HIPAA & FERPA
The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services published joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to health records maintained on students.
For colleges and universities, FERPA—not HIPAA—governs most student health records.
This is because health and counseling records maintained by a postsecondary institution for its own students are considered education records or treatment records under FERPA. The HIPAA Privacy Rule explicitly excludes education records from its definition of PHI.
When FERPA applies
Campus Health Services (CHS) or Counseling
- Records on students are FERPA education or treatment records.
- HIPAA does not apply to those student records.
- FERPA controls access, disclosure, and parental involvement.
Treatment records vs. Education records
- Treatment records: Records made or maintained by a physician, psychiatrist, psychologist, counselor or other recognized professional for the purpose of providing treatment, used only by treating providers, and disclosed only to those providers (or the student’s chosen physician for review).
- Treatment records are excluded from the general definition of education records, so they are not subject to the routine FERPA disclosures that may apply to education records (e.g., to school officials with “legitimate educational interest”). This limits who can see sensitive clinical notes.
- If used or disclosed for any other purpose (such as billing insurance), they become education records and are subject to FERPA’s consent rules.
When HIPAA applies at NAU
Non‑student patients
NAU’s HIPAA‑covered entities are called Health Care Components (HCCs) and provide care to non‑students:
- Non-students can be university staff, family members, and members of the public who obtain treatment at the university.
- These non-student health records created or maintained at a covered entity are PHI under HIPAA.
Students who are also employees
If a student works for the university and receives health care from the institution:
- Their health records remain FERPA education or treatment records, not HIPAA PHI.
- Such records would be covered as education records by FERPA and thus would not be covered by the HIPAA Rules.
Sharing Information
Under FERPA
Student treatment records may be shared with other treating professionals or, when appropriate, school officials, to coordinate the student’s care. When the university receives external health records, they become FERPA records. Please see NAU’s FERPA webpage for more guidance.
Under HIPAA
Staff and providers may disclose PHI for treatment, payment or operational purposes without a separate authorization, when a Notice of Privacy Practices has been given to the patient. Often a valid HIPAA authorization is necessary to share PHI unless a permitted exception exists.
FAQs
Q: What is the difference between education records and treatment records?
A: Education records are records directly related to a student and maintained by the university. Treatment records are records on an eligible student made or maintained by a clinician and used only for treatment, and are excluded from FERPA’s definition of education records while they remain limited to treatment use.
Q: Who can see treatment records?
A: Only the treating providers may access treatment records; an eligible student may have those records reviewed by a physician or other appropriate professional of their choice. If records are disclosed beyond treating providers for other purposes, they become FERPA education records.
Q: Does HIPAA apply to Campus Health Services or Counseling records?
A: Usually no. Student health records maintained by a university’s covered entity are governed by FERPA (or the school’s policies) rather than HIPAA; both treatment and education records at schools are generally excluded from HIPAA.
Q: When can treatment or education records be disclosed without student consent?
A: FERPA allows limited exceptions (e.g., health/safety emergencies, lawfully issued subpoenas, transfers to other schools, or disclosures to school officials with legitimate educational interest).
Q: What if I have more questions related to FERPA privacy?
A: The U.S. Department of Education administers and enforces student privacy laws such as the Family Educational Rights and Privacy Act (FERPA). Please visit NAU’s FERPA page for specific sharing and consent procedures.
