Do educational institutions fall under the scope of entities covered by HIPAA?

May 3, 2023 | HIPAA News and Advice

No, educational institutions typically do not fall under the scope of entities covered by HIPAA. They are generally subject to the Family Educational Rights and Privacy Act (FERPA), which protects student educational records, rather than HIPAA, which primarily pertains to the privacy and security of individually identifiable health information held by healthcare providers, health plans, and certain healthcare clearinghouses. Educational institutions and healthcare organizations are two distinct sectors, each governed by its own set of regulations and standards to ensure the privacy and security of sensitive information. In the United States, HIPAA and FERPA are the two legislative frameworks that guide the protection of personal information within their respective domains.

HIPAA | FERPA
Focuses on protecting health information | Focuses on safeguarding student educational records
Applies to healthcare entities | Applies to educational institutions that receive federal funding
Includes healthcare providers, health plans, and certain clearinghouses | Covers K-12 schools and post-secondary institutions
Regulates handling of PHI | Ensures privacy of student records such as grades and transcripts
Privacy and security regulations for sensitive health data | Grants rights to parents and eligible students for record access and control
Relevant in healthcare and insurance sectors | Relevant in educational institutions at all levels
Hybrid entity status may apply in limited cases | Does not typically involve hybrid entity classification
Requires safeguards for PHI security | Requires confidentiality and controlled disclosure of student records
Compliance involves handling health-related data | Compliance involves maintaining academic record privacy
Intersection with educational records in certain cases | Focuses solely on educational records and related rights
Balancing both privacy and security aspects | Primarily addresses privacy concerns within educational contexts
Legal counsel can provide guidance on compliance | Legal expertise is valuable for navigating compliance complexities
Table: Comparison of Key Points Between HIPAA and FERPA

HIPAA, enacted in 1996, was designed to establish a framework for the protection of individually identifiable health information. Its primary aim is to regulate how healthcare providers, health plans, and healthcare clearinghouses handle patients’ sensitive health data. This includes information such as medical history, treatment plans, and billing details. HIPAA ensures that this information is kept confidential and is only disclosed to authorized individuals involved in patient care or for legitimate administrative purposes. Covered entities under HIPAA are mandated to implement various safeguards, administrative controls, and technical measures to secure protected health information from unauthorized access, use, or disclosure.

FERPA, enacted in 1974, focuses on safeguarding the privacy of student educational records. This law applies to educational institutions that receive federal funding, which includes most K-12 schools and post-secondary institutions such as colleges and universities. FERPA grants parents and eligible students (those over 18 years of age or attending a post-secondary institution) certain rights pertaining to access and control of their educational records. These rights include the ability to review their records, request amendments if they believe information is inaccurate, and control the disclosure of their records to third parties.

The distinction between HIPAA and FERPA becomes evident when considering the types of information they protect and the entities they regulate. HIPAA is concerned with medical information, including medical histories, diagnoses, lab results, and treatment plans. It applies to healthcare providers such as doctors, hospitals, and clinics, as well as health plans like insurance companies and certain healthcare clearinghouses that process claims. The entities covered by HIPAA are involved in the direct provision of healthcare services or manage health insurance claims, thereby coming into contact with sensitive health-related data. In contrast, FERPA pertains to student educational records, including information such as grades, transcripts, disciplinary records, and class schedules. It applies to educational institutions at all levels, from primary schools to universities, that receive federal funding. These institutions gather and maintain extensive records about students’ academic progress, and FERPA ensures that these records remain confidential and are only disclosed with proper consent or under specific circumstances defined by the law.

Despite the clear distinctions between HIPAA and FERPA, there might be situations where educational institutions have some intersection with healthcare-related information. For instance, school nurses and counseling services within educational institutions may deal with health-related data. In such cases, educational institutions might encounter a scenario where they need to consider both FERPA and HIPAA regulations. Educational institutions need to understand their responsibilities under FERPA and the limited instances in which they might also need to comply with HIPAA. While schools do not generally fall under the category of covered entities according to HIPAA, certain activities might bring them into contact with PHI. For example, if an educational institution provides healthcare services to its students that involve transmitting, storing, or accessing PHI, it might be considered a hybrid entity under HIPAA that may require extra staff HIPAA training.

A hybrid entity is an organization that performs functions covered by HIPAA while also conducting non-covered functions. In this case, the healthcare-related activities would be subject to HIPAA regulations, but other educational records would still fall under FERPA. As a hybrid entity, the educational institution would need to establish safeguards to segregate PHI from other student records and ensure that HIPAA requirements are met only for the relevant healthcare components.

While educational institutions generally operate under FERPA rather than HIPAA, the complexity arises when these institutions engage in healthcare-related activities. Such institutions must carefully assess their roles, activities, and the types of data they handle to determine whether they fall under HIPAA’s hybrid entity classification. This evaluation ensures that the appropriate safeguards are in place to protect both student educational records and any healthcare-related information they may encounter, maintaining compliance with both FERPA and HIPAA regulations within their respective contexts.
