Organizations that handle student health information often default to HIPAA — but in education environments, that assumption is frequently wrong.
Understanding FERPA vs HIPAA is critical for schools, universities, healthcare partners, and vendors because misclassifying which law applies can lead to improper disclosures, failed audits, and incorrect responses to breaches or record requests.
This guide explains the difference between HIPAA and FERPA, how each applies in schools, and what changes when parents, patients, or regulators request access to records.
The One Rule That Resolves Most FERPA vs HIPAA Confusion
If student health information is maintained by a school as part of an education record → FERPA applies.
If health information is created or maintained by a HIPAA-covered healthcare provider → HIPAA applies.
HIPAA explicitly excludes education records covered by FERPA, which is why the same student can have records governed by different laws depending on who maintains the data.
This distinction is not interpretive opinion; it comes directly from joint guidance issued by the U.S. Department of Health and Human Services (HHS) and the Department of Education.
What Is FERPA and Why It Often Applies Instead of HIPAA
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records.
FERPA applies to:
- K–12 schools
- Colleges and universities
- Educational institutions receiving U.S. Department of Education funding
Education records can include health information when that information is:
- Directly related to a student, and
- Maintained by the school or institution
This means many records people assume are “medical records” are actually FERPA-protected education records.
For more information on FERPA and student education records, refer to U.S. Department of Education guidance.
FERPA Rights in Plain English
Under FERPA, parents or eligible students (age 18+) have the right to:
- Inspect and review education records
- Request corrections to inaccurate information
- Control most disclosures to third parties
School nurse records maintained by the school almost always fall under FERPA, not HIPAA, as explained by the American Academy of Pediatrics’ guidance on HIPAA and FERPA in school health settings.
What Is HIPAA and When It Actually Applies
The Health Insurance Portability and Accountability Act (HIPAA) governs protected health information (PHI) handled by:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Business associates of those entities
HIPAA applies only when an organization qualifies as a HIPAA covered entity or business associate and creates, receives, or maintains PHI.
Crucially, HIPAA does not apply to education records covered by FERPA or most K–12 school health records, as reflected in HHS guidance clarifying the scope of the HIPAA Privacy Rule.
How Do You Know Whether FERPA or HIPAA Applies in Schools?
The deciding factor is who maintains the record and for what purpose.
School-Maintained Health Records
If health information is:
- Maintained by the school
- Used for educational or administrative purposes
➡ FERPA applies
➡ HIPAA does not
This includes most K–12 nurse records and many university disability or accommodation files.
University or School-Based Health Clinics
When a clinic:
- Operates as a healthcare provider, and
- Bills insurance electronically
➡ HIPAA applies to the clinic’s patient records
➡ FERPA applies to education records held by the school
Same student. Same institution. Different systems. Different laws.
FERPA vs HIPAA: What’s Actually Different
| Area | FERPA | HIPAA |
| --- | --- | --- |
| Governs | Education records | Protected health information |
| Primary regulator | Department of Education | HHS Office for Civil Rights |
| Individual rights | Parents / eligible students | Patients |
| Applies in schools | Most student records | Limited, clinic-specific |
| Record exclusion | Excludes HIPAA | Excludes FERPA records |
FERPA vs HIPAA Decision Support
Unsure Which Law Applies to Your Records?
Most FERPA vs HIPAA mistakes happen before a breach or record request — during system design, vendor selection, and data classification.
→ Start with a risk assessment to identify which systems fall under FERPA, HIPAA, or both
What Changes After a Data Breach Under FERPA vs HIPAA?
HIPAA Breach Obligations
HIPAA requires covered entities to:
- Notify affected individuals
- Notify HHS
- Notify media for large breaches
- Meet strict federal timelines
FERPA Breach Reality
FERPA does not include a HIPAA-style federal breach notification rule, but schools must:
- Protect education records using reasonable methods
- Comply with applicable state breach notification laws
- Address Department of Education enforcement expectations
Schools often underestimate breach risk because FERPA feels less prescriptive — but exposure still exists.
Breach Readiness
A Breach Is Where FERPA vs HIPAA Errors Get Expensive
If your response plan assumes HIPAA when FERPA applies (or the reverse), your organization may already be out of compliance.
→ Assess your breach response readiness before an incident occurs
How Should Organizations Respond to Record Requests Under FERPA vs HIPAA?
Responding Under FERPA
Schools must, consistent with FERPA requirements and Department of Education guidance on student privacy:
- Provide parents or eligible students access to education records
- Respond within reasonable timelines
- Obtain consent for most third-party disclosures
Responding Under HIPAA
Covered entities must:
- Verify identity
- Provide access to PHI within HIPAA timelines
- Document disclosures and requests
For Schools and IT Teams
HIPAA-Grade Security Still Matters — Even When HIPAA Doesn’t Apply
FERPA does not prescribe technical safeguards the way HIPAA does, but regulators still expect:
- Access controls
- Audit logs
- Secure transmission and storage
- Vendor risk management
→ Map FERPA-covered data to HIPAA-grade security controls
Key Takeaways on FERPA vs HIPAA
Based on joint guidance from the U.S. Department of Health and Human Services and the Department of Education:
- FERPA governs most student health records maintained by schools
- HIPAA governs healthcare providers, not education records
- Different systems may be governed by different laws for the same individual
- Breaches and record requests expose misclassification fastest



