When HIPAA Doesn't Apply: The FERPA Exception for Student Health Records
Your daughter gets sick at school. The school nurse calls you, mentions her temperature, talks about giving her medication. You might assume that conversation is protected by HIPAA — the same federal law that keeps your doctor's visits private. But here's the thing: it probably isn't. Not because your daughter's health information doesn't matter, but because a different law — FERPA — already covers it. And HIPAA explicitly steps back when education records are involved.
This distinction trips up a lot of people: parents, educators, school administrators, even healthcare workers who rotate through school settings. They assume HIPAA is the default for any health information, period. It's not. And understanding why this exception exists matters — especially if you're responsible for handling student health data, or if you're a parent trying to understand your child's privacy rights.
What Is FERPA, and How Does It Interact With HIPAA?
FERPA stands for the Family Educational Rights and Privacy Act. Passed in 1974, it's the federal law that protects the privacy of student education records. That includes pretty much anything a school maintains related to a student — grades, transcripts, class schedules, disciplinary records, and yes, health information that's part of those records.
Now enter HIPAA, passed in 1996. HIPAA protects "protected health information" (PHI) — your medical records, insurance info, billing data, anything a healthcare provider or health plan creates or maintains about your health.
So where's the conflict? There isn't one, actually. Congress built a specific exemption into HIPAA to avoid redundancy and confusion. Under HIPAA's definition of "protected health information," the law explicitly excludes education records — and records covered by FERPA — from its scope.
Here's the actual language: HIPAA doesn't apply to education records protected by FERPA, or to medical records that a school creates for its own purposes (like a school nurse's notes in a student's file). The Department of Health and Human Services, which enforces HIPAA, has been clear about this. When a school maintains health information as part of a student's education record, FERPA is your protection — not HIPAA.
What Counts as an "Education Record" Under FERPA?
FERPA's definition is broad. An education record is any information directly related to a student that's maintained by the school or by a party acting for the school. This includes:
- Health forms you fill out at registration
- Vaccination records the school keeps
- Notes from the school nurse about your child's asthma or allergies
- Medication logs showing what the nurse administered and when
- Records of visits to the school-based health center
- Any documents in your child's cumulative file that mention medical conditions
As long as the school is keeping these records for its own educational purposes — tracking student health to provide a safe learning environment, comply with state immunization requirements, manage accommodations under Section 504 — they're education records. FERPA covers them.
When HIPAA Might Still Apply in a School Setting
Here's where it gets nuanced. HIPAA doesn't disappear from schools entirely. It just takes a back seat in specific situations:
- Post-secondary institutions: Colleges and universities that provide health services through a separate health clinic or hospital operating independently — not as part of the school's administrative records — may have HIPAA-covered entities. A university hospital, for instance, maintains HIPAA-protected records separate from the registrar's files.
- School employees: If a school employs a nurse or counselor, their own health records (not student records) are still protected by HIPAA if the school provides health insurance.
- Contracted healthcare providers: If an outside doctor, therapist, or mobile health clinic provides services to students under a contract with the school, the line gets blurry. The key question is who maintains the records and for what purpose.
The general rule: if the records live in the school's file system, are accessible to school staff for educational purposes, and relate to a student's status as a student — that's FERPA territory.
Why This Distinction Actually Matters
You might be thinking: okay, different law, same result. Not quite. FERPA and HIPAA protect privacy in different ways, and the practical differences can matter a lot.
Parental Rights vs. Student Rights
Under FERPA, parents have rights over their minor children's education records. Once the student turns 18 or enrolls in post-secondary school, those rights transfer to the student. But FERPA also allows schools to share directory information — like your child's name and grade level — unless you opt out.
HIPAA, by contrast, gives patients more direct control over their health information. It requires specific authorizations for most disclosures and has stricter rules about what can be shared without consent.
Enforcement Mechanisms
If there's a FERPA violation, your recourse is primarily through the Department of Education. Complaints can be filed, and schools can lose eligibility for federal funding — which is a powerful incentive, though enforcement historically has been limited.
HIPAA violations, enforced by the Office for Civil Rights, can carry actual financial penalties. Covered entities (healthcare providers, health plans) that violate HIPAA can face fines ranging from thousands to millions of dollars, depending on the severity and whether the violation was willful.
What this means in practice: a school's health records might have less dependable enforcement mechanisms behind them than your doctor's office records. That's worth knowing.
Access and Amendment Rights
Both laws give individuals the right to access their records and request corrections, but the processes differ. FERPA requires schools to permit parents (or eligible students) to review records within a reasonable time frame and to request amendments if information is inaccurate. HIPAA gives patients similar rights but with more specific timelines and procedures.
How Schools Actually Handle Student Health Information
In practice, most schools operate under FERPA without much confusion. When a school nurse logs that a student received medication, that goes into the student's health file — an education record. When a teacher notes that a student seems fatigued or unwell, that's part of the teacher's observations, which can be included in academic or disciplinary files.
The system works because schools have been operating under FERPA for decades. The HIPAA exclusion for education records isn't a loophole — it's an acknowledgment that student records already have a dedicated federal protection that makes sense for the school context.
What About College Health Centers?
This is where people get confused most often. A college health center is a healthcare provider, right? Shouldn't it follow HIPAA?
The answer depends on how the health center is structured. If it's part of the university — staffed by university employees, funded through student fees, and maintaining records as part of the university's administration — those records are likely education records under FERPA. The health center might operate like a doctor's office, but legally it's functioning within the school's educational framework.
If the university contracts with an external healthcare system that operates independently, maintains its own records, and bills insurance separately — then HIPAA likely applies to those specific interactions. The distinction comes down to who owns and controls the records.
Special Education and Section 504
Students with disabilities often have more extensive health-related documentation in their school files. Individualized Education Programs (IEPs) and Section 504 plans frequently contain medical diagnoses, medication information, and accommodations related to health conditions. These are clearly education records, protected by FERPA.
Parents sometimes worry that their child's sensitive health information is being shared too freely in these contexts. Understanding that FERPA — not HIPAA — applies can actually help, because FERPA has specific provisions about who can see IEP and 504 documents. Generally, school officials with legitimate educational interests can access them, but the rules are clearer than people assume.
Common Mistakes People Make
Assuming all student health data is HIPAA-protected. This is the big one. Parents often assume their child's medical information at school has the same legal shield as information at a doctor's office. It doesn't. The protection exists, but it's FERPA, not HIPAA.
Thinking HIPAA never applies to schools. As noted above, it's not an absolute. School employees' own health records, contracted healthcare services, and post-secondary health facilities can all fall under HIPAA in certain circumstances.
Confusing FERPA with HIPAA protections. They sound similar but have different scopes, exceptions, and enforcement. Assuming they're interchangeable can lead to incorrect assumptions about what can be shared and with whom.
Overlooking state laws. Some states have additional privacy laws that apply to student health information. Federal law sets a floor, not a ceiling. A school in one state might be subject to stricter state-level protections for student health data.
Practical Tips
If you're a parent, here's what this means in real terms:
- Know your school's privacy policy. FERPA requires schools to notify parents annually about their policies. Read it. It should explain how student records, including health information, are handled.
- Request a copy of your child's records if you want to see what's there. Under FERPA, you have the right to review. If your child has significant health needs at school, it helps to know exactly what documentation exists.
- Opt out of directory information if you're concerned. FERPA allows schools to share certain directory information without consent. You can tell the school in writing that you opt out.
- Ask questions about who sees your child's health information. If your child has a condition that requires medication at school or accommodations, ask exactly who has access to that documentation. FERPA limits it to school officials with legitimate educational interests, but it's okay to ask for specifics.
If you work in education:
- Train staff on the distinction. Teachers and administrators don't always know that HIPAA doesn't apply to student records. A quick training can prevent accidental assumptions.
- Keep health records where they belong. If your school contracts with outside healthcare providers, clarify who maintains which records and under what legal framework.
- Document everything. Good record-keeping practices protect everyone — the school, the staff, and the students.
FAQ
Does HIPAA apply to K-12 school nurses?
Generally, no. A school nurse's notes about a student are education records under FERPA. The nurse is acting as a school official providing health-related services as part of the school's responsibility to its students. HIPAA doesn't apply to those records.
Can my child's teacher share his ADHD diagnosis with other teachers?
Under FERPA, school officials with legitimate educational interests can access education records. If a teacher needs to know about a student's ADHD to provide appropriate instruction or accommodations, that's generally considered a legitimate educational interest. Sharing beyond that — with parents of other students, for example — would violate FERPA.
What if my child sees a doctor through a school-based health clinic?
It depends on how the clinic is structured and who maintains the records. If the clinic is operated by the school and its records are part of the school's files, FERPA applies. If it's an independent healthcare provider contracted by the school, HIPAA may apply to the clinical records. Ask the school or clinic about their privacy practices.
Can I sue a school for sharing my child's health information?
FERPA doesn't provide a private right of action. You can't directly sue in court for a FERPA violation. Your remedy is to file a complaint with the Department of Education. Some states, however, have laws that allow for legal action. Check your state's specific provisions.
Does FERPA protect my college student's therapy records?
If the counseling center is part of the university and maintains records as education records, FERPA applies. Many college counseling centers have their own confidentiality policies that exceed FERPA's minimum requirements, but legally, FERPA is the framework. Students should ask about privacy policies specifically.
The Bottom Line
The HIPAA exclusion for FERPA education records isn't a gap in protection — it's a recognition that student health information already has a dedicated legal framework. FERPA isn't as well-known as HIPAA, but it does the job for the school context. The important thing is understanding which law applies, because that determines your rights, who can access the information, and what recourse you have if something goes wrong.
Your child's health information at school is private. It's just protected by a different law than what you'd find at a doctor's office — and knowing the difference matters.