HIPAA vs. FERPA: What's the Difference?

HIPAA and FERPA often get confused because they are both national laws that protect private information. The main difference between them is that HIPAA protects patient information while FERPA protects student information. Although HIPAA and FERPA are stand-alone acts, they do have some points of intersection. 

What Is HIPAA? 

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that demands all organizations protect what’s considered “protected health information” (PHI) from being disclosed to unauthorized persons. Unless the state law is more stringent than federal law, HIPAA overrides state law regarding data privacy. 

The HIPAA Privacy Rule requires safeguards to protect the privacy of PHI in any medium and applies to health plans, health care clearinghouses, and health care providers. The rule also sets limits on disclosures that can be made without patient consent and gives individuals rights to examine and obtain their health records at any time. Its goal is to balance the confidentiality, integrity, and availability of private health information. 

According to The HIPAA Journal, employers most frequently run into HIPAA compliance issues due to:

• Impermissible uses and disclosures of PHI
• Lack of safeguards for (non-electronic) PHI
• Failures to provide patient access to PHI
• Lack of Administrative Safeguards for electronic PHI, and 
• Violations of the minimum necessary standard

For more information, check out our blog, “What Is HIPAA?” 

What Is FERPA? 

The Family Educational Rights and Privacy Act (FERPA) of 1974 is a federal law administered by the U.S. Department of Education that protects student privacy at any government-funded educational institution. FERPA gives parents the right to review a student's educational records and request correction of records. These rights are transferred to the student when they turn 18 or enter an educational institution beyond high school.  

FERPA also prohibits educational institutions from disclosing personally identifiable information in student records without the written consent of an eligible student (or the parents if the student is still a minor). However, there are a few exceptions to this FERPA rule. The institution can release information without consent if:  

• The request for information is coming from school officials with legitimate educational interest
• The student is transferring to the school requesting information
• The information is needed for audit or evaluation purposes
• The information is needed for financial aid purposes
• The information is being used by credible organizations to conduct studies for or on behalf of the school
• The information is needed by an accrediting organization 
• The information is needed to comply with a subpoena 
• The information is needed for a health or safety emergency 
• The information is being requested by state and local authorities, pursuant to specific State law.

How to Ensure FERPA Compliance

To ensure FERPA compliance, educational institutions should: 

• Advise students and parents annually of their FERPA rights
• Obtain signed written consent from a student/parent before any personally identifiable information is released to a third-party
• Remind students or parents of their options to restrict access to directory information 
• If any student information changes, obtain a new signed consent form 
• Regularly audit security policies and procedures
• Provide intensive FERPA training to all school staff 

Educational institutions that do not comply with FERPA may lose their federal funding, and some states allow compensation to students for FERPA violations. 

How can HIPAA and FERPA Overlap? 

When education and healthcare intersect, it can become difficult to identify what falls under HIPAA versus FERPA jurisdiction. According to the Joint Guidance document on the Application of FERPA and HIPAA to Student Health Records, in a few instances, an agency or institution can be subject to both FERPA and HIPAA. 

Let’s say an institution has its own clinic that’s also open to the public. In that case, they would be required to comply with FERPA with respect to the student patients, and with HIPAA with respect to their non-student patients. If both HIPAA and FERPA apply to your organization, patients can generally be categorized under one of the two laws. As a general rule, FERPA only applies to students.

FERPA covers student education records and student treatment or student Health Center records. Generally, university treatment records protected by FERPA are excluded from coverage under the HIPAA Privacy and Security Rules. 

Additional Resources

You can stay informed, educated, and up to date with important HR topics using BerniePortal’s comprehensive resources:

• BernieU—free online HR courses, approved for SHRM and HRCI recertification credit
• BerniePortal Blog—a one-stop shop for HR industry news
• HR Glossary—featuring the most common HR terms, acronyms, and compliance
• Resource Library—essential guides covering a comprehensive list of HR topics
• HR Party of One—our popular YouTube series and podcast, covering emerging HR trends and enduring HR topics

• Community—the HR Party of One Community forum, a place devoted to HR professionals to ask questions, learn more, and help others