
Superintendents’ Guide to HIPAA/FERPA

With vaccinations rolling forward (wooohooo!) and schools opening their doors (finally!) it is more important than ever for superintendents to understand HIPAA and FERPA. Schools are being used as vaccine sites for both staff and students and vaccination records are being recorded by schools and other authorities. So let’s break these HIPAA and FERPA acronyms down and clear them up.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a Federal law that came about in 1996 to address some limitations of insurance, overhaul healthcare information communications, and set standards for the protection of sensitive patient health information. The last part, in particular, led the U.S. Department of Health and Human Services to issue both a HIPAA Security Rule and a HIPAA Privacy Rule. The Security Rule sets protection standards for certain health information that is transferred or maintained in electronic form. The Privacy Rule concerns how certain health information is protected and safeguarded.

What is FERPA?

FERPA stands for the Family Educational Rights and Privacy Act. It is a Federal law that protects the privacy of students’ education records. This includes such things as report cards, transcripts, disciplinary records, family and contact information, and class schedules. It became law in 1974. It allows parents and eligible students to prevent the disclosure of personally identifiable information from their education records without consent, review and inspect student education records, and request correction of these education records. It applies to records that are maintained by a school but also to any kept by a third party on behalf of a school. All schools that receive any type of funding for any program from the Department of Education are subject to it.

What do FERPA/HIPAA mean for schools?

The short answer is that schools need to take proper steps to safeguard and protect the records of their students. Failure to do so could mean fines. And we’re not just talking little fines, we’re talking fines into the millions. Here are some questions to consider:

  • What information is appropriate for what audience? It’s OK for a teacher to recount an incident at school to a parent, but if a principal reads a report of the same incident it is not allowed because an official record is now involved. Always keep in mind who, what, and why regarding information about students, especially if any communication involves anything or anyone external. The purpose of HIPAA and FERPA is to protect against the disclosure of information beyond the need-to-know basis.
  • When should records be withheld? When should they be released? Any school records covered under FERPA are not covered by HIPAA. But this doesn’t mean schools do not need to consider HIPAA. If the school handles health plans at all or transmits healthcare information electronically, HIPAA needs to be considered. HIPAA also applies if non-school employees administer any health care at school. The FERPA rights of a student are owned by their parents or guardians until the child turns 18 or enters university. Schools need to prevent wrongful disclosure but they can’t block access to rightful parties.
  • Are the vendors used by my school reliable? Schools are responsible for what happens to data in the possession of vendors under the guidelines of HIPAA and FERPA. If any student information is misused or exposed, even accidentally, the school itself could be found at fault and end up in hot water. This means understanding the practices and safeguards of vendors is more important than ever, especially as more and more school information is being handled outside of schools.

How can you keep your school secure?

The best way to stay in line with FERPA and HIPAA mandates is to use secure paperless options for recordkeeping throughout your schools and district. Digital records have much more potential than paper for redundancies that prevent misuse, fraud, and unintended access. It’s no contest. Best practice also dictates that less is more in terms of systems. It’s better for your district to use a limited number of paperless services in order to keep the movement and ownership of information more secure and predictable.

Script can do it all for your district. All types of school records and forms go to the correct recipients and back, completely secure. Some examples are:

  • Enrollment Forms
  • School of Choice
  • First Day Packets
  • Field Trip Requests
  • Technology Use Agreements
  • Early Childhood and Special Education Consent Forms
  • Contracts, Purchase Orders
  • Recommendations
  • Health Screening

And there’s always more — districts are constantly finding new and better uses for Script. All of your paperwork, under one umbrella, more accountable and safe than ever before.


Questions? We can answer them. We want to get rid of the headaches of paperwork and compliance. We know that every day your attention and brainpower are sought by staff members, department heads, municipal officials, and above all parents, and we think that they are far better served if forms and records are as streamlined as possible.