Forum Guide to the Privacy of Student Information
NCES 2006-805
July 2006

Health Records: FERPA and HIPAA

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to ensure continued health insurance coverage to individuals who change jobs, and to establish standards regarding the electronic sharing of health information. For purposes of HIPAA, "covered entities" include health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions (45 CFR 160.103).

Technically, schools and school systems that provide health care services to students may qualify as "covered entities" under HIPAA. However, the final regulations for the HIPAA Privacy Rule exclude information considered "education records" under FERPA from HIPAA privacy requirements. This includes student health records and immunization records maintained by an education agency or institution, or its representative; as "education records" subject to FERPA, these files are not subject to HIPAA privacy requirements. In addition, school nurse or other health records maintained on students receiving services under the Individuals with Disabilities Education Act (IDEA) are considered "education records" and also subject to that Act's confidentiality provisions. Consequently, these records are subject to FERPA and not the HIPAA Privacy Rule.

Nevertheless, certain activities, when performed by a school, could be subject to other provisions of HIPAA that concern electronic transactions. According to the preamble to the December 2000 final rules, "the educational institution or agency that employs a school nurse is subject to our (HIPAA) regulation if the school nurse or the school engages in a HIPAA transaction." HIPAA transactions are defined in the Code of Federal Regulations (CFR) as "the transmission of information between two parties to carry out financial or administrative activities related to health care," including submitting claims. However, consent must still be secured under FERPA before the records are disclosed.

For more information on the intersection of HIPAA and FERPA, see Health and Healthcare in Schools, "The Impact of FERPA and HIPAA on Privacy Protections for Health Information at School: Questions from Readers" (2003, Volume 4, Number 4).