What is the Difference between FERPA and HIPAA?
The main difference between FERPA and HIPAA is that FERPA applies to most student health records maintained by or on behalf of an educational institution that receives federal funding, while HIPAA excludes student health records maintained by a FERPA covered organization from the definition of Protected Health Information. However, there are cases in which educational institutions may be covered by both sets of regulations.
It is important to understand the difference between FERPA and HIPAA because, although the two sets of regulations have similar objectives, the circumstances in which student health records can be disclosed without consent under FERPA are more limited than the circumstances in which Protected Health Information (PHI) can be disclosed without consent under HIPAA.
What is FERPA?
FERPA is an acronym of the Family Educational Rights and Privacy Act – a law passed in 1974 that gave “eligible students” and parents the right to access their/their children’s education records, the right to seek corrections if errors existed, and the right to have a degree of control over disclosures of Personally Identifiable Information (PII). (Eligible students are students who are 18 years of age or older, or who are enrolled in post-secondary education).
FERPA applies to any educational institution that receives federal funding. Therefore, all public schools and agencies, and many private educational institutions are covered by FERPA. The law authorizes the Department of Education to withhold funding from educational institutions that fail to comply with the right of access and correction provisions of FERPA, or that disclose PII for a purpose not permitted by the Act without the consent of the eligible student or parent.
FERPA has subsequently been revised via various updates to the General Education Provisions Act. These include revisions attributable to the Protection of Pupils Rights Amendment (1978), the Educate America Act (1994), and the No Child Left Behind Act (2001). The Department of Education also has the authority to create and amend FERPA regulations to “address issues identified through the Department’s experience in administering FERPA”.
HIPAA versus FERPA
One of the best ways to explain the difference between FERPA and HIPAA is to compare some of the terminology and requirements of HIPAA against the equivalent terminology and requirements of FERPA – where FERPA requirements exist. For example, educational institutions are not required to notify parents of data breaches under FERPA. Instead, breaches of student health records are subject to each state’s notification requirements.
HIPAA PHI versus FERPA PII
HIPAA protects the privacy of individually identifiable health information and any other information that could be used to identify the subject of the health information that is maintained in the same designated record set. Health information and identifying information maintained in the same designated record set is referred to as Protected Health Information or HIPAA PHI.
FERPA protects most education records maintained by a covered educational agency or institution or a party acting for or on behalf of the agency or institution. Exceptions to FERPA exist when a school official or teacher obtains information about a student through personal knowledge or observation until such time as the school official or teacher uses the information in a manner that produces an education record.
Educational records include grades, class lists, health records (at the K-12 level), student financial information, and student discipline files. Personally Identifiable Information (FERPA PII) maintained in educational records can be “direct identifiers” (e.g., name or student ID number) or “indirect identifiers” (any information that could be used to determine a student’s identity, such as their date of birth).
Individuals’ Right to Access and Correct Information
Both HIPAA and FERPA give individuals rights to access and correct information. In both sets of regulations, parents have the right to access and correct their child’s information until the child turns 18 years of age, is emancipated (HIPAA), or enrolls in post-secondary education (FERPA). However, whereas HIPAA only requires individuals to be informed of their rights “on first encounter”, parents and eligible students must be notified annually of their FERPA rights.
With regards to the rights to request privacy protections, HIPAA (45 CFR §164.522) requires covered entities to agree to requests provided disclosures are not required for treatment, payment, or healthcare operations, or required by law. By comparison, FERPA requires covered entities to notify parents and eligible students of certain types of surveys, physical exams, and marketing activities in which PII may be disclosed, and give them the opportunity to opt out.
Both sets of regulations also have “Accounting of Disclosure” requirements. However, whereas HIPAA excludes disclosures of PHI for treatment, payment, and healthcare operations purposes from the requirements, FERPA (34 CFR §99.32) only excludes disclosures to parents, school officials, and other third parties when prior consent has been provided. Note: Different requirements apply for students covered by the Individuals with Disabilities Education Act.
HIPAA versus FERPA Permitted Uses and Disclosures
HIPAA and FERPA protect information by limiting uses and disclosures of information without consent to those which are required and permitted. Required disclosures are those to the individual or their personal representative (e.g., parent), and those to the agency responsible for enforcing the regulations. Permitted disclosures under HIPAA are covered in 45 CFR §164.506 and 45 CFR §164.512. Permitted disclosures under FERPA are covered in 34 CFR §99.31.
The difference between FERPA and HIPAA with regards to permitted uses and disclosures is significant. Whereas HIPAA permits a wide range of uses and disclosures (e.g., for employers to comply with OSHA recordkeeping requirements, to avert perceived threats to health or safety, to support HIPAA training, etc.), permitted uses and disclosures of PII under FERPA are limited to:
- Disclosures to school officials when a legitimate educational reason exists.
- Disclosures to third parties providing a service on behalf of the educational institution.
- Disclosures to officials of another school at which a student intends to enroll.
- Disclosures in connection with the provision of financial aid for the student.
- Disclosures to accrediting organizations to carry out accrediting functions.
- Disclosures required by law or in response to a court order or subpoena.
- Disclosures in connection with a health and safety emergency.
- In some circumstances, disclosing the outcomes of disciplinary hearings.
Unlike HIPAA, which allows business associates to redisclose PHI to subcontractors provided the disclosure is covered by a Business Associate Agreement, redisclosures by third parties and school or state officials under FERPA are event-specific. In some cases, the redisclosure of PII must be consented to by the subject of the PII or their personal representative. In other cases, it may be necessary to obtain assurances that PII will not be redisclosed.
The Difference Between FERPA and HIPAA Enforcement
The difference between FERPA and HIPAA enforcement is that the Department of Education only finds out about violations of FERPA when a complaint is received by its Student Privacy Policy Office (SPPO). Complaints are most often made by a parent who has been denied their access rights or whose child’s PII has been disclosed without consent. In most cases, complaints are resolved voluntarily as soon as the SPPO gets involved.
If a complaint is not resolved voluntarily, the SPPO has a number of enforcement options at its disposal. These include requiring the educational institution to take corrective action via a court injunction or a cease and desist order. It can withhold funding from an educational institution or terminate its eligibility from future programs. If an impermissible disclosure was due to a third party’s non-compliance, the SPPO can prohibit the third party from providing a service to educational institutions for five years.
By comparison, HHS’ Office for Civil Rights is alerted to HIPAA privacy violations via its Complaint Portal and the HIPAA breach notification requirements. Thereafter, it has the options to resolve complaints and the causes of data breaches via voluntary compliance, technical assistance, or a corrective action plan. The agency also has the authority to issue civil monetary penalties and escalate criminal violations of HIPAA to the Department of Justice.
Some Organizations May be Covered by Both Sets of Regulations
Because the Privacy Rule excludes student health records covered by FERPA from its definition of Protected Health Information, educational institutions in receipt of federal funding generally do not qualify as HIPAA covered entities – even if they employ healthcare professionals and/or have their own medical facilities. However, there are exceptions to this generalization, due to which some organizations may be covered by both sets of regulations.
The first exception is when a school qualifies as a HIPAA covered entity because it conducts transactions electronically for which HHS has adopted standards. In this case, although the HIPAA Privacy Rule does not apply (because the organization has no PHI to protect), educational institutions are required to comply with the Transactions and Code Sets Rules in Part 162 of the HIPAA Administrative Simplification Regulations.
The second exception is when a school provides healthcare services to students and members of the public. In this case, the educational institution operates as a “hybrid entity” and is required to comply with FERPA with regards to students’ health records and to comply with HIPAA with regards to the PHI of members of the public. Organizations that are uncertain about their HIPAA versus FERPA status, or that require more information about the difference between FERPA and HIPAA, are advised to seek independent compliance advice.