Student Privacy 101: Health Privacy in Schools – What law applies?



By Robert Gellman and Pam Dixon

This article is the third in a series on educational privacy

Schools are increasingly providing students with more health services. Health clinics, counselors on site, the administration of prescription drugs, and vaccinations are among the types of healthcare offered on school campuses ranging from kindergarten through graduate school. Given that schools may have sensitive health information — or request that information from students and parents — what law covers health record privacy for school records? The answer is important. It is also messy, because two laws can apply to this information.  In some cases, no privacy law applies to the health records. Let’s begin with the basics.

  • FERPA, the Family Educational Rights and Privacy Act, applies to most school health records most of the time.
  • HIPAA, the Health Insurance Portability and Accountability Act, applies to some school health records some of the time.
  • No privacy law applies to some private school health records some of the time.

Whether your records are covered under HIPAA or FERPA — or in some cases are not covered under any law — can be a challenging question to answer in some instances. Here are some basics to guide you through the most important parts of what information is covered by what law, when, and where.

Navigating School Health Privacy: The basics

FERPA, which was passed in 1974, came first. The Department of Health and Human Services issued the HIPAA health privacy rule in 2000. The Department knew that the pre-existing FERPA student record privacy law already covered health records held by schools. So it decided that HIPAA would not apply to health records that were already subject to FERPA. The idea was to avoid conflicts that would force a school to decide when to apply FERPA and when to apply HIPAA.

The decision to make school health records subject to FERPA sounds like a simple solution to a difficult problem. However, the real world is messy, and even simple solutions can be difficult to apply. We have discovered that sometimes the general rule of thumb does not apply. In some cases, HIPAA will indeed apply to school health records because sometimes school health records lose their FERPA coverage.

Important Exceptions

FERPA and HIPAA do not always mesh cleanly, and that creates convoluted exceptions. Here are some of the key exceptions you need to know about:

Private Schools

Most private schools are not subject to FERPA at all because the schools do not receive federal funds. When FERPA does not apply, then the HIPAA exemption for records covered by FERPA does not apply.

While this means that HIPAA may potentially apply, it is also possible that no privacy law applies. HIPAA does not actually apply to every healthcare record held by schools, even when FERPA does not apply. HIPAA only applies to certain types of businesses which are defined strictly under HIPAA as “covered entities.” Covered entities are typically healthcare providers who bill for services, for example, hospitals, doctors, etc.  This is a very important point to be clear on before a student receives health care, including mental health counseling, at a private school. For more on what kinds of businesses are covered under HIPAA regulations, see our Patient’s Guide to HIPAA entry on this topic.


Some school health records may be subject to HIPAA, FERPA, or even both. For example, consider a public health nurse who provides immunization to students on school grounds but who is not acting on behalf of the school. The records that the nurse creates would not be education records subject to FERPA. The nurse’s records could be subject to HIPAA while in the hands of the nurse.

If a school then obtains the records from the nurse, the records are FERPA records in the hands of the school. Disclosures between the nurse and the school require parental consent that meets either FERPA or HIPAA standards for consent.

Students 18 or older

FERPA does not cover treatment records for a student 18 years old or older as long as the school only discloses the records to persons providing treatment. Because FERPA does not apply, HIPAA would likely apply to those treatment records.

However, if a college discloses a record to anyone not providing treatment (including disclosure to the student), then it becomes a FERPA record and is no longer subject to HIPAA in the hands of the school.

The determination depends on a factual test that can produce a different result from case to case. Thus, the application of one law or the other will depend on how a specific record was actually disclosed.

University Hospital Student Health Clinics and other University Hospital Health Records

If a university hospital runs a student health clinic on behalf of a university, the clinic’s records on students would probably be subject to FERPA, not HIPAA. Hospital records about students that are not student health clinic records (e.g., inpatient records) are probably HIPAA records.

Hospital records generated from non-student health clinic visits may be subject to HIPAA, as they are unrelated to the school. If you are being treated at what seems to be a student health clinic run by your university, read the privacy notice to find out which law applies.

Health Clinic Run by a College

A college that operates a clinic open to staff, or the public, or both must comply with FERPA with respect to the health records of students, and it must comply with the HIPAA Privacy Rule with respect to the health records of nonstudents.

HIPAA or FERPA – which gives you better rights?

Do you have better privacy protection if your records are subject to HIPAA or FERPA? The answer varies, and some privacy rights are better under one law, and some are better under the other. The differences can be quite complex and subtle. Ultimately, these complexities may not be that important in many circumstances. Besides, the applicable law is not in your control so you have to take the law that applies and work with it. Here are some basics about the two statutes, and how to work with them.

If your records are Subject to HIPAA:

If your records are subject to HIPAA, you have 8 specific rights under HIPAA. For example, the right of access, the right to restrict disclosures, the right to ask for an accounting of disclosures, and more.

Here are the eight key rights of HIPAA:

  • Right to a Notice of Privacy Practices
  • Right to Inspect and copy your record
  • Right to request confidential communication
  • Right to request amendment
  • Right to receive an accounting of disclosures
  • Right to complain to the Secretary of Health
  • Right to request use and disclosure restrictions
  • Right to mandate some disclosure restrictions if you pay out of pocket

For a step-by-step explanation of how to use your HIPAA rights, see our Patient’s Guide to HIPAA, Part II, Basic Patient Rights.

If your records are Subject to FERPA:

FERPA gives parents and eligible students these basic rights:

  • The right to inspect and review the student’s education records maintained by the school;
  • The right to request that a school amend the student’s education records;
  • The right to consent in writing to the disclosure of personally identifiable information from the student’s education record, except under certain permitted situations; and
  • The right to file a complaint with the Family Policy Compliance Office (FPCO) regarding an alleged violation under FERPA.

Excerpted from the Department of Education Family Policy webpage, available at

Other Things You Can Do

Ask the School

If you are a student (or parent of a student) and you want to know what privacy rule applies, you should ask or look for a copy of the privacy policy or notice of information practices. It matters at times because privacy protections differ under HIPAA and FERPA.

Request a Copy of Your Medical Files

Whether your school health files are held under HIPAA or FERPA, request a copy of your files. This is important for all patients, including students. Having these records becomes especially important in cases of medical forms of identity theft.

Read the Official Guidance

The Department of Education and HHS issued an explanation of the two laws: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records. Be warned. It’s a complicated document and a challenge even for lawyers to understand. However, if you want the fine print, this is a good document to peruse.

Additional Resources:


A Patient’s Guide to HIPAA: This is a comprehensive and yet easy to read guide written expressly for patients.

Paying Out of Pocket to Protect Health Privacy: This is a report with extensive tips on how to exercise your right to pay out of pocket.


Student Privacy 101: What is FERPA and Why Does it Matter? (Part I)

Student Privacy 101: Why directory information and FERPA is a major education privacy issue (Part II)

See the entire Student Privacy 101 Series 



Document history:

Updated January 2017. Originally published Feb. 2015.