HIPAA vs FERPA
Two federal privacy laws. One protects health records, the other protects education records — until a student walks into a school-based health clinic and both apply at the same time. This guide breaks down every meaningful difference between HIPAA (45 CFR Parts 160 & 164) and FERPA (34 CFR Part 99), with a focus on the overlap scenarios that cause the most confusion. Updated March 2026.
HIPAA (1996): Health Insurance Portability and Accountability Act
- Protects: Protected Health Information (PHI)
- Applies To: Covered entities & business associates
- Enforced By: HHS Office for Civil Rights (OCR)

FERPA (1974): Family Educational Rights and Privacy Act
- Protects: Education records (including health records)
- Applies To: Schools receiving federal funding
- Enforced By: U.S. Dept. of Education (SPPO)
Side-by-Side Comparison
The table below covers every major dimension where HIPAA and FERPA diverge. Use it as a quick reference when determining which law governs a specific situation.
| Dimension | HIPAA | FERPA |
|---|---|---|
| Year Enacted | 1996 | 1974 |
| Primary Statute | 42 USC §1320d et seq. | 20 USC §1232g |
| Implementing Rules | 45 CFR Parts 160 & 164 | 34 CFR Part 99 |
| What It Protects | Protected Health Information (PHI) — any individually identifiable health data | Education records — any records directly related to a student maintained by a school |
| Who It Covers | Covered entities (providers, plans, clearinghouses) and their business associates | Educational agencies and institutions that receive federal funding from the Dept. of Education |
| Consent Model | Opt-out — PHI can be used for treatment, payment, and healthcare operations without consent | Opt-in — prior written consent required for most disclosures; limited exceptions |
| Enforcement Agency | HHS Office for Civil Rights (OCR) | Dept. of Education Student Privacy Policy Office (SPPO) |
| Penalties | Civil fines up to $2.19M per violation category/year (2026); criminal penalties up to $250K + jail | Loss of federal funding (rarely enforced); no private right of action |
| Breach Notification | Mandatory within 60 days for 500+ records; individual notice required | No federal breach notification requirement |
| Right to Access | Patients can access PHI and request corrections; the provider must respond within 30 days | Parents (or students 18+) can inspect and request amendments to education records |
| Private Lawsuits | No private right of action (some states have parallel laws allowing suits) | No private right of action (Gonzaga University v. Doe, 2002) |
Consent Requirements
This is where HIPAA and FERPA differ most dramatically. HIPAA takes an opt-out approach where many uses are permitted without explicit authorization. HIPAA authorization forms are only required for uses beyond treatment, payment, and operations. FERPA, in contrast, defaults to requiring prior written consent before any disclosure.
Key Distinction
Under HIPAA, a provider can share PHI with another provider for treatment without patient authorization. Under FERPA, a school cannot share a student's health records with an outside provider without written parental consent (or student consent if the student is 18+).
HIPAA — Opt-Out Model
No authorization needed for these disclosures:
- Treatment, payment, and healthcare operations (TPO)
- Public health activities and disease reporting
- Judicial and administrative proceedings
- Law enforcement purposes (with limitations)
- Research with IRB-approved waiver
- Health oversight activities and audits
- Workers' compensation proceedings
FERPA — Opt-In Model
Consent not required only for these exceptions:
- Other school officials with legitimate educational interest
- Schools to which a student is transferring
- State or local educational authorities for audits
- Financial aid eligibility determination
- Organizations conducting studies for schools
- Accrediting organizations
- Health or safety emergency (strict standard)
Enforcement Mechanisms
HIPAA enforcement has real financial teeth. The HHS Office for Civil Rights actively investigates complaints and conducts audits. FERPA enforcement, by comparison, is almost entirely procedural — the primary penalty is withdrawal of federal funding, which has never been fully imposed.
- $2.19M: Max Civil Penalty, per violation category, per year (adjusted for inflation)
- $250K + 10 yrs: Criminal Penalties, for knowingly obtaining or disclosing PHI with intent to sell
- 130,000+: Enforcement Actions, complaints investigated by OCR since HIPAA took effect
HIPAA Civil Penalty Tiers (2026)
| Tier | Level of Culpability | Penalty Range |
|---|---|---|
| Tier 1 | Did not know and would not have known by exercising reasonable diligence | $145 – $73,011 |
| Tier 2 | Reasonable cause but not willful neglect | $1,461 – $73,011 |
| Tier 3 | Willful neglect, corrected within 30 days | $14,602 – $73,011 |
| Tier 4 | Willful neglect, not corrected within 30 days | $73,011 – $2,190,294 |
FERPA Enforcement Reality
The Department of Education's Student Privacy Policy Office (SPPO) processes complaints and can require corrective action, but the only statutory penalty is loss of federal funding. In practice, SPPO works with institutions to resolve violations through voluntary compliance agreements. No institution has ever lost federal funding over a FERPA violation.
This doesn't mean FERPA violations are consequence-free. State data breach laws, institutional policies, and reputational damage create meaningful accountability. And some common violations in healthcare settings also trigger state-level penalties.
Where HIPAA and FERPA Overlap
The most confusing compliance scenarios arise in educational settings that also deliver healthcare. The 2008 joint guidance from HHS and the Department of Education clarifies the rules, but real-world application still trips up administrators. Understanding who HIPAA actually applies to is the first step.
K-12 School Nurse Records
Governed by: FERPA
When a school employs a nurse or contracts with a health provider, the records maintained by the school are education records under FERPA — not HIPAA. The school nurse's notes, immunization records, and health screenings are all FERPA-protected.
Important: If the school bills Medicaid for health services, the billing records transmitted to Medicaid are subject to HIPAA, not FERPA.
School-Based Health Clinic (SBHC)
Governed by: Both May Apply
School-based health clinics operated by an outside entity (like a hospital system or community health center) create a dual-coverage scenario. The clinic is a HIPAA covered entity providing treatment. But the school may also maintain the student's health records as education records.
Important: Records the clinic creates for its own purposes → HIPAA. Records the clinic shares with the school that become part of the student's education record → FERPA.
University Student Health Center
Governed by: FERPA (Usually)
If the university health center provides services only to students and maintains records solely as education records, FERPA applies. The HHS/ED joint guidance confirms this applies even when the health center employs licensed physicians and nurses.
Important: If the health center also treats non-students (faculty, staff, community), it may qualify as a HIPAA covered entity. Records for student-patients remain FERPA; records for non-students fall under HIPAA.
University That Bills Insurance
Governed by: Both Apply
When a university health center bills a student's private insurance or Medicare/Medicaid, the billing transactions make the center a HIPAA covered entity. The treatment records used for billing are subject to HIPAA's transaction and code set rules.
Important: The same student's records may simultaneously be education records under FERPA. In this case, the institution must comply with both laws — applying whichever provides stronger protection for each specific use.
Decision Flowchart
Use this flowchart to determine which law applies to a specific health record. Start at the top and follow the path that matches your situation.
When both laws apply, the HHS/Department of Education joint guidance recommends applying whichever standard provides the stronger privacy protection for each specific disclosure decision. This typically means defaulting to FERPA's stricter consent requirements.
Quick Reference: Which Law Applies?
| Scenario | HIPAA | FERPA |
|---|---|---|
| Student visits the school nurse | | |
| Patient visits a hospital | | |
| School-based clinic bills Medicaid | | |
| University health center (students only) | | |
| University health center billing insurance | | |
| Private school not receiving federal funds | | |
| Student immunization records at school | | |
| Employee health plan at a university | | |
When in doubt, run through the decision flowchart above, and use our HIPAA compliance checklist to verify your organization's obligations.