HIPAA vs FERPA: Why HIPAA Usually Doesn’t Apply to Schools or IEPs
It’s exhausting. I see this in online conversations all the time. A teacher says something about a student in the hallway. An IEP gets sent home in the wrong backpack. A school nurse shares information they shouldn’t have.
The parent comes to the message boards asking what to do. And immediately someone says: “That’s a HIPAA violation!” Except… most of the time, it isn’t.

We’ve all been trained to think of HIPAA whenever privacy is involved. We sign forms at the doctor’s office, we hear about HIPAA constantly, and it starts to feel like it applies everywhere. But HIPAA generally does not apply to schools.
When it comes to student records—including IEPs, evaluations, and most school health records—the law that usually applies is FERPA (the Family Educational Rights and Privacy Act).
Understanding the difference between HIPAA and FERPA can help parents know what their rights actually are when something goes wrong with a child’s school records.
Does HIPAA Apply to Elementary or Secondary Schools?
In most situations, HIPAA does not apply to schools. There are two main reasons for this:
1. Most schools are not HIPAA-covered entities. HIPAA mainly applies to hospitals, doctors, health insurance companies, and other healthcare providers that bill insurance electronically. Most schools do not do that.
Even though schools may employ nurses, psychologists, or other health professionals, that does not automatically make the school subject to HIPAA.
2. Student health records are usually considered education records under FERPA. When a school keeps health information about a student—such as records maintained by the school nurse or documentation related to an IEP—those records are typically considered education records under FERPA.
Because FERPA covers those records, HIPAA specifically excludes them from its rules. In other words, inside schools, FERPA generally replaces HIPAA when it comes to student records.
Why This Confuses So Many Parents
Many parents hear school staff say things like: “We can’t share that because of HIPAA.” In most K–12 situations, the privacy law that applies to student records is FERPA, not HIPAA.
That distinction matters because FERPA gives parents the right to inspect and review their child’s education records, including IEPs and many school health records.
What Is Considered an Education Record Under FERPA?
Under FERPA, an education record is any record that is directly related to a student and maintained by a school or school district.
Education records can exist in many formats, including:
- electronic files and databases
- emails
- paper documents
- reports and forms kept by school staff
If the school maintains the information and it relates to a specific student, it is usually considered an education record.
Examples of Education Records
Education records commonly include things like:
- report cards and transcripts
- standardized test scores
- attendance records
- discipline records
- evaluations and assessment reports
- teacher notes related to the student’s program
For students receiving special education services, education records also include:
- IEPs
- 504 plans
- evaluation reports and assessment data
- progress monitoring reports
- service logs
- work samples used to document progress
- emails and notes related to the student’s program
Because these are education records under FERPA, they are not governed by HIPAA.

What Is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. FERPA applies to schools that receive funding from the U.S. Department of Education, which includes almost all public schools and many private schools.
Under FERPA, schools must protect the confidentiality of student records and generally cannot release those records without parent or student consent. This law is the primary privacy law that applies to school records, including IEPs, evaluations, and many school health records.
When Can Schools Share Records Without Consent?
FERPA does allow schools to share records without consent in certain situations.
Common examples include:
- school officials with a legitimate educational interest
- a school the student is transferring to
- government officials conducting program audits or evaluations
- compliance with a subpoena or court order
- health or safety emergencies
These exceptions are one reason FERPA can sometimes feel confusing to parents.
While FERPA protects student records, it also allows schools to share information in specific circumstances defined by law.
Why FERPA Matters for IEPs and School Records
If your child has an IEP or 504 plan, nearly everything related to that program is considered an education record under FERPA.
That includes:
- IEP documents
- evaluations and assessments
- progress monitoring data
- emails or notes about the student’s program
- school health records maintained by the school
Because these are education records, they are governed by FERPA—not HIPAA.
What Rights Do Parents Have Under FERPA?
FERPA gives parents several important rights regarding their child’s education records.
Parents have the right to:
- Inspect and review their child’s education records
- Request corrections if records are inaccurate or misleading
- Control most disclosures of information from those records
When a student turns 18 or enrolls in college, these rights transfer to the student.
FERPA and College Students
This is often quite alarming to parents, but once a child is over 18 and enrolled in college, the student controls the information. Yes, even if the parent is paying the tuition! Per FERPA, a parent has no right to obtain any education records about their child without the student’s permission.
- College students must be permitted to inspect their own education records
- Once a student begins attending a college or university, the right to inspect and review the student’s record transfers from the parents to the student.
- School officials may not disclose personally identifiable information about students, nor permit inspection of their records, without written permission from the student, unless such action is covered by exceptions permitted by the Act. A notable exception is disclosing information to school officials determined by the institution to have a legitimate educational interest.
FERPA and AI: Can Teachers Use AI to Write IEPs?
With the rise of AI tools, many educators are experimenting with using AI to help draft lesson plans, reports, and even IEP language.
But this raises an important FERPA question. If a teacher enters personally identifiable student information into a public AI tool, that could potentially violate FERPA.
FERPA requires schools to protect personally identifiable information (PII) from education records. This includes things like:
- a student’s name
- disability category
- grade level or classroom placement
- specific evaluation results
- behavioral or academic details that could identify the student
If that information is entered into an AI platform that is not approved by the school district or covered under a FERPA-compliant data agreement, the school may be disclosing protected student information to a third party without parental consent.
That is where the FERPA risk comes in. Some districts are now creating policies about AI use in schools for this exact reason.
In general, educators should avoid entering identifiable student information into public AI tools unless their district has approved the platform and confirmed that it meets FERPA privacy requirements.
What Happens if FERPA is Dismantled?
This isn’t hypothetical anymore. Some lawmakers have floated the idea of gutting or replacing FERPA, either by shifting oversight to a different agency (like the FTC) or by weakening the law in the name of “streamlining education.”
What could happen?
- Less federal oversight. Without Department of Education involvement, who enforces violations? What’s the recourse?
- More data sharing. Companies and state agencies could push for access to student records for research, sales, or other purposes.
- Weaker parent rights. You might not be able to see or fix errors in your child’s records. Or even know they exist.
- No clear complaint process. Right now, you have a place to go. Without FERPA? Good luck.
If FERPA goes, so do the few protections we do have for our kids’ sensitive information, especially for kids in special ed who already face enough battles.
For IEPs, evaluations, school nurse records, and most student records, the governing law is FERPA.
That’s why pursuing a “HIPAA violation” in a school setting is usually not the correct path.
Understanding FERPA rights is typically much more important for parents navigating school records.
