HIPAA Software for School-Based Health Centers
How school-based health centers should navigate HIPAA and FERPA dual compliance, minor patient authorization, and compliance program management.
What matters for this use case
School-based health centers operate at the intersection of HIPAA and FERPA. The two frameworks apply to different records, and staff must understand which governs which. Compliance work in this setting requires clarity about jurisdiction, not just good intentions.
What makes school-based health centers different
School-based health centers provide clinical care inside an educational institution. That creates a compliance environment that no other outpatient setting faces: two federal privacy frameworks — HIPAA and FERPA — apply simultaneously, and the boundary between them is not always obvious.
FERPA covers education records. HIPAA covers health records maintained by covered entities. When a school nurse maintains immunization records or health screening results as part of a student’s cumulative education record, FERPA governs those records. When a school-based health center operating as a covered entity maintains separate clinical records — visit notes, diagnoses, treatment plans — for that same student, HIPAA may govern those records instead.
The practical challenge is that staff at a school-based health center often do not draw this distinction instinctively. A nurse who trained in a hospital or outpatient clinic knows HIPAA. They may not know FERPA. And a school administrator who is accustomed to FERPA-governed access to student records may not understand why the health center operates differently. Getting both right requires explicit policy, staff training that addresses both frameworks, and clear documentation about which records fall under which law.
What the software should make easier
- Tracking annual compliance training that addresses both HIPAA and FERPA, by staff role
- Documenting authorization status for minor patients — particularly for care categories where state law permits minors to consent independently
- Managing BAA inventory for vendors who access PHI from the health center’s separately maintained clinical records
- Recording incident documentation for potential privacy events, with enough detail to support a breach determination
- Assigning policy review obligations on a schedule so HIPAA and FERPA policy documents stay current as HHS guidance and state law evolve
- Maintaining clear records of which staff have access to which record types, supporting the minimum-necessary standard under HIPAA
The FERPA-HIPAA boundary in practice
HHS and the Department of Education issued joint guidance clarifying how FERPA and HIPAA interact in school settings. The key determination is whether a health record is an “education record” under FERPA.
If the record meets FERPA’s definition — maintained by the school and directly related to a student — FERPA controls. HIPAA’s Privacy Rule explicitly excludes from its scope records that are subject to FERPA. That means a school nurse who maintains student immunization records as part of the education record is operating under FERPA, not HIPAA, for those records.
But if the school-based health center maintains clinical records separately — its own chart system, separate from the school’s student information system — those records may qualify as health records of a covered entity, governed by HIPAA.
The implication for compliance programs: policies and training must address both scenarios. Staff cannot assume HIPAA always applies, or that FERPA always applies. The right answer depends on how the records are maintained and by whom.
Minor consent and record control
Many states permit minors to consent to specific categories of care without parental authorization. Common categories include contraception services, STI testing and treatment, mental health counseling, and substance use treatment. The specific categories and age thresholds vary by state.
When a minor lawfully consents to care under state law, HIPAA’s Privacy Rule generally recognizes the minor as having the right to control those health records — including the right to restrict disclosure to parents or guardians. The parent or guardian does not automatically have access to those records simply because the patient is a minor.
This creates a specific compliance challenge for school-based health centers. The setting makes parental involvement feel natural and expected. But for records of care the minor accessed independently under state law, disclosure to a parent without the minor’s authorization may violate HIPAA.
Staff must understand this before they field a parent’s request for their child’s health records. The right response requires knowing what law governs, what care was provided, whether the minor consented independently, and what the specific state’s rules require.
Where PHIGuard fits
School-based health centers need compliance software that handles the operational layer without requiring a compliance officer on staff. Most operate as part of a community health network, a federally qualified health center, or a hospital-sponsored program — with limited administrative capacity at the school site itself.
PHIGuard addresses the recurring compliance work that must happen regardless of administrative capacity:
- Training assignment and tracking by role, with records that show who completed what and when. In a school health center, training must cover both HIPAA and the relevant FERPA provisions for staff who interact with education records.
- Policy documentation and review scheduling so the clinic can demonstrate it maintains current policies, not just that it had policies at some point in the past.
- BAA management for any vendor handling PHI from the separately maintained clinical records — EHR vendors, billing processors, lab vendors.
- Incident documentation that captures the who, what, and when of any potential privacy event with enough structured detail to support a breach risk assessment.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.