HIPAA & FERPA: Does your school have to comply with these regulations?

Magnus Health
March 5, 2020
Blog, Security & Compliance, Student Health
5 Minute Read

We're frequently asked whether schools in the U.S. must comply with HIPAA and FERPA. Here are the basics of the two laws and how each one applies to schools and student records.

This is not legal advice, nor is it intended as legal advice.

FERPA: The Family Educational Rights and Privacy Act

FERPA is a federal law that protects the privacy of student education records. It applies to every school or educational agency that receives funds under a program administered by the U.S. Department of Education. The schools typically covered under FERPA are therefore:

  • Most public elementary and secondary schools and school districts.
  • Most public and private postsecondary institutions, including medical and other professional schools.

Schools not typically covered under FERPA are private and religious elementary and secondary schools that receive no federal funds under an applicable U.S. Department of Education program.

According to the U.S. Department of Education, FERPA provides parents certain rights with respect to their children’s education records. These rights are transferable to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom rights have transferred are “eligible students.”

Parent and “Eligible Student” Rights:

  • The right to inspect and review the student’s education records maintained by the school.
  • The right to request that a school correct records which they believe to be inaccurate or misleading.

Generally, FERPA requires the written consent of a parent or an eligible student prior to the disclosure of education records, or release of personally identifiable information (PII) from the records.

Education records are records that are:

  • Directly related to a student.
  • Maintained by an educational agency or institution, or by a party acting for the agency or institution.

At the elementary and secondary school level, student health records (including immunization records) kept by the school are education records.

Information covered under FERPA can be shared without prior consent from the parent or eligible student in some scenarios, including:

  • When released to school officials who are determined to have a “legitimate educational interest” in the information. However, the school must have identified who those people are (administrators, teachers, coaches, etc.) and inform the parent of the people who might have access to the information.
  • To schools in which the student seeks or intends to enroll.
  • Specified officials for audit or evaluation purposes.
  • In connection with financial aid for which the student has applied or which the student has received.
  • Organizations conducting certain studies for or on behalf of the school.
  • Accrediting organizations.
  • For health or safety emergencies.
  • To comply with a judicial order or a lawfully issued subpoena.
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

HIPAA: The Health Insurance Portability and Accountability Act

HIPAA sets standards for the protection and sharing of individually identifiable health information, referred to as protected health information (PHI). Its Administrative Simplification provisions include the Privacy, Security and Enforcement Rules and the Transactions and Code Sets Standards.

  • The Privacy Rule establishes national standards for how covered entities (health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically) and their business associates must protect PHI, and it outlines patient rights, such as:
    • The right to access your health records.
    • The right to request corrections or amendments to your health records.
    • The right to know how your health information is used and shared.
    • The right to request limits on the sharing of your health information.
  • The Security Rule requires administrative, physical and technical safeguards for PHI that is created, received, maintained or transmitted electronically (ePHI).
  • The Enforcement Rule establishes standards for investigations, penalties and hearings under the Administrative Simplification Rules.

HIPAA applies when:

  • Health care services are provided to students AND the school files claims for payment electronically (for example, billing Medicaid for school nursing services). The school is then a HIPAA covered entity, but the student health records remain education records under FERPA and are excluded from HIPAA's definition of PHI, so neither the Privacy Rule nor the Security Rule applies to them. The electronic claims themselves must follow the Transactions and Code Sets Standards.
  • The school is private, receives no federal funding under a Department of Education program, AND bills electronically for reimbursement. FERPA does not apply, so the records are not education records, and all of the HIPAA rules apply. A school that does not conduct these transactions electronically is not a HIPAA covered entity.
  • A student receives health services in a hospital affiliated with a university subject to FERPA. The hospital records would fall under HIPAA for protection and access.
    • Exception: If the hospital runs a health clinic for students on behalf of the university, and there’s no filing of claims, the records would fall under “education” or “treatment records,” both covered by FERPA.
  • An institution is a covered entity providing healthcare services to non-students such as staff members, spouses of students, and the public. HIPAA Privacy and Security rules apply to the protection and access of these records.

Whichever law applies to your school, FERPA or HIPAA, it is your responsibility to have a system in place to protect student health records. To guard against data breaches and malicious activity, including identity theft, make sure this information cannot be accessed by anyone who is not authorized to view it, and keep in mind the many ways records can be lost: fire, natural disasters, intentional or accidental destruction of data, and theft of computers, hardware or printed documents.

In the same way, take stock of every place student health records are stored and every path they travel. Are they written on paper? Kept in electronic form? Transmitted through office equipment such as fax machines or scanners? Stored on desktop computers, USB drives, shared Google documents or smartphones? Verbal disclosure counts too: staff should limit conversations about protected student information and should never discuss it outside the work environment. That includes hallways, where you never know who is around the corner listening, whether on purpose or by accident.
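The access rules described above (written consent, designated school officials with a "legitimate educational interest", and the health or safety emergency exception) can be encoded as a deny-by-default authorization check with an audit trail. The following Python is an added example written for this page; it is not Magnus Health's code. The role names, the designated-official list, the request fields (including `emergency_basis`) and the audit-log layout are assumptions chosen for illustration, not requirements taken from either law.

```python
"""Deny-by-default access check for a student health record, modelled on
FERPA's consent requirement and its school-official and emergency exceptions.
Added example for this page; record fields, roles and log format are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Roles the school has named in its annual FERPA notice as school officials
# with a legitimate educational interest in health records (assumed list).
DESIGNATED_OFFICIALS = {"nurse", "principal", "athletic_trainer"}

# Disclosures made without consent must be recorded; this list stands in for
# a durable, append-only audit store (assumed structure).
AUDIT_LOG = []


@dataclass
class HealthRecord:
    student_id: str
    content: str
    # Requester ids for whom written consent from the parent/eligible student is on file.
    consent_granted_to: set = field(default_factory=set)


@dataclass
class Request:
    requester_id: str
    role: str
    purpose: str                          # "educational", "emergency" or "other"
    emergency_basis: Optional[str] = None  # documented basis for an emergency release


def authorize(record: HealthRecord, request: Request, now: Optional[datetime] = None):
    """Return (allowed, reason) for one access request and log the decision.

    Order of checks: explicit consent first, then the designated-official
    exception, then a documented emergency. Anything else is denied.
    """
    now = now or datetime.now(timezone.utc)

    if request.requester_id in record.consent_granted_to:
        decision = (True, "written consent on file")
    elif request.purpose == "educational" and request.role in DESIGNATED_OFFICIALS:
        decision = (True, f"designated school official ({request.role}) "
                          "with legitimate educational interest")
    elif request.purpose == "emergency":
        # An emergency release needs a recorded, articulable basis; an
        # unexplained "emergency" flag is not enough to open the record.
        if request.emergency_basis:
            decision = (True, "health or safety emergency: " + request.emergency_basis)
        else:
            decision = (False, "emergency disclosure requires a documented basis")
    else:
        decision = (False, "no consent on file and no applicable exception")

    AUDIT_LOG.append({
        "time": now.isoformat(),
        "student_id": record.student_id,
        "requester_id": request.requester_id,
        "role": request.role,
        "purpose": request.purpose,
        "allowed": decision[0],
        "reason": decision[1],
    })
    return decision


def read_record(record: HealthRecord, request: Request) -> Optional[str]:
    """Return the record content only when authorize() allows it."""
    allowed, _ = authorize(record, request)
    return record.content if allowed else None


if __name__ == "__main__":
    # Constructed sample data, not real student information.
    rec = HealthRecord("S-1001", "asthma; rescue inhaler kept in nurse's office",
                       consent_granted_to={"parent-77"})
    for req in (
        Request("nurse-3", "nurse", "educational"),
        Request("coach-9", "coach", "educational"),
        Request("coach-9", "coach", "emergency"),
        Request("coach-9", "coach", "emergency", "student collapsed at practice"),
        Request("parent-77", "parent", "other"),
    ):
        print(req.requester_id, authorize(rec, req))
    for entry in AUDIT_LOG:
        print(entry)
```

A coach is refused under the educational-interest exception because the school never designated that role, and is refused again when claiming an emergency with no recorded basis; the same coach is granted access once the basis is documented, and that grant is logged with the reason so the disclosure can be recorded in the student's file as FERPA requires.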

You can obtain more in depth information regarding HIPAA and FERPA using this valuable resource: HIPAA/FERPA Joint Guidance Document (Updated December 2019)

If you would like to learn how K-12 schools protect their student private data using an electronic Student Health Record (SHR) solution, please check out Magnus Health and request your personalized Live demo today!