FERPA vs. HIPAA: School Clinics and Health Records
How FERPA and HIPAA divide responsibility over student health records, where the two laws overlap, and what school-based health clinics and private school providers need to know about which law governs their records.
Short answer
FERPA and HIPAA share an explicit boundary: health records that are education records under FERPA are excluded from HIPAA's Privacy Rule. A school that employs nurses or operates an on-campus health clinic is typically covered by FERPA for those records, not HIPAA. But private healthcare providers who serve students outside the school system — pediatricians, community health clinics, and school-based health centers operating under a separate healthcare entity — are still covered entities under HIPAA. The boundary is narrower and more consequential than many assume.
FERPA and HIPAA both protect health-related information about individuals, but they divide that responsibility along institutional lines rather than by information type. The distinction matters for school-based health providers, pediatric practices, and community clinics that work with minors or operate within or adjacent to school systems.
How the boundary is drawn
The HIPAA Privacy Rule at 45 CFR 160.103 defines protected health information to exclude education records covered by the Family Educational Rights and Privacy Act (FERPA) and treatment records of students at postsecondary institutions. This is a deliberate carve-out: Congress decided that student records governed by FERPA should not also be subject to HIPAA, to avoid dual regulatory burdens and conflicting requirements.
The result is a framework where the institution’s character determines which law applies, not the type of health information itself.
When FERPA governs health records
A school — K-12 or higher education — that receives federal funding is subject to FERPA for records it directly maintains about students. If that school employs a nurse and the nurse maintains health records accessible only to personnel with a legitimate educational interest, those records are education records under FERPA.
The FERPA definition of “education records” excludes records that are made by physicians, psychiatrists, or psychologists solely in connection with the treatment of a student and disclosed only to the treating professional. These are called “treatment records” under 34 CFR 99.3 and are not education records even if maintained on school premises. They are also not HIPAA-covered because FERPA treatment records are a separate category — the student or their chosen professional can access them, but they fall outside both regimes in a narrow way.
When HIPAA governs health records in school settings
A healthcare entity that provides services to students — but is not the school itself — is typically a HIPAA covered entity for the records it creates. Examples:
- A federally qualified health center operating a school-based health center under a contract with the school district maintains its own records and is subject to HIPAA, not FERPA, for those records.
- A pediatric practice that receives referrals from a school is a HIPAA covered entity for all its patient records, whether or not those patients are students.
- A community health clinic that provides immunizations to students on school grounds, but operates under its own entity structure, maintains HIPAA-covered records.
In each case, the records belong to the healthcare provider, not the school. FERPA does not reach records maintained by entities that are not educational agencies or institutions.
The joint guidance framework
HHS OCR and the U.S. Department of Education published joint guidance on the application of FERPA and HIPAA to student health records. The original joint guidance was published in November 2008. Updated joint guidance clarifying scenarios involving school-based health centers was published in 2019. The guidance explains the FERPA exclusion in the HIPAA rule, describes scenarios where each law applies, and addresses circumstances where records may shift between the two frameworks.
The joint guidance confirms: if a student’s health information is an education record at the school, FERPA governs. If that same information is also in a healthcare provider’s treatment records, HIPAA governs the provider’s copy.
Records shared across the boundary
Complications arise when records move between the FERPA and HIPAA worlds. Suppose a school shares a student’s education records with a treating physician under a FERPA consent or emergency exception, and the physician then maintains those records as part of the patient’s treatment file. The physician’s record is now HIPAA-governed, while the school’s original copy remains FERPA-governed.
Disclosure back to the school — for example, a physician sending a return-to-activity letter — requires HIPAA authorization from the patient or their parent (if the patient is a minor), unless a HIPAA exception applies.
For school-based health clinics operating as separate entities
If your clinic operates in a school setting but is organized as an independent healthcare entity with its own EHR, billing function, and staff, you are almost certainly a HIPAA covered entity. Your patients happen to be students, but your records are not education records. You need:
- A Notice of Privacy Practices.
- Business associate agreements with any vendors you use.
- HIPAA-compliant authorization forms for disclosures outside treatment, payment, and healthcare operations.
- A documented process for handling parental consent for minors and for recognizing when a minor’s rights transfer to the student.
Sources
- HIPAA and FERPA: Protecting the Privacy of Students' Health Information · HHS OCR
- 45 CFR 160.103 — HIPAA Exclusion for Education Records · eCFR
- 20 U.S.C. 1232g — Family Educational Rights and Privacy Act · Cornell LII
- 34 CFR Part 99 — FERPA Regulations · eCFR
- Joint Guidance on FERPA and HIPAA · U.S. Department of Education