The following information can guide you in determining what entities—and which records—are covered by each law. Your state’s related laws may also apply. 

• Student education records or treatment records covered by FERPA are excluded from coverage under the HIPAA Privacy Rule and the HIPAA Security Rule.[1]
• The HIPAA Privacy Rule excludes from its definition of protected health information individually identifiable health information contained in an education record covered by FERPA, as well as treatment records that are excluded from the definition of education records.
• School-based health centers operated by HIPAA-covered entities other than schools, such as hospitals, clinics, or government health departments, are subject to HIPAA but not FERPA.
• HIPAA rules do not apply to student health information maintained by a school district or individual school, including a school-operated health clinic. These health records are considered education records and are covered by FERPA. For example, records maintained by a school nurse employed by or under contact to a school district are education records governed by FERPA. Parents have access to these education records and generally control third-party access to them.
• Under HIPAA, youth who can consent to their own health care under state law control access to these records by third parties, including their parents. In states where students can consent to health care services before age 18, parents have the right to access health records about their child that are maintained by the school.
• Health care providers operating in schools need to know whether FERPA or HIPAA applies to the records they maintain.

[1] Federal Register (December 28, 2000), p. 82483.