FERPA vs HIPAA: The Difference Between the Two Privacy Acts

The Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are two federal laws for data privacy. While they both apply to different types of sensitive personal information, there are cases where they overlap.

In those overlapping cases, either HIPAA or FERPA applies to a given record; it is never both.

So, how do you find out which is the relevant law? Let’s do a quick FERPA vs HIPAA comparison and clarify.

What Is FERPA?

FERPA is a law that governs the privacy of sensitive personal and directory information contained in students’ educational records. It applies to any school, school district, or educational institution that receives federal funds from the U.S. Department of Education (DoE).

The law was passed in 1974 and states that a student’s personally identifiable information (PII) cannot be disclosed without consent. That consent comes from the parents, or from the student themselves once they are over the age of 18 or have enrolled in a college or university.

In addition to keeping the information private unless permitted by the authorized parties, the law also allows the student or their parents to request access to the records within 45 days. If they notice inaccuracies, they can request amendments.

FERPA also applies to third-party vendors that the institution might use. It’s the school’s responsibility to ensure that their contract includes a clause about protecting student records. If they haven’t done their due diligence, the school might be liable for any intentional or unintentional disclosure of personal information by the vendor.

FERPA Exemptions

There are certain exemptions, of course. For example, the directory information of a student, like their name, year of graduation, etc., doesn’t require consent to be disclosed. However, parents or students can opt out of sharing this information.

As such, they must be given the opportunity to specify whether or not they want this information to be exposed before the school can share it.

Similarly, personal information and student records may be shared with teachers and other staff within the institution if they have “legitimate educational interests” in those records.

Student records may also be shared with other schools and postsecondary institutions without consent in certain cases. However, sharing for non-educational reasons—for example, with potential employers—requires consent.

Finally, a school may share the sensitive information of a student in a medical emergency or when legally required to.

What Is HIPAA?

As the name suggests, HIPAA applies to entities that handle protected health information (PHI), such as healthcare providers (HCPs), insurance companies, and businesses that process medical information.

The Act provides guidelines on how such data should be stored and handled to protect the privacy of the patient and the security of the data. Like FERPA, it gives the eligible individuals control over information about them. They can request to view it and ask for it to be corrected if they find any mistakes. It also allows them to limit who can see that information.


HIPAA vs FERPA: What Happens if the Two Acts Intersect?

On the face of it, HIPAA and FERPA govern two very different kinds of personal records. Healthcare providers are bound by HIPAA, while education providers must abide by FERPA. However, sometimes, the two worlds can intersect.

In that case, only one of the laws would apply. There is no situation in which both would be applicable.

Any student records that are covered by FERPA are excluded from HIPAA, even if they contain medical information. That’s because even when it’s the school that provides the healthcare services, the recorded information is part of the student’s educational record.

If they bill Medicaid for the health services provided, that process of information exchange would be covered by HIPAA. But, again, the medical records would be covered under FERPA.


Information Exchange Between HIPAA and FERPA

Under HIPAA, healthcare providers can share a patient’s PHI with school nurses, physicians, or other HCPs without requiring consent from the patient or their parents.

For example, if a school nurse is responsible for administering a student’s medication, the pediatrician can discuss the healthcare requirements with the nurse without parental consent, and doing so is not a HIPAA violation.

FERPA is more restrictive about sharing private information. The school cannot share medical information contained in a student’s educational records with their physician without obtaining written consent. The only exceptions are:

  1. In an emergency, where the student’s health and safety are at risk, or,
  2. When the school’s HCP is verifying information provided by the physician, for example, a note to explain the student’s absence.

Data Privacy Management With BigID

Whether it’s FERPA or HIPAA that governs your data, compliance is made easier with BigID. Our platform helps you discover and classify all your information, ranking it by sensitivity. You get full visibility across all structured, unstructured, and semi-structured data, whether it’s in motion or storage.

The BigID platform also monitors your data quality and reduces risk with its data security posture management features. Interested in finding out how BigID enables compliant data governance, management, and security? Schedule a free 1:1 demo today!