Complying With HIPAA In The World Of Education


When it comes to healthcare, it’s important as a student or parent to understand your right to privacy. 

While the Health Insurance Portability and Accountability Act (HIPAA) does not directly apply to educational institutions, there is a level of security that is covered by the Family Educational Rights and Privacy Act (FERPA).

We’ll take a look at the difference between the two acts along with how your family is protected when it comes to HIPAA-compliant data sharing in education.

What Is HIPAA?

HIPAA was originally put into law in 1996. However, several changes were made over the next two decades. Due to advances in technology, a new amendment was made to cover the transfer of digital medical records, financial data, and personal information.

Hospitals, health care providers, clearinghouses, and business associates must adhere to HIPAA policies. However, schools are not required to follow these guidelines unless they specifically have a healthcare provider who conducts transactions digitally.

For example, if an outsourced physician comes to the school to provide vaccinations but is not technically employed by the school, they would need to adhere to HIPAA as a healthcare professional.

Nurses or psychologists typically conduct matters in-house and do not make any digital data transactions, which is why the rules don’t apply. That doesn’t mean your information isn’t protected, though.

Overall, HIPAA compliance in education can be tricky, as the language is rather vague about who it covers and what constitutes a violation.


FERPA is a federal law that provides every parent the right to access their children’s educational records and covers who is allowed to access these records, along with other personally identifying data.

Parents and eligible students who aren’t minors must provide written consent if any educational or medical data is to be disclosed.

In terms of a student’s medical information, all medical and healthcare records stored by the educational institution are protected under FERPA. However, this is only if the healthcare information is listed under “educational records.” This act applies to any institutions that receive direct funding from the Department of Education.

Because private schools don’t receive this type of funding, students aren’t typically covered by FERPA. However, this means they may be covered by HIPAA if they conduct any electronic transfers. And again, each state has its own set of laws on top of HIPAA and FERPA which all educational institutions are required to abide by.

For instance, the higher education institution of Oregon State University receives government funding as it is a public institution. The state has additional laws which prohibit the release of any medical or personal information without having proper consent from the student.

Concerns With Security

With many professionals having worked from home over the last two years, there were several concerns about the lack of security measures being taken by education professionals.

Unsecured Wi-Fi connections, for example, led to ample security breaches, primarily in higher education. Now, educational institutions are focusing more of their attention on their IT departments and allocating more funds to them.

How To Maintain HIPAA Or FERPA Compliance

All educational facilities have some type of privacy standard based on federal or state law. There are several steps an institution can take to be compliant.

First, it’s important to work with a data storage company that provides proper data security for all personal identifying information, regardless of whether the details are stored or transferred. A safe platform will restrict who has access to what information, as well as perform regular audits.

It is also the institution’s responsibility to provide regular training and education on either HIPAA or FERPA compliance.
