FERPA and HIPAA Series Part 1 of 2:
What is FERPA?

HIPAA and FERPA intersect as federal laws governing privacy and rights: specifically, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Family Educational Rights and Privacy Act (FERPA). Both FERPA and HIPAA have their own regulations regarding the disclosure of medical information, but the two laws differ in several of their requirements for such disclosures.

What is FERPA and What Entities Does it Cover?

The Family Educational Rights and Privacy Act, or FERPA, protects the privacy of student educational records. FERPA applies to educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education. This includes virtually all public schools and school districts as well as most private and public postsecondary institutions, including medical and other professional schools.

Private and religious schools at the elementary and secondary level generally do not receive funds from the Department of Education and are therefore not generally subject to FERPA.

What is an “Educational Record” under FERPA, and When May It Be Disclosed?

Under FERPA, educational records include those records that are:

  • Directly related to a student; and
  • Maintained by an educational agency or institution or by a party acting for the agency or institution

Whether student medical information may be disclosed under FERPA depends in large part on whether the student is attending elementary or secondary school, or post-secondary school.

Elementary and Secondary School Level

At the elementary or secondary school level, a student’s health records, including immunization records, maintained by an educational agency or institution subject to FERPA, as well as school nurse records, are considered “education records” under FERPA.

Disclosure Rule for Elementary and Secondary Schools

Generally, parents have a right to inspect and review elementary and secondary school education records under FERPA. However, these records may not be shared with third parties without written parental consent unless a FERPA exception permits disclosure.

Exceptions to the Disclosure Rule

The most prominent exceptions allowing schools to disclose medical information and other “education records” to teachers and other school officials, without written parental consent, include:

  • School officials have “legitimate educational interests,” in accordance with school policy, in obtaining the records.
  • Emergencies. Disclosure of records, without consent, may be made to appropriate parties in connection with an emergency, if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

Postsecondary Institutions

Under FERPA, covered educational agencies and institutions may not disclose the education records of postsecondary school students, or personally identifiable information from education records, without an eligible student’s written consent. 

Postsecondary school education records, as defined under FERPA, mean records that are:

  • Directly related to a student; and
  • Maintained by an educational agency or institution or by a party acting for the agency or institution

An “eligible student” is defined as a student who is at least 18 years of age, or a student who attends a postsecondary institution at any age.

Distinction Between Education Records and Treatment Records

At postsecondary institutions (as opposed to elementary and secondary schools), medical and psychological treatment records of eligible students are excluded from the definition of “education records” if these records are:

  • Made, maintained, and used only in connection with treatment of the student; and
  • Only disclosed to individuals providing the treatment.

FERPA refers to these records as “treatment records.” Treatment records may be disclosed for purposes other than treatment, provided the records are disclosed pursuant to the student’s written consent, or under a FERPA exception to written consent. Exceptions include when the school has a legitimate educational interest in the disclosure, and when disclosure is necessary for enrollment or transfer purposes.

In addition, students may, at the postsecondary school’s discretion, examine and inspect their own treatment records. If the school allows students to do so, the treatment records then are regarded as “education records,” as that term is used in FERPA for postsecondary schools.

How Are FERPA and HIPAA Related?

FERPA and HIPAA are related and intertwined. The HIPAA Privacy Rule expressly excludes “education records” and “treatment records” of eligible students under FERPA from the HIPAA Privacy Rule’s definition of protected health information (PHI). Education and treatment records of eligible students under FERPA are also excluded from the HIPAA Security Rule’s coverage of electronic protected health information (ePHI). In other words, HIPAA excludes (“carves out”) FERPA education and treatment records from the protection of its Privacy and Security Rules.

Whether student medical information may be disclosed under FERPA vs HIPAA depends on:

  • Whether the school is an elementary or secondary (as opposed to post-secondary) school 
  • Whether the student is 18 or older
  • Who seeks the information (parents, third parties, etc.)
  • Whether the school is a covered entity that performs HIPAA-covered transactions
  • Whether the school is private or public

Part 2 of this series will discuss these factors, and under what law and in what circumstances student medical information may be disclosed.
