What is HIPAA in Education

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that protects the privacy and security of health information, though in school settings FERPA typically governs student health records rather than HIPAA.

HIPAA stands for the Health Insurance Portability and Accountability Act, a landmark federal law enacted in 1996 that establishes national standards for protecting sensitive health information (called Protected Health Information, or PHI). HIPAA is administered by the U.S. Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR).

The Core HIPAA Rules

Privacy Rule

Establishes national standards for protecting individuals' medical records and personal health information:

  • Gives patients rights over their health information (right to access, right to request corrections)
  • Sets limits on who can access and use health information without patient authorization
  • Requires covered entities to safeguard PHI

Security Rule

Establishes standards for protecting electronic Protected Health Information (ePHI):

  • Administrative safeguards (policies, training)
  • Physical safeguards (office access, workstation security)
  • Technical safeguards (encryption, access controls)

Breach Notification Rule

Requires covered entities to notify patients and HHS when unsecured PHI is breached.

Who Must Follow HIPAA?

HIPAA applies to covered entities:

  • Healthcare providers — Doctors, hospitals, clinics, pharmacies
  • Health plans — Insurance companies, HMOs, employer health plans
  • Healthcare clearinghouses — Organizations that process health data
  • Business associates — Contractors who handle PHI on behalf of covered entities

HIPAA vs. FERPA in School Settings

This is a frequent source of confusion. In K–12 schools:

  • Student health records (including nurse's records) maintained by the school are generally covered by FERPA (Family Educational Rights and Privacy Act), not HIPAA
  • A school nurse's records that are part of the education record fall under FERPA
  • However, if a school contracts with an outside healthcare provider who creates health records outside the education system, those records may be subject to HIPAA

At the college/university level, a student health center's records may be HIPAA-covered if the health center is a covered healthcare provider.

HIPAA Penalties

HIPAA violations carry significant penalties:

  • Civil penalties: $100–$50,000 per violation, up to $1.9 million per year for identical violations
  • Criminal penalties: Up to 10 years in prison for intentional violations