Does HIPAA Exclude FERPA? (w/Examples) + FAQs

Yes, HIPAA excludes FERPA records from its reach in most school settings. The HIPAA Privacy Rule at 45 CFR § 160.103 carves “education records” and “treatment records” protected by the Family Educational Rights and Privacy Act (FERPA) out of the definition of Protected Health Information (PHI).

This matters because schools, colleges, universities, and their vendors juggle two federal privacy laws that look alike but work very differently. The U.S. Department of Education enforces FERPA, while the HHS Office for Civil Rights enforces HIPAA. When you misapply the wrong rule, you risk losing federal funding, facing civil money penalties, and breaking student trust.

A 2023 joint guidance from HHS and ED reported that over 98% of K-12 student health records in public schools fall under FERPA, not HIPAA. That single statistic rewrites how school nurses, university clinics, and EdTech vendors must think about privacy.

Here is what you will learn in this article:

  • 📚 How the HIPAA carve-out in 45 CFR § 160.103 actually works in plain English
  • 🏫 When a school nurse, college clinic, or school psychologist follows FERPA versus HIPAA
  • ⚖️ Which court rulings, like Owasso ISD v. Falvo, shape the overlap
  • 🩺 How the “treatment records” exception at 20 U.S.C. § 1232g(a)(4)(B)(iv) changes the analysis
  • 🛡️ The top mistakes compliance officers make, plus a do’s and don’ts checklist you can use today

The Core Rule: HIPAA Steps Aside for FERPA

HIPAA and FERPA do not fight for the same turf. Congress wrote the HIPAA Privacy Rule so that it does not apply to information that FERPA already protects. The rule lives in the definition of PHI at 45 CFR § 160.103, which excludes “education records” covered by FERPA and “treatment records” of eligible students.

Plain-English Explanation

Think of HIPAA and FERPA as two guards standing outside the same door. FERPA gets first pick. If the record is a student record kept by a school that takes federal funds, FERPA guards it. HIPAA only steps in when the record does not meet FERPA’s definition, such as when a private practice doctor, not working for the school, treats a child. The HHS and ED joint guidance spells this out in clear steps for schools.

Consequence of Ignoring the Carve-Out

Schools that treat FERPA records as PHI risk over-sharing under HIPAA’s permissive disclosure rules. They may also under-share when FERPA allows a legitimate release, such as to a parent of a minor child. The Department of Education can pull federal funding for a FERPA violation, and HHS can fine a HIPAA-covered entity up to $2 million per year per violation category under the adjusted civil penalty tiers.

Real-World Example

Jamal is a school nurse at a public middle school in Ohio. He logs an asthma attack in the student’s health file. That file is a FERPA “education record,” not HIPAA PHI, because the school is a FERPA-covered entity and Jamal works for the school. If Jamal instead worked for a private urgent care clinic down the street, the same note would be HIPAA PHI.

Common Misconception

Many people think HIPAA always applies to anything medical. That is false. HIPAA only applies to “covered entities” like health plans, clearinghouses, and providers who bill electronically. Most public schools are not covered entities at all, even when they employ nurses, psychologists, and therapists.

What Counts as a FERPA “Education Record”?

FERPA defines an “education record” broadly. The statute at 20 U.S.C. § 1232g(a)(4)(A) covers any record that is directly related to a student and maintained by an educational agency or institution, or a party acting for it. The regulation at 34 CFR § 99.3 carries the same broad sweep.

Records That Are Education Records

School health records kept by a school nurse fit squarely inside the FERPA definition. Immunization logs, IEP health sections, counselor notes about classroom behavior, and records of school-sponsored clinic visits all count. The Supreme Court confirmed FERPA’s wide reach in Owasso Independent School District v. Falvo by holding that peer-graded papers were not education records because they were not yet “maintained” by the school.

Records That Are Not Education Records

Four categories fall outside FERPA. Sole-possession notes kept by one teacher or counselor do not count. Records of the school’s law enforcement unit do not count. Employment records of school workers do not count. And “treatment records” of eligible students aged 18+ or in postsecondary school get their own special bucket under 20 U.S.C. § 1232g(a)(4)(B)(iv).

Consequence of Misclassification

A school that labels a nurse’s log as a “personal note” to hide it from parents violates FERPA because parents of minors have an inspection right under 34 CFR § 99.10. A college that labels a counselor’s note as PHI and mails it under HIPAA authorization forms may confuse the student and delay access.

Real-World Example

Priya is a counselor at a public high school in Texas. She writes a note about Sam’s test anxiety and keeps it in her locked desk drawer. If no one else can see the note and it never leaves her drawer, it is a sole-possession record. The moment Priya shares it with the principal or puts it in the guidance file, it becomes a FERPA education record.

Common Misconception

People often think “medical” equals “HIPAA.” It does not. A school nurse’s chart in a public school is a FERPA record, full stop. The nurse does not need a HIPAA authorization to share it with the principal for a legitimate educational interest.

The “Treatment Records” Exception for College Students

College and university students get a unique FERPA rule. Their health and counseling records, when made, kept, and used only for treatment, are not education records under 20 U.S.C. § 1232g(a)(4)(B)(iv). But they are also not HIPAA PHI because 45 CFR § 160.103 lumps treatment records into the same excluded bucket.

Why Congress Created This Bucket

Lawmakers wanted to protect the confidentiality of college counseling and health services. If a student walks into campus counseling, the notes should not end up in the dean’s office under the guise of “education records.” The ED/HHS joint guidance explains that treatment records remain under FERPA’s umbrella, just in a sheltered sub-bucket.

The Catch When Records Leave the Clinic

Treatment records lose their protected status the moment the school uses them for something other than treatment. If the clinic shares a record with the dean of students to support a disciplinary case, the record becomes a regular FERPA education record. The student then gains full FERPA inspection rights under 34 CFR § 99.10.

Consequence of Getting This Wrong

A university that applies HIPAA rules to campus counseling records may mistakenly require a HIPAA authorization when FERPA consent is what the law demands. That delay can cost a student access to their own file and expose the school to an ED enforcement action.

Real-World Example

Diego is a sophomore at a state university in Florida. He visits campus health for depression counseling. The notes stay in the clinic and are used only for his care. Under the treatment records exception, the notes are not education records and not HIPAA PHI. But if the school uses the notes in a Title IX hearing, the notes convert into FERPA education records Diego can now inspect.

When Does HIPAA Actually Apply in a School Setting?

HIPAA still applies to some school-adjacent activity. The trigger is whether the school is a HIPAA-covered entity and, if so, whether the record is a FERPA education record. If both boxes are ticked, FERPA wins. If only HIPAA applies, HIPAA controls.

Private K-12 Schools That Do Not Take Federal Funds

FERPA only applies to schools that receive funds from a program run by the U.S. Department of Education. Many private K-12 schools do not receive ED funds and so are not FERPA-covered. Their health records may fall under HIPAA if the school employs a nurse who bills electronically, or under state law alone.

School-Based Medicaid Billing

Schools that bill Medicaid for services under the IDEA program often become HIPAA-covered because Medicaid billing uses HIPAA electronic standard transactions. Even then, the underlying student record remains FERPA-protected when it is an education record. The school must run parallel consent processes.

University Hospitals and Faculty Practices

A university hospital treating the general public is a HIPAA-covered entity. Its records are PHI, not education records, because they are not maintained by the school as part of the student’s education. The 2019 joint guidance treats these hospital records under HIPAA even when the patient is a student.

Consequence of Misapplying the Triggers

A school that thinks it is a HIPAA-covered entity when it is not may adopt costly HIPAA safeguards it does not need. A school that thinks it is not covered when Medicaid billing makes it so may face an OCR audit and penalties. Getting the trigger right is step one of every compliance program.

Three Classic Overlap Scenarios

Below are the three most common overlap patterns that trip up schools and providers. Each table shows the fact pattern and the privacy law outcome.

Scenario 1: The Public School Nurse

Fact Pattern | Privacy Law Outcome
Nurse at a public elementary school treats a student’s sprained ankle | FERPA applies to the health record
Nurse bills private insurance electronically for the visit | HIPAA may apply to the billing data, but the student record stays FERPA
Parent asks to see the nurse’s notes | FERPA gives parents the inspection right, not HIPAA
Nurse shares notes with PE teacher to excuse gym | FERPA “legitimate educational interest” allows it

Scenario 2: The College Counseling Center

Fact Pattern | Privacy Law Outcome
Student sees campus counselor for anxiety | Treatment records exception under FERPA applies
Counselor uses notes only for treatment | Not a FERPA education record and not HIPAA PHI
School subpoenas notes for a misconduct hearing | Notes convert into FERPA education records
Student asks to inspect the notes | FERPA grants the inspection right after conversion

Scenario 3: The University Hospital

Fact Pattern | Privacy Law Outcome
Patient, also a student, gets surgery at university hospital | HIPAA applies to the hospital record
Hospital bills insurance electronically | HIPAA PHI rules govern the billing file
Student wants a copy of her surgical record | HIPAA right of access under 45 CFR § 164.524
Hospital shares record with student’s professor | HIPAA authorization is required

Named Examples to Ground the Rules

Abstract rules come alive with real people. The four examples below show the HIPAA/FERPA split in action.

Example 1: Maria, the High School Nurse

Maria works at a public high school in Arizona. She keeps a log of every inhaler use by students. A parent calls and asks for the log for her 14-year-old daughter. Maria follows FERPA, not HIPAA, because the school is FERPA-covered and Maria’s log is an education record. She grants access under the parent inspection right at 34 CFR § 99.10 within the 45-day window.

Example 2: Dr. Lin, the Campus Psychiatrist

Dr. Lin treats Alex, a junior at a state university. Alex’s therapy notes stay in the counseling clinic and are used only for treatment. The notes are FERPA treatment records. When Alex requests them, Dr. Lin follows the FERPA treatment records access path, which allows the school to provide the records only through a physician of the student’s choice under the ED guidance.

Example 3: Chen Memorial University Hospital

The hospital treats student-athletes and general patients. The athletic department asks for a star quarterback’s MRI. The hospital refuses without a HIPAA-valid authorization because the MRI is PHI under HIPAA, not a FERPA record. The hospital’s privacy officer cites 45 CFR § 164.508 to require written authorization.

Example 4: Tanya, the IEP Coordinator

Tanya manages special education records under IDEA in a New York district. A related-service provider emails Tanya a speech evaluation. That evaluation is a FERPA education record and also falls under IDEA confidentiality rules at 34 CFR § 300.610. HIPAA does not apply, even though the evaluation is clinical.

Mistakes to Avoid

Privacy compliance punishes small errors heavily. The list below captures the eight most common HIPAA/FERPA overlap mistakes and the direct consequence of each.

  • Treating every school health record as PHI. The school may wrongly demand HIPAA authorizations for internal sharing that FERPA already allows.
  • Failing to realize Medicaid billing triggers HIPAA. The school may miss transaction and code set rules and face an OCR penalty.
  • Confusing sole-possession notes with education records. The school may wrongly deny parents access to records they legally should see.
  • Applying HIPAA to campus counseling treatment records. The school may block a student from access rather than using the FERPA treatment records path.
  • Ignoring the conversion rule. When treatment records leave the clinic, staff may fail to treat them as FERPA education records and deny inspection.
  • Sharing student PHI with athletic staff under old assumptions. The university hospital may violate HIPAA by releasing MRIs without a 164.508 authorization.
  • Using HIPAA authorization forms for FERPA releases. The school may collect an invalid consent and violate FERPA’s written consent rules at 34 CFR § 99.30.
  • Forgetting the “directory information” rule. Schools that disclose health-adjacent info as directory data may breach FERPA’s opt-out notice rule.

Do’s and Don’ts

Do’s

  • Do map every student record to a privacy law before you share it, because mis-mapping triggers penalties under FERPA or HIPAA.
  • Do train school nurses on the FERPA “legitimate educational interest” rule, since staff sharing is lawful only under that rule.
  • Do use the FERPA treatment records path for college counseling, because it is the only lawful access route for eligible students.
  • Do adopt dual policies when Medicaid billing makes the school HIPAA-covered, because two rulebooks apply at once.
  • Do document the school’s FERPA annual notice under 34 CFR § 99.7, because failure to notify invites ED enforcement.

Don’ts

  • Don’t use HIPAA authorization forms to release education records, because FERPA sets its own consent requirements.
  • Don’t tell parents “we can’t share due to HIPAA” when FERPA actually allows access, because this misstatement violates the parental right of inspection.
  • Don’t store counseling notes in shared school drives without access controls, because this can void the sole-possession-note status.
  • Don’t skip the joint HHS/ED guidance review, because it is the primary interpretive source on overlap questions.
  • Don’t assume private schools are HIPAA-only, because state laws and Medicaid billing can change that analysis quickly.

Pros and Cons of the HIPAA/FERPA Split

Pros

  • Students and parents get a single primary privacy law at each school, which reduces confusion for everyone.
  • FERPA’s parental inspection right is broader than HIPAA’s right of access for minors, so parents get more transparency.
  • Schools avoid costly duplicate compliance programs when their records are FERPA-only.
  • Treatment records protections shelter sensitive college health information from academic staff.
  • The HHS/ED joint guidance gives clear decision trees that reduce litigation risk.

Cons

  • The rules confuse staff who were trained only in HIPAA, which can lead to wrongful denial of access.
  • The overlap zone for Medicaid billing doubles compliance cost for school districts.
  • Treatment records conversion rules are easy to miss, and staff may over-share after conversion.
  • FERPA enforcement is agency-driven with no private right of action after Gonzaga University v. Doe, which leaves students with fewer remedies.
  • State laws, like California’s CMIA, can add a third layer that neither HIPAA nor FERPA addresses.

Key Court Rulings to Know

A handful of Supreme Court decisions shape how these laws overlap. Each case clarifies a piece of the puzzle that directly affects school health record handling.

Owasso ISD v. Falvo (2002)

In Owasso ISD v. Falvo, the Supreme Court ruled that peer-graded assignments are not FERPA education records until a teacher records the grade. The decision narrows what “maintained by” means under 20 U.S.C. § 1232g(a)(4). It also signals that transient handling does not automatically invoke FERPA.

Gonzaga University v. Doe (2002)

In Gonzaga University v. Doe, the Court held that FERPA does not create a private right of action under 42 U.S.C. § 1983. Enforcement goes to the Department of Education. That leaves OCR administrative action as the primary HIPAA enforcement tool and ED administrative action as the FERPA tool.

Doe v. Rector and Visitors of George Mason University (2015)

The Fourth Circuit in Doe v. GMU analyzed how university conduct records interact with student privacy rights. The case reinforces that records leaving a counseling context can convert to education records. It adds due process weight to disciplinary use of mental health data.

State Nuances to Watch

State laws can raise the floor above federal law. Compliance teams should map each state where they operate before building a single policy.

California

California’s Confidentiality of Medical Information Act covers medical information broadly, even where HIPAA does not. Schools that operate clinics in California must reconcile FERPA, HIPAA, and CMIA. The California Student Records Law adds another layer on top of FERPA.

New York

New York’s SHIELD Act imposes data security duties on entities holding private information, including schools. New York’s Education Law § 2-d adds student data privacy rules that apply to school vendors. Districts must follow SHIELD, FERPA, and Ed Law 2-d in tandem.

Texas

Texas HB 300 is broader than HIPAA and covers any entity handling protected health information. Texas also has the Student Privacy Act governing EdTech vendors. Texas school districts face three overlapping regimes.

Process: Deciding Which Law Applies

The joint agency framework gives a five-step test you can run in under a minute. Each step has its own downstream consequence if you skip or misread it.

Step 1: Is the School FERPA-Covered?

Ask whether the school receives ED funds. If yes, the school is FERPA-covered under 34 CFR § 99.1. If no, skip ahead to HIPAA analysis. Skipping this step means you may apply the wrong rulebook entirely.

Step 2: Is the Record an Education Record?

Ask whether the record is directly related to a student and maintained by the school. If yes, it is FERPA-protected. If no, check the three FERPA exclusions before moving on. Missing this step leads to mislabeling sole-possession notes.

Step 3: Is It a Treatment Record?

If the student is 18+ or in postsecondary school, ask whether the record is made only for treatment and used only for treatment. If yes, apply the treatment records sub-bucket. Missing this step produces wrongful HIPAA analysis on college counseling notes.

Step 4: Is the School a HIPAA-Covered Entity?

Ask whether the school conducts HIPAA standard transactions electronically, such as Medicaid billing. If yes, HIPAA applies to the transactions but FERPA still owns the education records. Missing this step produces gaps in transaction compliance.

Step 5: Apply the Controlling Law

Apply FERPA to education records, the treatment records sub-rules to treatment records, and HIPAA to anything else your covered entity handles. Document the decision. Missing documentation is the single most common finding in ED and OCR audits.

Comparing HIPAA and FERPA Side by Side

Feature | FERPA | HIPAA
Enforcing agency | U.S. Department of Education | HHS Office for Civil Rights
Primary statute | 20 U.S.C. § 1232g | 42 U.S.C. § 1320d
Who it covers | Schools receiving ED funds | Health plans, clearinghouses, billing providers
Key access right | Parent/eligible-student inspection | Individual right of access
Private right of action | None under Gonzaga | None, OCR enforcement only
Penalties | Loss of federal funds | Tiered civil penalties up to $2M/year

FAQs

Does HIPAA ever apply to a public school?

Yes, but rarely. It applies when the school conducts HIPAA standard electronic transactions, such as billing Medicaid for IDEA-related services under 45 CFR § 160.103.

Are school nurse records FERPA or HIPAA?

Yes, school nurse records at FERPA-covered schools are FERPA education records. The HIPAA Privacy Rule specifically excludes FERPA-covered records from the definition of PHI.

Do parents have a right to see their child’s health records at school?

Yes, parents of minor children have an inspection right under 34 CFR § 99.10, which covers school-held health records. Schools must respond within 45 days.

Do college students get parental privacy protections?

No, once a student turns 18 or enrolls in postsecondary school, FERPA rights transfer to the student under 34 CFR § 99.5. Parents lose the default inspection right.

Can a university counselor share notes with a dean?

No, not without converting treatment records into education records or getting written consent. The moment the notes leave the treatment context, they become FERPA education records the student can inspect.

Does HIPAA apply to a university hospital treating students?

Yes, because university hospitals are HIPAA-covered entities. Records there are PHI and not FERPA education records.

Are private school records covered by FERPA?

No, unless the private school receives ED funds. Most private K-12 schools are outside FERPA, and their health records may fall under HIPAA or state law only.

Is an IEP considered a FERPA record?

Yes, Individualized Education Programs are FERPA education records and also protected under IDEA confidentiality rules. HIPAA does not apply to IEPs at public schools.

Can a student sue a school directly under FERPA?

No, under Gonzaga University v. Doe, FERPA provides no private right of action. Students must file complaints with the Department of Education.

Does HIPAA follow records when they move from a hospital to a school?

No, once records move into the FERPA system and become part of the student’s education record, FERPA governs them and the HIPAA rules drop off.

Are COVID vaccination records at school FERPA or HIPAA?

Yes, vaccination records held by the school are FERPA education records. The school nurse’s log and the vaccination status form both fall inside FERPA’s definition.

Can schools share health data with law enforcement?

Yes, but only under FERPA’s narrow exceptions at 34 CFR § 99.31, such as health and safety emergencies or lawful subpoenas. HIPAA’s parallel rule at 45 CFR § 164.512 applies only to HIPAA-covered records.