Does FERPA or HIPAA apply to elementary or secondary school student health records maintained by a health care provider that is not employed by a school?

If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly.  This is the case regardless of whether the health care is provided to students on school grounds or off-site.  As education records, the information is protected under FERPA and not HIPAA. 

Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school.  In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school.  For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA.  In such situations, a school that wishes to disclose to this outside party health care provider any personally identifiable information from education records would have to comply with FERPA and obtain parental consent.  See 34 CFR § 99.30.

With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.

Created 11/25/08