HIPAA and FERPA are both federal laws designed to protect the privacy and security of individuals. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the healthcare industry, whereas the Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the education industry.

HIPAA provides privacy and security for protected health information (PHI). Created by the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule protects sensitive patient information by setting forth patient rights and standards for health plans, health care clearinghouses and health care providers who collect and store patient-identifiable information in electronic form. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

FERPA is in place to protect the privacy of student education records and designates rights for students and their parents. According to the Department of Education, education records include such information as academic report cards, transcripts, class schedules, disciplinary records, contact information, and family information. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

The HIPAA Privacy Rule does not typically apply to primary and secondary schools. In grades K–12, student health records are considered to be education records. This is either because student health information in education records is protected under FERPA or because the school is not a HIPAA-covered entity. FERPA also applies to most public and private postsecondary institutions and to student records at campus health clinics of these institutions. Those records are treated as either education records or treatment records under FERPA and are therefore excluded from the HIPAA Privacy Rule, even when the school is a HIPAA-covered entity.

A health plan at a higher education institution that treats nonstudents is still not considered to be bound by HIPAA unless it transmits health care information in electronic form in connection with the submission of claims for payment.

Regardless of whether HIPAA or FERPA applies, state privacy laws need to be considered as well. State laws are more specific and rarely conflict with HIPAA or FERPA. If more than one law is applicable, the more stringent one typically applies.
