FERPA, HIPAA and Student Privacy in 2025: What You Need to Know Now
It’s exhausting. This comes up so often in the group and it’s exhausting. Every few weeks, a teacher will say something, or an IEP will be mistakenly sent home with the wrong kid, and so the parent comes to the message boards and asks about it. Immediately there are cries of “That’s a HIPAA violation!”
We’ve been so brainwashed by HIPAA, signed so many forms (that we don’t even read) and been told our HIPAA rights so many times…and most don’t even know what it covers. (Hint: not schools.)
Then, last week, we were told that some crazy type of “autism registry” was going to be created, which brought up the whole HIPAA and FERPA thing again. Since I first wrote this, AI has become a thing. So, let’s get into all of it so that you know what your rights are in 2025.

So, for the last time…say it with me: HIPAA does not apply to schools. Even HHS says so on their website. HIPAA can apply to a school, but the exceptions are so few and far between, the rule to go by is “FERPA is for schools, HIPAA is for medical facilities.”
And yes, if you read this through to the end, they even address the situation if a school bills Medicaid. Still, it’s FERPA, not HIPAA.
From HHS:
Does the HIPAA Privacy Rule apply to an elementary or secondary school?
Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
- The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
- The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.
What is considered an educational record?
Education records are directly related to a student and maintained by an institution or its agent for all enrolled students, including those in elementary or high school.
- Education records may exist in any medium (e.g., electronic or digital files including email, paper documents, fax documents, oral conversations, etc.).
- Education records include such things as personal identifiers and bio-demographic data (such as SSN, date of birth, ethnicity, gender, relationship information)
- Academic records (such as test scores, GPA, graded papers, exams, transcripts, advising notes, financial aid information, etc.)
- IEPs, 504 plans and any and all case records associated with those plans, including but not limited to: teachers’ notes and emails, evaluation reports and raw data from assessments, progress monitoring reports, work samples, etc.

What is FERPA?
Here it is, all spelled out. Much of this I pulled directly from their website.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Educational institutions receiving funds under programs administered by the U.S. Secretary of Education are bound by FERPA regulations. Institutions that fail to comply with FERPA may have funds administered by the Secretary of Education withheld. See: U.S. Department of Education – FERPA.
Parents’ Rights under FERPA
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”
- Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
- Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
- Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- Other schools to which a student is transferring;
- School officials with legitimate educational interest;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Yes, FERPA has its own version of the “yeah, but” clause too.
While FERPA generally requires parental (or eligible student) consent to release education records, it also includes a list of exceptions where schools can disclose records without consent. And yes, some of those exceptions allow government access.
Here are a few examples:
- Federal and state officials can access records for audit or evaluation purposes of federally-supported education programs (34 CFR § 99.31(a)(3)).
- Law enforcement or child welfare agencies may get access under certain emergency or legal circumstances.
- Compliance with a judicial order or subpoena: yes, a school can hand over records if a court says so.
- Juvenile justice systems, under a specific state law, can access records even without parental consent.
So just like HIPAA, FERPA is not an impenetrable privacy wall. It's more like a gated community, with some gates permanently open to government entities.
FERPA and AI: Is It Legal?
Lots of folks are leaning on AI to do their work these days, and that includes writing IEPs. If you’re unfamiliar with how AI works–here’s a quick explanation. AI platforms, no matter which one you use, “scrape” the internet for information to train their AI. Anything that you put into AI becomes a part of the AI database, to further train the computers.
So let’s say a school staff person enters a student’s private, protected information into an AI platform to get help writing the IEP. Is that a violation?
Yes, it absolutely could be a FERPA violation.
If an IEP team member enters personally identifiable information (PII), like a student’s name, disability, grade, or any specific details that could reasonably identify the student, into a public AI platform like ChatGPT, that’s a serious risk under FERPA. Here’s why:
- FERPA requires written parental consent before disclosing PII from education records to third parties, unless one of the exceptions applies.
- Open AI tools like ChatGPT aren’t approved vendors under most school district data privacy agreements. They’re not part of the school’s educational team or contractually bound to follow FERPA.
- Even if the AI tool says “we don’t store this data,” using it still outsources confidential student information to a non-consenting third party, which is enough to raise red flags under FERPA.
Now, if the team member stripped all identifying details and kept it super generic (“I’m writing a math goal for a 5th grader with a learning disability...”), then maybe it’s a gray area. But honestly? Not worth the risk.
IEP teams should never enter identifiable student info into AI tools unless their district has a vetted, FERPA-compliant agreement in place.
FERPA and College Students
This is often quite alarming to parents, but once a child is over 18 and enrolled in college, the student controls the information. Yes, even if the parent is paying the tuition! Per FERPA, a parent has no rights to gather any educational records about their child without that child/student’s permission.
- College students must be permitted to inspect their own education records
- Once a student begins attending a college/university, the right to inspect and review the student’s records transfers from the parents to the college student.
- School officials may not disclose personally identifiable information about students, nor permit inspection of their records, without written permission from the student, unless such action is covered by exceptions permitted by the Act. A notable exception is disclosing information to school officials determined by the institution to have a legitimate educational interest.
Can a school print my name in a directory?
Short answer, yes! It’s not that long ago that phone books were an important part of our society. Communities published everyone’s name, address and telephone number, and then distributed that book to everyone in the community. For free!
Directory Information is specific information kept about the student that is considered public. This information may be released without the student’s written permission. Directory information includes:
- Name
- Hometown (City, State, 5 digit zip only)
- E-mail address
- Dates of attendance
- Admission or enrollment status
- Campus, school building, grade, teacher(s), college, division, major
- Grade or Class standing (freshman, sophomore, junior, senior)
- Degrees and awards
- Activities
- Athletic information
From the Dept of Ed:
Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
A student may opt to restrict the release of this directory information by contacting the school office that handles publication and distribution of said directory.
Filing a FERPA Complaint
If you’ve read through FERPA and believe there has been a violation, filing a FERPA complaint is an option for parents.
Who Oversees FERPA?
That would be the U.S. Department of Education, and more specifically the Student Privacy Policy Office (SPPO). They issue guidance, investigate complaints, and handle compliance. They’re also the ones who’d maybe show up with a clipboard and ask why an IEP got mailed to the wrong family.
But here’s the scary part...
What Happens if FERPA is Dismantled?
This isn’t hypothetical anymore. Some lawmakers have floated the idea of gutting or replacing FERPA, either by shifting oversight to a different agency (like the FTC) or by weakening the law in the name of “streamlining education.”
What could happen?
- Less federal oversight. Without DOE involvement, who enforces violations? What’s the recourse?
- More data sharing. Companies and state agencies could push for access to student records for research, sales, or other purposes.
- Weaker parent rights. You might not be able to see or fix errors in your child’s records. Or even know they exist.
- No clear complaint process. Right now, you have a place to go. Without FERPA? Good luck.
If FERPA goes, so do the few protections we do have for our kids' sensitive information, especially for kids in special ed who already face enough battles.
When HIPAA applies to Schools:
- Health care services are provided to students AND you’re filing a claim for payment electronically. In this case, the records are still education records and are not covered under the Privacy or Security Rules, but the filing of the claim must abide by the rules for Transactions and Code Sets. (in other words, they have to use correct billing codes, but you are only guaranteed privacy rights per FERPA)
- The school is private and not receiving any federal funding AND they bill electronically to be reimbursed. In this case, all the HIPAA rules apply. HIPAA does not apply if electronic billing does not take place.
- Student receives health services in a hospital affiliated with a university subject to FERPA. The hospital records would fall under HIPAA for protection and access.
- Exception: If the hospital runs a health clinic for students on behalf of the university, and there’s no filing of claims, the records would fall under “education” or “treatment records”, both covered by FERPA.
- An institution is a covered entity providing healthcare services to non-students such as staff members, spouses of students, and the public. HIPAA Privacy and Security rules apply to the protection and access of these records.
And, yes, our medical information is protected under HIPAA. However, the government can still access it. This has come up with all this chatter about a “registry” of our kids.
Yeah, HIPAA protects your medical information, sort of. What most people don’t realize is that HIPAA includes exceptions. There are several clauses that allow government agencies to access your health records without your permission. For example, under HIPAA’s "required by law" or "public health activities" exceptions, the government can access protected health information for things like law enforcement purposes, national security, or public health investigations. So while we’ve all been trained to treat HIPAA like a sacred wall of privacy, that wall has more than a few government-sized holes in it.
Look, I get it. It feels like a HIPAA thing when a school screws up. But chasing a HIPAA violation in an IEP situation? Waste. Of. Energy.
Put that energy into understanding FERPA. Use your rights under FERPA. Document your concerns. And if you're still not getting traction, file a complaint. The system isn’t perfect, but it’s what we’ve got. And until FERPA is strengthened (or, gulp, dismantled), it’s the best path forward.
To file a HIPAA complaint, you go through the U.S. Department of Health and Human Services (HHS), specifically the Office for Civil Rights (OCR).
You can file a complaint:
- Online
- By mail: U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201
- By email: OCRComplaint@hhs.gov
- By phone: 1-800-368-1019 (TDD: 1-800-537-7697)
They require the complaint to be filed within 180 days of when you knew the violation occurred, though they can extend that in special cases.
To file a FERPA complaint, you go through the U.S. Department of Education, specifically the Student Privacy Policy Office (SPPO).
Here’s how:
- By mail: Student Privacy Policy Office, U.S. Department of Education, 400 Maryland Avenue, S.W., Washington, D.C. 20202-8520
- By email: FERPA.Complaints@ed.gov
There isn’t a specific online form (because, of course not), but your written complaint must:
- Be submitted within 180 days of the violation
- Include facts that support your claim
- State clearly what right under FERPA was violated
They won’t award damages or force the school to fix itโbut schools that repeatedly and intentionally violate FERPA risk losing federal funding. Which, yeah, is rareโbut not impossible.