When HIPAA Doesn't Apply: The Education Records Exception You Need to Know About
Here's a scenario that plays out more often than you'd think: a college student asks their school's health center for a copy of their medical records, expecting HIPAA to give them the same privacy protections they'd get at a doctor's office off-campus. Or a parent assumes their child's school health file is covered by the same federal law that protects their own medical information at the hospital Simple, but easy to overlook..
Worth pausing on this one.
Here's the thing — it's not. HIPAA excludes information considered education records, and this gap catches a lot of people off guard The details matter here. Simple as that..
What HIPAA Actually Covers (And What It Doesn't)
HIPAA, the Health Insurance Portability and Accountability Act, is the federal law most people think of when they hear "medical privacy." It sets national standards for protecting individually identifiable health information and applies to what the law calls "covered entities" — health plans, health care clearinghouses, and health care providers who transmit health information electronically.
So far, so good. But here's where it gets tricky Simple, but easy to overlook..
The law explicitly excludes certain categories of information from HIPAA's reach. One of the most significant exclusions? Education records protected under FERPA, the Family Educational Rights and Privacy Act.
What FERPA Covers Instead
FERPA is the other major federal student privacy law, and it's the one that actually applies to most school health information. It protects "education records" — which includes anything directly related to a student and maintained by the school or by someone acting on the school's behalf.
This covers:
- Grade reports and transcripts
- Class schedules
- Disciplinary records
- Health records maintained by the school (including immunization records, medication logs, and health office visit notes)
- Counseling records
- Special education files
So when a school nurse documents that a student was seen for asthma symptoms, that note lives in an education record — not a medical record subject to HIPAA.
The Overlap (And Where It Gets Confusing)
Now here's what trips people up: HIPAA does apply to some health information in educational settings. A hospital affiliated with a university might be covered by HIPAA. A private doctor's office that does sports physicals for students is definitely covered. Here's the thing — the school itself, though? Generally not Less friction, more output..
Short version: it depends. Long version — keep reading.
The key distinction is who maintains the record and for what purpose. If the school is keeping the information as part of its educational function — tracking vaccinations for school entry, managing accommodations under a 504 plan, or documenting visits to the school nurse — that's FERPA territory.
This is the bit that actually matters in practice.
Why This Distinction Actually Matters
You might be thinking: "Okay, different law, same protection, right?Here's the thing — " Not exactly. There are meaningful differences in what these laws require, and understanding them matters more than you might expect Worth keeping that in mind..
Access and Amendment Rights Differ
Under HIPAA, individuals have a clear, enforceable right to access their protected health information and request corrections. The process is well-defined, timelines are set, and there are regulatory consequences if covered entities don't comply Took long enough..
FERPA gives parents (and eligible students over 18) the right to inspect and review education records, but the process can be less standardized. Schools have more flexibility in how they handle access requests, and the "right to amend" that exists under HIPAA is weaker under FERPA.
Disclosure Rules Vary
HIPAA has detailed requirements about when and how health information can be shared without patient authorization. There are specific exceptions, required safeguards, and minimum necessary standards Not complicated — just consistent. Which is the point..
FERPA has its own exceptions for disclosure — including to school officials with legitimate educational interest, for health and safety emergencies, and in some other limited situations — but the framework is different. Some disclosures that would require authorization under HIPAA might be permissible under FERPA's educational interest exception.
Enforcement Works Differently
HIPAA violations can bring significant penalties from the Department of Health and Human Services' Office for Civil Rights. Because of that, fERPA enforcement is more limited — it doesn't have the same solid complaint and penalty structure. Schools that mishandle education records face less clear-cut regulatory consequences Turns out it matters..
How This Plays Out in Real Situations
Let's make this concrete. Here are a few scenarios where the HIPAA-FERPA distinction actually matters:
College health centers — Most college health centers are considered part of the educational institution, so their records are typically FERPA-protected. Students often assume HIPAA applies the same way it would at their hometown doctor's office. It doesn't work that way.
K-12 school nurses — That file the school nurse keeps on your child's asthma? The medication log for ADHD? The documentation of that concussion during gym class? All education records. HIPAA doesn't give you the same rights to that information that it would for records at your pediatrician's office.
University hospitals vs. university clinics — A large teaching hospital affiliated with a university is usually a HIPAA-covered entity. A campus counseling center run by the university might not be. Same campus, different rules, depending on how the records are maintained and for what purpose It's one of those things that adds up. Which is the point..
Student athletes — The athletic department's records about your injury and treatment? Often education records. But if you get treated at the university hospital, those are medical records with HIPAA protections. The same injury can generate two different types of records with different privacy rules.
Common Mistakes People Make
Assuming All "School Health Records" Work the Same Way
There's no single answer for every piece of health information in an educational setting. The determining factor is who maintains the record and why. People often assume HIPAA applies broadly to any health information connected to a school, and that's just not accurate Less friction, more output..
Confusing FERPA and HIPAA Protections
Both laws protect student information, but they do it differently. Worth adding: assuming they're interchangeable can lead to unexpected results when you try to exercise rights you think you have. The protections aren't identical, and the processes for accessing or challenging records aren't either Worth keeping that in mind..
Not Understanding Who "Owns" the Record
Here's a practical one: if your child sees a doctor through the school-based health center, is that a HIPAA record or a FERPA record? It depends on who operates the health center, whether it's a separate entity, and how the records are maintained. This isn't always obvious from the outside Not complicated — just consistent..
What Actually Works Here
If you're trying to figure out student health privacy, here's what actually helps:
Ask what law applies. Don't assume. When you're dealing with school health information, ask whether the records are FERPA-protected education records or HIPAA-protected health records. The answer determines your rights.
Know who maintains the records. The entity that creates and keeps the record matters. A private physician practice contracted by the school is different from the school nurse's office. A university hospital is different from the student health center No workaround needed..
Understand the access process. For FERPA records, your primary right is to inspect and review. The process is set by school policy. For HIPAA records, you have specific rights to obtain copies and request amendments through a more formal process.
Check state laws. Some states have additional student privacy protections that go beyond both federal laws. Depending on where you live, state law might fill in gaps or add requirements.
FAQ
Does HIPAA apply to my child's school records?
Generally no. Plus, most K-12 school health records are considered education records under FERPA, not protected health information under HIPAA. This includes records kept by school nurses, counselors, and health offices.
Can I get my college student's medical records from the campus health center?
It depends on how the health center operates. On the flip side, you may have rights to access them, but through FERPA, not HIPAA. Many campus health centers are part of the educational institution and their records are FERPA-protected. Students over 18 generally handle their own requests Still holds up..
It sounds simple, but the gap is usually here Easy to understand, harder to ignore..
What's the difference between FERPA and HIPAA for student records?
HIPAA is a health privacy law that applies to health care providers, health plans, and health clearinghouses. But hIPAA generally provides stronger access and amendment rights. Think about it: fERPA is an education privacy law that applies to schools. FERPA focuses on educational records, including many health-related records schools maintain Simple, but easy to overlook..
Do private schools have to follow FERPA?
Private schools that don't receive federal funding are generally exempt from FERPA. On the flip side, many choose to follow similar practices, and some states have laws that extend student privacy protections to private school records.
Can schools share my child's health information with outside parties?
Under FERPA, schools can share information with school officials who have a legitimate educational interest, in health or safety emergencies, and in some other circumstances. The rules are different from HIPAA's authorization requirements, so disclosures that would require your permission under HIPAA might be permissible under FERPA.
The Bottom Line
The gap between HIPAA and education records is one of those regulatory nuances that sounds like it should be straightforward but isn't. If you're a parent trying to access your child's school health file, a college student trying to understand your rights at the campus health center, or anyone trying to figure out who can see your health information in an educational setting — the answer isn't "HIPAA covers this."
It's usually FERPA. And knowing the difference matters more than you'd expect.
