Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Does HIPAA apply to schools?

Written by Tshedimoso Makhene | November 2, 2023

The Health Insurance Portability and Accountability Act (HIPAA) generally does not apply to schools. It primarily applies to covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, that handle protected health information (PHI) in the context of providing healthcare services. However, there are circumstances in which schools may have to consider HIPAA regulations.


Are schools covered entities?

Generally, K-12 schools are not considered covered entities under HIPAA. As the US Department of Health and Human Services (HHS) states, "In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition 'education records' under FERPA and, therefore, is not subject to the HIPAA Privacy Rule." In practice, this means that even when a school employs healthcare professionals, such as school nurses, counselors, psychologists, or athletic trainers, the health information they maintain about students is usually classified as part of the student’s education record. As a result, that information is protected under the Family Educational Rights and Privacy Act (FERPA), which governs the privacy and security of student education records, including health information contained in those records.

Schools may collect, store, maintain, and share student health information to support learning, ensure student safety, and comply with public health requirements. However, as long as the school is not engaging in HIPAA-covered electronic healthcare transactions, HIPAA regulations generally do not apply.

Related: How to know if you’re a covered entity


FERPA vs. HIPAA

FERPA applies to educational institutions that receive funding through programs administered by the U.S. Department of Education. This includes most public schools and many postsecondary institutions. Under FERPA, education records are broadly defined as "those records that are: (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution." This includes "a student’s health records, including immunization records, maintained by an educational agency or institution (such as by an elementary or secondary school nurse)," which "would generally constitute education records subject to FERPA."

When a record is considered an education record under FERPA, HIPAA explicitly does not apply, even if the information would otherwise qualify as Protected Health Information (PHI). This exclusion is intentional and designed to prevent overlapping or conflicting privacy obligations.

For example, records maintained by a school nurse related to a student’s asthma, diabetes management plan, or food allergies are considered education records under FERPA. Parents (or eligible students) have the right to access these records, request corrections, and control disclosures, subject to FERPA’s rules.


When can a school be considered a covered entity?

Some schools may employ a healthcare provider that conducts, electronically, transactions for which HHS has adopted standards. In that case, the school would be classified as a HIPAA-covered entity.

  • Student health records: While HIPAA does not typically apply to schools, when student health records maintained by a school nurse or other healthcare professionals within the school are involved in healthcare operations that fall under HIPAA's scope, they may be subject to HIPAA.
  • Hybrid entities: In some cases, a school may be considered a "hybrid entity" if it performs both covered and non-covered functions. In such cases, only the parts of the school that engage in covered functions may be subject to HIPAA, while the rest of the school would not be.

FERPA, HIPAA, and private schools

According to the HHS, "If an educational agency or institution receives Federal funds under one or more of these programs, FERPA applies to the recipient as a whole, including each of its components, such as a department within a university." Therefore, FERPA applies to public schools, but private schools are not typically covered by FERPA, as they do not receive federal funding directly from the Department of Education. If a private school is not covered by FERPA, it may or may not be covered by HIPAA, depending on whether it conducts electronic transactions for which HHS has adopted standards. If it does, it is required to comply with HIPAA; if it does not, neither HIPAA nor FERPA applies.

See also: When does HIPAA apply to universities?


HIPAA Transactions and Code Sets, and Identifier Rules

When a school hires a healthcare provider that uses electronic means to carry out covered transactions, such as electronically sending medical claims to a health plan for payment, the school becomes a covered entity under HIPAA and is required to abide by the HIPAA Transactions and Code Sets rules and the Identifier rules.


How do schools follow HIPAA regulations?

For schools or school components subject to HIPAA, compliance requires more than just understanding the law; it requires active implementation of safeguards and policies.

  • Business associate agreements: If a school, as a covered entity or hybrid entity, works with third-party service providers that handle health information on its behalf, it must have appropriate business associate agreements (BAAs) in place. These agreements define how PHI may be used and disclosed, each party's security responsibilities, and breach notification obligations. Without a BAA, the vendor relationship may itself constitute a HIPAA violation.
  • Protected health information (PHI) safeguards: Schools subject to HIPAA must implement appropriate administrative, physical, and technical safeguards to protect PHI. These include:

Even hybrid entities must ensure that HIPAA-covered components are adequately protected from unauthorized access by non-covered parts of the institution.

  • Privacy notices: Schools subject to HIPAA should provide a HIPAA compliant privacy notice to patients or students receiving healthcare services to inform them of their rights and the school's privacy practices.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a hybrid entity in the context of schools?

A hybrid entity is an organization that performs both HIPAA-covered and non-covered functions. For example, a university with a campus health clinic that bills insurance electronically may be a hybrid entity. HIPAA would apply only to the healthcare component, not the entire school.


Is email communication with parents or students subject to HIPAA?

In most school settings, email communication about student health information is governed by FERPA, not HIPAA. However, schools should still use secure communication practices to minimize privacy risks and unauthorized disclosures.


Can schools share student health information with teachers?

Yes, under FERPA, schools may share relevant health information with teachers or staff who have a legitimate educational interest, such as managing allergies, medication needs, or emergency situations. HIPAA does not restrict these disclosures in most school settings.