FERPA and the HIPAA Privacy Rule
The HIPAA Privacy Rule exempts schools whose records are already covered by FERPA. So public K-12 health records under FERPA are not HIPAA records; a private school taking no federal funding may be under HIPAA if it is a covered entity; and a university clinic treating both students and nonstudents applies FERPA to student records and HIPAA to nonstudent records.
When HIPAA was enacted in 1996, the final Privacy Rule exempted schools where education records were already subject to FERPA. So where a public elementary or secondary school provides a nurse, those health records are subject to FERPA, not HIPAA.

| Setting | Governing law |
|---|---|
| Public K-12 school nurse / health records | FERPA (HIPAA exempted) |
| Private K-12 school with no federal funding, qualifying as a HIPAA covered entity | HIPAA Privacy Rule (FERPA does not apply) |
| University clinic treating only students | FERPA (records are education or treatment records) |
| University clinic treating both students and nonstudents | FERPA for student records; HIPAA for nonstudent records |

There can be overlap and controversy, for example, school-based health centers disclosing health information for a student's lawsuit, or sharing records to prevent tragedies involving students with mental health issues. These fact patterns are difficult, especially when high school, university, and non-school provider records mix; consult an attorney.