Understanding the HIPAA Exclusion of Education Records Under FERPA: Privacy Laws for Student Health Information

Introduction

Student privacy is a cornerstone of educational and health law in the United States. Two federal statutes-FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act)-govern how student records, including health information, are protected and disclosed. Understanding when HIPAA applies and when FERPA controls is crucial for educators, healthcare professionals, parents, and eligible students. This article provides a comprehensive, actionable guide to navigating the intersection of these laws, with special attention to the exclusion of education records under FERPA from HIPAA protections.

FERPA: The Core Law Governing Education Records

FERPA is a federal law that protects the privacy of student education records in schools receiving federal funding. It covers a broad range of records-including academic, disciplinary, and health information maintained by schools or their employees. Under FERPA, schools generally cannot disclose education records or personally identifiable information (PII) without written consent from the parent or eligible student (a student who is at least 18 or attends a postsecondary institution) [3] .

Source: kaltmanlaw.com

FERPA’s scope means that health records maintained by school nurses or other school staff-when those records are part of the education record-are governed by FERPA, not HIPAA. These records can be accessed by school officials who have a legitimate educational interest, such as teachers or counselors [1] . In emergency situations, schools may disclose information without consent if necessary to protect student or public safety [3] .

HIPAA: Health Information and Its Exclusion of FERPA Records

HIPAA establishes national standards for the protection of health information, specifically Protected Health Information (PHI). However, HIPAA
explicitly excludes
from its definition of PHI any education records covered by FERPA [1] . If a record is protected by FERPA, HIPAA does not apply. This exclusion is designed to avoid overlapping federal regulations and ensure clarity for educational agencies and institutions.

For example, a student’s immunization record maintained by a school nurse in a public school is considered an education record under FERPA, and therefore not subject to HIPAA’s privacy rules [5] . The rationale is that FERPA already provides robust privacy protections for these records, so HIPAA’s additional layer of regulation is unnecessary.

Treatment Records: Special Considerations

FERPA also addresses treatment records , which are defined as records made or maintained by a healthcare professional for students 18 or older or attending postsecondary institutions, used only for treatment purposes. Treatment records are excluded from FERPA’s definition of education records and thus are not subject to FERPA unless disclosed for non-treatment reasons. However, HIPAA does
not
cover these records if maintained by an educational institution subject to FERPA [2] .

When treatment records are disclosed for reasons other than treatment-such as sharing with parents or other school officials-they become education records and fall under FERPA protections [4] .

Examples and Case Studies

Consider a public high school with a school nurse who maintains health records for students. These records, whether they relate to immunizations, medication administration, or injury reports, are part of the student’s education record and are protected by FERPA, not HIPAA. If the same nurse works for a private school that does
not
receive federal funding, FERPA may not apply, and HIPAA could govern the privacy of those records if the school is a HIPAA-covered entity [5] .

Source: dremilywhitehorse.com

Another example: A university counseling center maintains psychotherapy notes for students 18 and older. If these records are used exclusively for treatment by the counselor, they are considered treatment records and excluded from FERPA’s definition of education records. However, if they are disclosed for other purposes, such as academic support, they become education records subject to FERPA [2] .

Accessing Education and Health Records

Parents and eligible students have the right to access education records under FERPA. To request records, you can:

• Contact the school’s administration office and submit a written request for access to the student’s records.
• If you believe your rights under FERPA have been violated, you may file a complaint with the U.S. Department of Education’s Family Policy Compliance Office. Visit the official U.S. Department of Education website and search for “FERPA complaint” to find instructions and forms.
• For postsecondary institutions, eligible students (those 18 and older or enrolled) may request records directly from the registrar or student services office.

Schools are required to respond to requests for records within a reasonable timeframe, typically no more than 45 days. If you encounter challenges accessing records, contact the school district’s FERPA compliance officer or your state’s education agency for further guidance.

Challenges and Solutions

One common challenge is confusion over whether HIPAA or FERPA applies, especially in settings where health information is handled by educational staff. The key is to determine whether the record is maintained by an educational institution that receives federal funding. If so, FERPA applies, and HIPAA does not. If the record is maintained by a healthcare provider who is not affiliated with an educational institution, HIPAA may apply.

For private schools or organizations that do not receive federal funds, confirm whether your records are protected under FERPA. If not, inquire about HIPAA compliance with the organization’s privacy officer or administrator. In both cases, written policies about record access, disclosure, and privacy should be available on request.

Alternative Approaches

If you are unsure which law applies to your situation, consider the following strategies:

• Consult with the school’s privacy officer or compliance director for clarification.
• Review the school’s annual FERPA notification, typically distributed to families at the start of each academic year. This document outlines your rights and the school’s policies regarding record disclosure.
• For healthcare providers working with schools, review joint guidance from the U.S. Department of Education and the U.S. Department of Health and Human Services, available on their official websites.
• If necessary, seek legal advice from an attorney specializing in education or health privacy law.

Summary and Key Takeaways

HIPAA excludes education records protected by FERPA . If a student’s health record is maintained by a federally funded educational institution or its staff, FERPA governs privacy and access, not HIPAA. This exclusion prevents overlap and ensures that families, educators, and healthcare professionals understand their rights and responsibilities. For guidance on your specific situation, always contact the relevant school office, compliance personnel, or official government agency.

References

• [1] Kaltman Law (2024). HIPAA & FERPA: Education Records Exclusions Explained.
• [2] Compliancy Group (2023). How Do FERPA and HIPAA Interact?
• [3] American Academy of Pediatrics (2024). HIPAA and FERPA Basics.
• [4] National Center for Youth Law (2018). HIPAA or FERPA? A Primer on Sharing School Health Information.
• [5] Bricker Graydon (2023). HIPAA Regulations: Family Educational Rights and Privacy Act Relationship to Other Federal Laws.