
An excerpt from Complying with HIPAA: A Guide for the University and Its Counsel notes, “Colleges and universities that provide health care or offer employee health benefits have undoubtedly spent a great deal of time and resources trying to understand and comply with their new responsibilities and obligations under privacy regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”
“Although the privacy regulations were introduced as somewhat of a Congressional afterthought, they will have an impact on the way covered health care providers and benefit plans at universities conduct business.”
HIPAA applies to universities when they function as covered entities or hybrid entities under the Privacy Rule. Universities become subject to HIPAA if they operate healthcare components such as hospitals, health clinics, or health plans that electronically transmit protected health information (PHI).
A university with an academic medical center that bills insurance electronically is a covered entity. However, universities can designate themselves as hybrid entities, limiting HIPAA compliance to specific healthcare components (e.g., a hospital) while excluding non-health-related departments like academic divisions.
Research activities involving PHI also trigger HIPAA requirements if conducted within the healthcare component or using PHI from covered entities. In contrast, student health records maintained for educational purposes fall under FERPA, not HIPAA, unless the healthcare provider operates as a separate covered entity.
When are universities considered covered entities under HIPAA?
Universities are classified as covered entities under HIPAA if they:
- Operate a health plan (e.g., student health insurance programs).
- Provide healthcare services through components like hospitals or clinics that conduct electronic transactions (e.g., billing, lab orders).
- Function as a healthcare clearinghouse, processing health data for insurance claims.
A university may also be a hybrid entity if only specific divisions (e.g., a medical center) qualify as covered entities. Chapter 4 from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research notes, “If a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule.”
What health records are covered by FERPA instead of HIPAA?
According to a journal article published in Sage Choice on information sharing in schools during public health emergencies, “In short, when FERPA applies, HIPAA does not, but there are circumstances when school nurses may be subject to HIPAA, such as if they practice in a private school that does not receive DOE funding and when they need to interact with HIPAA covered entities.”
FERPA governs student health records maintained by educational institutions, including:
- Immunization records.
- Clinic visit notes from campus health centers.
- Disability accommodations.
- School nurse documentation.
HIPAA explicitly excludes these records if they are part of a student’s educational file, even if created by healthcare providers. A university clinic’s treatment records for non-students fall under HIPAA, while student records are FERPA-protected. Exceptions occur if the healthcare provider operates independently (e.g., a private hospital affiliated with the university), in which case HIPAA applies.
The scenarios in which HIPAA applies
The main scenarios include university-affiliated hospitals, clinics, and health insurance plans that electronically transmit PHI. For example, a university medical center that bills electronically for patient services is subject to HIPAA regulations. Research activities involving access to PHI from these healthcare components also fall under HIPAA.
In research, HIPAA governs the use and disclosure of PHI, requiring patient authorization or Institutional Review Board (IRB) waivers for recruitment, preparatory research, and data collection. Recruitment is a particularly sensitive area; HIPAA permits physicians to contact their own patients about clinical trials, but third-party researchers must obtain waivers or patient authorization before accessing PHI for recruitment purposes.
A Journal of Oncology Practice study on the applicability of HIPAA in clinical trials notes, “The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research…Alternatively, the Privacy Rule allows the physician to share ‘de-identified’ data without restriction.”
Pre-screening over the phone is possible, but generally requires a waiver to protect privacy. The consent process under HIPAA includes providing a Notice of Privacy Practices, obtaining informed consent, and securing HIPAA authorization, which can increase administrative complexity and potentially hinder recruitment if not managed carefully.
How health records of non-students or staff are treated differently under HIPAA at university healthcare facilities
While student health records maintained by campus health centers or clinics are considered education records or treatment records under FERPA, and are thus explicitly excluded from HIPAA coverage, the same is not true for non-student patients such as staff, faculty, or members of the public.
An Emory Law Journal article that analyzes record security in education notes, “Although a variety of federal and state laws contain data privacy, security, and breach notification protections, most of these laws do not apply to student treatment records. As discussed in more detail below, the federal HIPAA and FERPA regimes exclude most postsecondary student treatment records from the definitions of protected health information and education records, respectively.
In addition, state medical practice acts, state facility licensing laws, state medical record privacy laws, state data security laws, state breach notification laws, and new state consumer data protection laws either do not apply to student treatment records or provide marginal (if any) protections for such records. As a result, postsecondary students have substantially inferior privacy, security, and breach notification protections compared to non-students.”
When a university healthcare facility, such as a student health center or university hospital, provides medical treatment to non-students, the health records generated in the course of treatment are not classified as education or treatment records under FERPA. Instead, they are considered PHI under HIPAA and are subject to the full scope of HIPAA’s Privacy and Security Rules.
This distinction arises because FERPA’s protections are limited to students and their educational records, which include most health records created for students in the context of their role as students. When a university health center expands its services to staff, faculty, or even community members, those records fall outside FERPA’s jurisdiction.
If the university health center or hospital qualifies as a HIPAA-covered entity, meaning it transmits health information electronically, then it must comply with HIPAA for non-student records. That compliance includes requirements for protecting PHI, providing patients with notices of privacy practices, and restricting disclosures of health information without patient authorization, except as permitted by law.
For example, if a university health clinic treats both students and staff, it must maintain separate compliance protocols. FERPA governs student records, while HIPAA governs staff records.
FAQs
Are student counseling records covered by HIPAA?
Generally, no. If the counseling services are provided through a school program and the records are maintained by the institution, FERPA governs them.
Are student immunization records protected by HIPAA or FERPA?
If submitted to and maintained by a school (e.g., for enrollment), they fall under FERPA. If created and maintained by a provider outside the school (like a pediatrician), HIPAA applies.
Can a university disclose health information to parents?
Under FERPA, schools may disclose student information to parents if the student is a dependent for tax purposes. HIPAA generally does not permit disclosures to parents without patient consent unless the patient is a minor or an exception applies.