The Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are federal laws that intersect. FERPA and HIPAA each impose requirements on when medical information may be disclosed. The requirements of FERPA and HIPAA differ in several aspects. Disclosure of student medical information under each law is discussed below.

Elementary and Secondary Schools

As noted in Part 1, FERPA – a federal law designed to protect privacy of student educational records –  permits parents to inspect and review elementary and secondary school records, including medical records. The HIPAA Privacy Rule generally does not “step in” to shield student medical records from being disclosed to parents. This is because the HIPAA Privacy Rule generally does not apply to elementary or secondary schools, either because:

• The schools are not covered entities that do not perform HIPAA-covered transactions;  or
• The schools maintain health information that is by definition “educational information,” which, as stated above, is “carved out” of the HIPAA Privacy Rule’s protection.

Do FERPA and HIPAA Prevent Me, As a Parent, From Inspecting and Reviewing My Child’s Health and Medical Records?

As indicated above, the answer is “no.” Generally, FERPA and HIPAA do not prevent a parent from inspecting and reviewing his or her elementary or secondary school child’s health and medical records. 

Are There Exceptions to this General Rule?

Yes, in extremely limited circumstances. IF 1) an elementary school or secondary school is a HIPAA covered entity; AND 2) the school is NOT subject to FERPA, AND 3) state law prevents disclosure of PHI to the child’s parents, then (and only then), PHI may not be disclosed to the parent.

These three conditions are discussed in greater detail below.

Condition 1: Engaging in HIPAA-Covered Transactions

To meet the first condition – to be subject to the HIPAA Privacy Rule, the school medical providers must be engaging in HIPAA-covered transactions. By definition, HIPAA-covered transactions include the transmission of information between two parties to carry out financial or administrative activities related to health care. HIPAA-covered transactions include the following types of information transmissions:

(1) Health claims or equivalent encounter information. 

(2) Health care payment and remittance advice. 

(3) Coordination of benefits. 

(4) Health care claim status. 

(5) Enrollment and disenrollment in a health plan. 

(6) Eligibility for a health plan. 

(7) Health plan premium payments. 

(8) Referral certification and authorization. 

(9) First report of injury. 

(10) Health claims attachments. 

Generally, elementary and secondary school health providers do not engage in these transmissions. In rare instances they do. In these instances, the HIPAA Privacy Rule applies to the PHI that is the subject of the transmission.

Condition 2: Not Being Subject to FERPA

As noted in Part 1, treatment and educational records of eligible students under FERPA are excluded from coverage under the HIPAA Privacy Rule. Therefore, condition 2 may only be met by those schools that are not subject to FERPA. While FERPA applies to almost all public schools and public secondary institutions, most private schools at the elementary and secondary school level typically do not receive funding from the U.S. Department of Education, and therefore are not subject to FERPA.

Condition 3: State Law Does Not Allow the Covered Entity to Disclose PHI About a Child to His or Her Parent

The HIPAA Privacy Rule does not contravene state laws that expressly address the ability of parents to obtain health information about minors.

Therefore, the HIPAA Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent disclosure is prohibited under state law. If state law prohibits disclosure, HIPAA does as well.

If (and only if) all three of these conditions are met, a minor may be able to block the disclosure of PHI to parents, to the extent provided for by state law.

Do Either FERPA or HIPAA Apply to Records on Students at Health Clinics Run by Postsecondary Institutions?

FERPA recognizes two kinds of records on students at public and private postsecondary school (i.e., any education level higher than high school) campus health clinics – education records and treatment records.

Education Records

Education records are excluded from coverage under the HIPAA Privacy Rule, even if the school is a covered entity. Educational records, as defined under FERPA, mean records that are:

• Directly related to a student; and
• Maintained by an educational agency or institution by a party acting for the agency or institution

When May Education Records be Disclosed Under FERPA?

Under FERPA, covered educational agencies and institutions may not disclose the education records of eligible students, or personally identifiable information from those education records, without an eligible student’s written consent. An “eligible student” is defined as a student who is at least 18 years of age, or a student who attends a postsecondary institution at any age.

Treatment Records

FERPA treatment records are also excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA-covered entity.

“Treatment records” are excluded from the FERPA definition of “educational records.”

FERPA treatment records are:

• Records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which
• Are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional or paraprofessional capacity, or assisting in that capacity, and which
• Are made, maintained, or used only in connection with the provision of treatment to the student, and
• Are not available to anyone other than persons providing such treatment.
  • Note, though, that a student may choose to have a physician or other appropriate professional of the student’s selection review the records.

When May Treatment Records be Disclosed Under FERPA?

A student may consent to have treatment records disclosed to a third party for non-treatment reasons, Furthermore, as noted above, treatment records may be disclosed for purposes other than treatment, provided the records are disclosed under a FERPA exception to written consent. Exceptions include when the school has a legitimate educational interest in the disclosure; and when disclosure is necessary for enrollment or transfer purposes.

Can Postsecondary School Students Inspect Their Treatment Records?

Under FERPA, postsecondary educational institutions may allow an eligible student to inspect his or her treatment records. If the school chooses to do this, such records are no longer excluded from the definition of “education records.” The records become “educational records.”  When the records become educational records, the general FERPA rule against disclosure of postsecondary education record applies: Covered educational agencies and institutions may not disclose the education records of eligible students, or personally identifiable information from their education records, without the eligible student’s written consent. 

In sum, with respect to students at postsecondary schools, the HIPAA Privacy Rule generally does not provide protection from use or disclosure of medical records. FERPA, however, does provide protection to educational records of eligible students; to treatment records if a student does not consent to their disclosure and no FERPA exception applies; and to treatment records that “become” educational records upon being inspected by a student.

Read more about HIPAA and FERPA in part 1.