HIPAA and FERPA Basics

Coordination and collaboration between community and school health care providers is vital to supporting the health and wellbeing of children and youth. When sharing information, providers must be mindful of the major federal privacy protections that govern the disclosure of information about students and patients: the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

FERPA

FERPA is a federal law that protects the privacy of educational records. It applies to all educational agencies and institutions that receive federal funds from the US Department of Education, including public elementary and secondary schools. Private and religious schools are often exempt from FERPA.

Under FERPA, educational institutions can not disclose educational records or personally identifiable information (PII) from those records without the written consent of a parent (or the student, if 18 or older or attending a postsecondary institution).

Educational institutions can disclose information from a student’s education record, including health and medical information, to teachers and other staff within the school who have “legitimate educational interests” in the records without obtaining written consent. Educational agencies can also disclose information without written consent in an emergency situation if necessary to protect the health or safety of the student or other individuals.

HIPAA

The HIPAA Privacy Rule applies to health plans, health care providers, and others that transmit health information in electronic form. The purpose is to protect the privacy and security of individuals’ protected health information (PHI) through safeguards that govern the use and disclosure of such information. Covered entities must obtain written authorization before disclosing PHI. Like FERPA, HIPAA does allow disclosure of PHI in order to treat a patient during an emergency or in the case of an imminent threat. It also allows providers to share information for treatment purposes.

The Intersection of FERPA and HIPAA

Which applies?
Depending on the situation, either FERPA or HIPAA may apply—not both.

For the most part, community health care providers follow HIPAA and school providers follow FERPA. This is because schools that provide health care services generally document student health information in records that are considered education records, and are therefore covered under FERPA.

Student records covered under FERPA are excluded from HIPAA. If schools bill Medicaid for health services, they must follow HIPAA guidelines for those transitions, but the student health information maintained in education records is still excluded from HIPAA coverage.

School-based health centers operated by HIPAA-covered entities, such as a hospital or healthcare system, would be subject to HIPAA. If the clinic is operated by the school, then FERPA would apply.

What information can school and community health care providers share with one another?
HIPAA allows health care providers to disclose PHI to school nurses, physicians, or other health care providers for treatment purposes without obtaining authorization from the parent or patient. For example, a student’s pediatrician may discuss the patient’s health care needs with the school nurse responsible for administering medications and providing other health care while the student is in school.

FERPA places more limits on information sharing. Under FERPA, school nurses are not allowed to share PII with a student’s physician without obtaining written consent unless there is a specific and significant threat to health and safety, or if the nurse is verifying information provided by that physician (e.g., a note confirming medical reasons for a student absence).

Summary of FERPA and HIPAA

Additional Information

Federal guidance

US Department of Health and Human Services and US Department of Education: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records

US Department of Education: Protecting Student Privacy

Additional resources

American Academy of Pediatrics: HIPAA/FERPA Learning Burst

Association of State and Territorial Health Officials: Comparison of FERPA and HIPAA Privacy Rule for Accessing Student Health Data

California School-based Health Alliance: A California Guide for Sharing Student Health and Education Information

CDC: HIPAA and FERPA Comparison Chart

Mental Health Technology Transfer Center Network: HIPAA and FERPA Laws: A School Mental Health Navigation Tool

National Association of School Nurses: HIPAA and FERPA

National Center for Youth Law: HIPAA or FERPA? A Primer on Sharing School Health Information in California, Second Edition

National Law Review: Understanding the Privacy Rights of HIPAA and FERPA in Schools

The Network for Public Health Law:

• Family Educational Rights and Privacy Act
• Data Privacy in School Nursing: Navigating the Landscape of Data Privacy Laws (Part I)
• Data Privacy in School Nursing: Navigating the Landscape of Data Privacy Laws (Part II)

Information adapted from: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records and Comparison of FERPA and HIPAA Privacy Rule for Accessing Student Health Data

The content of this page is for informational purposes only and is not intended to provide legal advice. Health care providers and school staff must also follow state confidentiality and privacy laws as well as other federal laws that may apply, such as the Individuals with Disabilities Education Act.