.
When can schools disclose student health information without consent?
Schools may disclose without consent for a Health and Safety Emergency Disclosure, to school officials with legitimate educational interest, to another school for enrollment, for audits or evaluations, for certain discipline notifications, and through Legal Compliance Disclosure such as a court order or applicable public health mandate.
What are the best practices for handling immunization records?
Verify legal authority, obtain and document permission when required, disclose only the minimum data needed, use secure transmission, and keep accurate logs and retention schedules. Treat records held by the school as FERPA-protected and follow permitted disclosure routes only when necessary.