HIPAA vs FERPA: Compliance for School-Based Health Centers
Quick Answer: School-based health centers (SBHCs) sit at the intersection of HIPAA and FERPA, serve minors whose consent rules vary by state, and share space and staff with schools. The key is knowing when records are HIPAA-covered versus FERPA-covered, applying state minor-consent law correctly, and running a Security Risk Analysis over the clinic’s systems.
HIPAA vs. FERPA: which rule applies
This is the defining compliance question for SBHCs. Records held by a school (including many “school nurse” records) are generally education records under FERPA, not HIPAA; HIPAA itself excludes FERPA-covered education records from the definition of protected health information (45 CFR § 160.103). A school-based health center operated by an outside provider such as an FQHC, hospital, or health department, on the other hand, typically creates HIPAA-covered treatment records. Many SBHCs hold both types, and the boundary determines which consent, access, and disclosure rules apply to a given record, so each record type should be mapped to its regime at intake rather than sorted out after a request arrives. Getting this mapping wrong is the most common SBHC compliance error.
Minors, consent, and parental access
For minors, the right to control PHI usually rests with the parent as the minor’s personal representative, but with significant exceptions. Where state law lets a minor consent to a service (commonly reproductive, mental health, or substance-use care) without parental consent, the minor is the individual for that information, and HIPAA defers to state law on whether the parent may access it (45 CFR § 164.502(g)). Where state law is silent, the provider may grant or deny parental access using licensed professional judgment. SBHCs must therefore operate against their specific state’s minor-consent statutes, not a generic rule, and the clinic’s record system needs a way to flag minor-consented services so staff do not release them by default.
Shared space, shared staff, real risk
SBHCs often share buildings, networks, and front-desk staff with the school. PHI must still be kept separate from education records and protected with access controls so that school staff cannot see clinical information in which they have no treatment role; proximity, a shared login, or a shared network segment is not a treatment relationship. In practice that means distinct accounts and roles for clinic and school users, a clinic network segment or VLAN that school devices cannot reach, and an audit trail of who accessed which clinical record. Devices and the clinic network belong in the Security Risk Analysis even when the school owns the infrastructure, and the analysis should record who administers each asset.
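The segregation rule above, together with the record mapping and the minor-consent exception from the earlier sections, can be expressed as an explicit, deny-by-default authorization check. The code below is an added illustration and is not Medcurity’s or any vendor’s product code; the record regimes, organisation labels, role names, the `minor_consented` flag, and the `state_grants_parent_access` switch are assumptions chosen for the example, and the real decision table must come from the operating provider’s policy and the applicable state statute.

```python
"""Added example (not from the original page): a deny-by-default access check
for a shared school/SBHC environment. Every name below is an assumption for
illustration; the real policy comes from the provider and state law."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Regime(Enum):
    """Which privacy regime governs a record."""
    HIPAA = "hipaa"   # treatment record created by the outside provider
    FERPA = "ferpa"   # education record held by the school


def classify(holder: str) -> Regime:
    """Map a record's holder to its regime at intake (holder labels assumed)."""
    if holder == "clinic":
        return Regime.HIPAA
    if holder == "school":
        return Regime.FERPA
    raise ValueError(f"unknown record holder: {holder}")


@dataclass(frozen=True)
class Record:
    record_id: str
    student_id: str
    regime: Regime
    # True when the minor consented to the service under state law and no
    # parental consent was required; assumed to be set at intake.
    minor_consented: bool = False


@dataclass(frozen=True)
class Requester:
    user_id: str
    org: str                                  # "school", "clinic" or "family" (assumed)
    role: str                                 # assumed role names, see checks below
    patients: FrozenSet[str] = frozenset()    # students in this clinician's care
    children: FrozenSet[str] = frozenset()    # students this parent represents


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# School roles with a legitimate educational interest in FERPA records (assumed).
SCHOOL_EDU_ROLES = {"teacher", "registrar", "school_nurse"}

# Every decision, allow or deny, is appended here so access is auditable.
AUDIT: List[dict] = []


def authorize(req: Requester, rec: Record,
              state_grants_parent_access: bool = False) -> Decision:
    """Deny-by-default check. `state_grants_parent_access` stands in for the
    state-specific rule on parental access to minor-consented services."""
    if rec.regime is Regime.HIPAA:
        if req.org == "clinic" and req.role == "clinician" and rec.student_id in req.patients:
            d = Decision(True, "treating clinician")
        elif req.org == "school":
            # A shared building, network or front desk confers no treatment role.
            d = Decision(False, "school staff have no treatment role in PHI")
        elif req.role == "parent" and rec.student_id in req.children:
            if rec.minor_consented and not state_grants_parent_access:
                d = Decision(False, "minor controls record for self-consented service")
            else:
                d = Decision(True, "parent as personal representative")
        else:
            # Includes clinic front-desk staff: minimum necessary, no clinical content.
            d = Decision(False, "no treatment relationship")
    elif rec.regime is Regime.FERPA:
        if req.org == "school" and req.role in SCHOOL_EDU_ROLES:
            d = Decision(True, "legitimate educational interest")
        elif req.role == "parent" and rec.student_id in req.children:
            d = Decision(True, "parent of student")
        else:
            d = Decision(False, "not an education-record user")
    else:
        d = Decision(False, "unclassified record")
    AUDIT.append({"user": req.user_id, "record": rec.record_id,
                  "allowed": d.allowed, "reason": d.reason})
    return d


if __name__ == "__main__":
    # Constructed sample data, not real records.
    teacher = Requester("t1", "school", "teacher")
    parent = Requester("p1", "family", "parent", children=frozenset({"s1"}))
    visit = Record("r1", "s1", classify("clinic"))
    counseling = Record("r2", "s1", classify("clinic"), minor_consented=True)
    for who, what in [(teacher, visit), (parent, visit), (parent, counseling)]:
        print(who.user_id, what.record_id, authorize(who, what))
```

The point of the structure is that the regime is attached to the record, not inferred from who happens to be asking, and that the school branch of the HIPAA check rejects before any role is considered. Replacing the `state_grants_parent_access` flag with a lookup keyed on service type and state is the natural next step for a multi-state operator.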
The Security Risk Analysis and 2026 update
Under 45 CFR § 164.308(a)(1)(ii)(A), the operating provider must run a thorough risk analysis over the SBHC’s ePHI, including systems the school owns. The proposed Security Rule update (NPRM released December 2024 and published in the Federal Register in January 2025, not yet final, with compliance expected about 240 days after a final rule is published) would make encryption of ePHI and multi-factor authentication mandatory rather than addressable, and would require a technology asset inventory and network map, vulnerability scanning at least every six months, and penetration testing at least annually. Until a final rule takes effect, the current rule’s addressable specifications still apply, but the proposed controls are a reasonable target for the remediation plan that follows the risk analysis.
How Medcurity helps school-based health centers
Medcurity provides guided, NIST-aligned Security Risk Analyses, remediation tracking, BAA management, training, and audit-ready reporting — and is widely used by the FQHCs and health systems that operate SBHCs, starting at $499/year (about $42/month). See our HIPAA compliance for FQHCs and HIPAA risk assessment guides.
Frequently Asked Questions
Are school-based health center records HIPAA or FERPA?
It depends on who holds them. Records created by an outside provider operating the SBHC are generally HIPAA-covered treatment records; records held by the school itself are usually FERPA education records. Many centers hold both and must map each record correctly.
Can parents access a minor’s SBHC records?
Usually yes, as the minor’s personal representative — but where state law allows a minor to consent to a specific service, the minor may control that information and HIPAA follows state law on parental access.
Does the school’s IT count in the clinic’s risk analysis?
Yes. Any system or device that touches the clinic’s ePHI belongs in the Security Risk Analysis, even when the school owns the network or hardware.