Does HIPAA Apply to Schools?


In most cases, the question of whether HIPAA applies to schools is answered by the definition of a HIPAA Covered Entity. A HIPAA Covered Entity is a health plan, health care clearinghouse, or healthcare provider that transmits health information electronically in connection with a transaction for which the Department of Health and Human Services has developed standards.

Therefore, even though a school may employ a nurse, a psychologist, or other healthcare provider, the school is not a HIPAA Covered Entity if neither the school nor an employee conducts covered transactions (for example, checking electronically with a health plan whether a student is eligible to receive treatment for an injury). Most schools fall into this category.

When Does HIPAA Apply to Schools?

In some cases, a school will conduct covered transactions electronically and qualify as a HIPAA Covered Entity. In such cases, the school must comply with the Administrative Requirements in respect of code sets, identifiers, and the general provisions for transactions. However, health information in these transactions is not subject to the Privacy and Security Rules.

This is because the HIPAA General Provisions (§160.103) state that individually identifiable health information maintained in educational records is excluded from the definition of Protected Health Information – provided that the educational records are covered by the Family Educational Rights and Privacy Act (FERPA).

As students' healthcare records are part of their educational records (under FERPA), the school – although it may be a Covered Entity – is not maintaining or transmitting information defined as Protected Health Information and is not required to comply with the HIPAA Privacy and Security Rules – although the privacy and security provisions of FERPA will still apply.

Does HIPAA Apply to Schools Not Covered by FERPA?

The Family Educational Rights and Privacy Act (FERPA) applies to schools that receive funding under a program administered by the Department of Education. Not all schools receive funding from the Department of Education, and there are some – mostly private or religious elementary and secondary schools – that do not qualify as FERPA-Covered Entities.



However, HIPAA only applies to schools not covered by FERPA if they qualify as HIPAA-Covered Entities as defined in the introduction to this article. Only then would the school have to comply with the HIPAA Privacy and Security Rules along with the HIPAA Administrative Requirements (because it is conducting covered transactions electronically).

The exception to when HIPAA applies to schools not covered by FERPA is when a school provides services for or on behalf of another school (or school district) that is subject to FERPA. In this scenario, the healthcare records of publicly placed students are subject to FERPA, while the healthcare records of the remaining students would be subject to HIPAA.

Other Examples of When HIPAA Applies to Schools

One example of when HIPAA applies to schools is when the school is a university hospital. Because university hospitals generally do not provide healthcare services to students on behalf of the educational institution with which they are affiliated, patient records are not considered to be educational records. Therefore – assuming the university hospital qualifies as a HIPAA Covered Entity – HIPAA applies.

The exception to this example is when a university hospital runs a student health clinic on behalf of the university. In this scenario, students' individually identifiable health information collected at the clinic would be subject to FERPA and would have to be maintained separately from any Protected Health Information maintained by the university hospital – even if the Protected Health Information relates to the same individual.

There can be other examples of when HIPAA applies to schools – but these tend to be less common and may depend on the relationship between a healthcare provider and a school. For example, immunization records may be subject to HIPAA in some circumstances, and subject to FERPA in others. School administrators unsure whether HIPAA applies to schools in a specific situation should seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.