When HIPAA Doesn't Apply: The Education Records Exception You Need to Know About
Here's a scenario that plays out more often than you'd think: a college student asks their school's health center for a copy of their medical records, expecting HIPAA to give them the same privacy protections they'd get at a doctor's office off-campus. Or a parent assumes their child's school health file is covered by the same federal law that protects their own medical information at the hospital.
Here's the thing — it's not. HIPAA excludes information considered education records, and this gap catches a lot of people off guard.
What HIPAA Actually Covers (And What It Doesn't)
HIPAA, the Health Insurance Portability and Accountability Act, is the federal law most people think of when they hear "medical privacy." It sets national standards for protecting individually identifiable health information and applies to what the law calls "covered entities" — health plans, health care clearinghouses, and health care providers who transmit health information electronically.
So far, so good. But here's where it gets tricky.
The law explicitly excludes certain categories of information from HIPAA's reach. One of the most significant exclusions? Education records protected under FERPA, the Family Educational Rights and Privacy Act.
What FERPA Covers Instead
FERPA is the other major federal student privacy law, and it's the one that actually applies to most school health information. It protects "education records" — which includes anything directly related to a student and maintained by the school or by someone acting on the school's behalf.
This covers:
- Grade reports and transcripts
- Class schedules
- Disciplinary records
- Health records maintained by the school (including immunization records, medication logs, and health office visit notes)
- Counseling records
- Special education files
So when a school nurse documents that a student was seen for asthma symptoms, that note lives in an education record — not a medical record subject to HIPAA.
The Overlap (And Where It Gets Confusing)
Now here's what trips people up: HIPAA does apply to some health information in educational settings. A hospital affiliated with a university might be covered by HIPAA. A private doctor's office that does sports physicals for students is definitely covered. The school itself, though? Generally not.
The key distinction is who maintains the record and for what purpose. If the school is keeping the information as part of its educational function — tracking vaccinations for school entry, managing accommodations under a 504 plan, or documenting visits to the school nurse — that's FERPA territory.
Why This Distinction Actually Matters
You might be thinking: "Okay, different law, same protection, right?" Not exactly. There are meaningful differences in what these laws require, and understanding them matters more than you might expect.
Access and Amendment Rights Differ
Under HIPAA, individuals have a clear, enforceable right to access their protected health information and request corrections. The process is well-defined, timelines are set, and there are regulatory consequences if covered entities don't comply.
FERPA gives parents (and eligible students over 18) the right to inspect and review education records, but the process can be less standardized. Schools have more flexibility in how they handle access requests, and the "right to amend" that exists under HIPAA is weaker under FERPA.
Disclosure Rules Vary
HIPAA has detailed requirements about when and how health information can be shared without patient authorization. There are specific exceptions, required safeguards, and minimum necessary standards.
FERPA has its own exceptions for disclosure — including to school officials with legitimate educational interest, for health and safety emergencies, and in some other limited situations — but the framework is different. Some disclosures that would require authorization under HIPAA might be permissible under FERPA's educational interest exception.
Enforcement Works Differently
HIPAA violations can bring significant penalties from the Department of Health and Human Services' Office for Civil Rights. FERPA enforcement is more limited — it doesn't have the same dependable complaint and penalty structure. Schools that mishandle education records face less clear-cut regulatory consequences.
How This Plays Out in Real Situations
Let's make this concrete. Here are a few scenarios where the HIPAA-FERPA distinction actually matters:
College health centers — Most college health centers are considered part of the educational institution, so their records are typically FERPA-protected. Students often assume HIPAA applies the same way it would at their hometown doctor's office. It doesn't work that way.
K-12 school nurses — That file the school nurse keeps on your child's asthma? The medication log for ADHD? The documentation of that concussion during gym class? All education records. HIPAA doesn't give you the same rights to that information that it would for records at your pediatrician's office.
University hospitals vs. university clinics — A large teaching hospital affiliated with a university is usually a HIPAA-covered entity. A campus counseling center run by the university might not be. Same campus, different rules, depending on how the records are maintained and for what purpose.
Student athletes — The athletic department's records about your injury and treatment? Often education records. But if you get treated at the university hospital, those are medical records with HIPAA protections. The same injury can generate two different types of records with different privacy rules.
Common Mistakes People Make
Assuming All "School Health Records" Work the Same Way
There's no single answer for every piece of health information in an educational setting. The determining factor is who maintains the record and why. People often assume HIPAA applies broadly to any health information connected to a school, and that's just not accurate.
Confusing FERPA and HIPAA Protections
Both laws protect student information, but they do it differently. Assuming they're interchangeable can lead to unexpected results when you try to exercise rights you think you have. The protections aren't identical, and the processes for accessing or challenging records aren't either.
Not Understanding Who "Owns" the Record
Here's a practical one: if your child sees a doctor through the school-based health center, is that a HIPAA record or a FERPA record? It depends on who operates the health center, whether it's a separate entity, and how the records are maintained. This isn't always obvious from the outside.
What Actually Works Here
If you're trying to handle student health privacy, here's what actually helps:
Ask what law applies. Don't assume. When you're dealing with school health information, ask whether the records are FERPA-protected education records or HIPAA-protected health records. The answer determines your rights.
Know who maintains the records. The entity that creates and keeps the record matters. A private physician practice contracted by the school is different from the school nurse's office. A university hospital is different from the student health center.
Understand the access process. For FERPA records, your primary right is to inspect and review. The process is set by school policy. For HIPAA records, you have specific rights to obtain copies and request amendments through a more formal process.
Check state laws. Some states have additional student privacy protections that go beyond both federal laws. Depending on where you live, state law might fill in gaps or add requirements.
FAQ
Does HIPAA apply to my child's school records?
Generally no. Most K-12 school health records are considered education records under FERPA, not protected health information under HIPAA. This includes records kept by school nurses, counselors, and health offices.
Can I get my college student's medical records from the campus health center?
It depends on how the health center operates. Many campus health centers are part of the educational institution and their records are FERPA-protected. You may have rights to access them, but through FERPA, not HIPAA. Students over 18 generally handle their own requests.
What's the difference between FERPA and HIPAA for student records?
HIPAA is a health privacy law that applies to health care providers, health plans, and health clearinghouses. FERPA is an education privacy law that applies to schools. HIPAA generally provides stronger access and amendment rights. FERPA focuses on educational records, including many health-related records schools maintain.
Do private schools have to follow FERPA?
Private schools that don't receive federal funding are generally exempt from FERPA. Still, many choose to follow similar practices, and some states have laws that extend student privacy protections to private school records.
Can schools share my child's health information with outside parties?
Under FERPA, schools can share information with school officials who have a legitimate educational interest, in health or safety emergencies, and in some other circumstances. The rules are different from HIPAA's authorization requirements, so disclosures that would require your permission under HIPAA might be permissible under FERPA.
The Bottom Line
The gap between HIPAA and education records is one of those regulatory nuances that sounds like it should be straightforward but isn't. If you're a parent trying to access your child's school health file, a college student trying to understand your rights at the campus health center, or anyone trying to figure out who can see your health information in an educational setting — the answer isn't "HIPAA covers this."
It's usually FERPA. And knowing the difference matters more than you'd expect.