A records question comes up at your clinic, and your first instinct is to reach for HIPAA. That's understandable. It's the privacy law everyone has heard of. But when it comes to HIPAA vs FERPA for university health clinics, the honest answer surprises a lot of administrators: for the students you treat, HIPAA usually isn't the law that governs their records at all.
That's not a technicality you can shrug off. Getting the classification wrong shapes the consent forms you use, the way you respond to a records request, and how you'd handle a breach. So let's untangle it. This article walks through which law applies to student health records, when both laws apply to the same clinic at the same time, the trap that quietly turns treatment records into education records, and what all of it means for the system you document in.
Why the HIPAA vs FERPA Question Trips Up University Clinics
Both laws exist to protect sensitive information about real people, so it feels natural that they'd overlap. But they come from two different worlds. HIPAA grew out of health care and regulates "covered entities" like providers and insurers. FERPA grew out of education and regulates schools that receive federal funding. A university training clinic sits right where those worlds meet, which is exactly why the question gets confusing.
Then there's the fame problem. HIPAA gets all the headlines, the posters in exam rooms, the training modules. FERPA is quieter. So when a health record is involved, people reach for the law they know. In education settings, that default is frequently wrong.
And guessing wrong isn't cheap. If your response plan assumes HIPAA when FERPA applies, you may already be out of compliance. Most misclassifications don't surface during a dramatic breach. They happen earlier, during system design, vendor selection, and the moment you decide how to sort your data. That quiet mistake is the one that shows up later as an improper disclosure or a failed audit.
Which Law Actually Applies to Student Health Records
Here's the core rule, stated plainly. Records that a postsecondary institution's own clinic makes and keeps on its student patients are FERPA "treatment records," and they're expressly excluded from HIPAA's definition of protected health information.1,2 The HIPAA Privacy Rule carves out education records and postsecondary treatment records on purpose, precisely because FERPA already covers them.2
So what counts as a treatment record? FERPA defines it fairly specifically. It's a record on a student who is 18 or older, or attending a postsecondary institution, that is made or maintained by a physician, psychologist, or other recognized professional (or a paraprofessional acting in that capacity) in connection with treatment, and that isn't available to anyone other than the people providing that treatment.2,4 Student clinicians documenting under a licensed supervisor fit squarely inside that definition.
Picture it in a real clinic. A speech-language pathology graduate student runs an articulation session with an assigned client at your campus speech-and-hearing clinic, then writes up the SOAP note. That note is a FERPA treatment record. It isn't HIPAA PHI, even though it reads exactly like a clinical note you'd find in any medical chart. The information is the same. The law that governs it is not.
Why does that distinction matter to you day to day? Because the student-patient's right to access those records, and the rules for disclosing them, follow FERPA's framework, not HIPAA's. If you hand a student the wrong consent form or quote them the wrong rights, the mismatch traces straight back to this classification.
When Both HIPAA and FERPA Apply at the Same Clinic
Now the part that catches even experienced directors off guard. It's not always one law or the other. A single clinic can answer to both at the same time.
Plenty of university clinics don't treat only students. They see faculty and staff, family members of students, and community clients who walk in for services, often on a sliding scale. When your institution is a HIPAA covered entity and you provide care to non-students, the health information of those non-student patients is subject to the HIPAA Privacy Rule.1,3 Meanwhile, your student patients' records stay under FERPA. So a clinic that's open to the public complies with FERPA for its student patients and with HIPAA for its non-student patients, side by side.1,2
There's a different wrinkle worth knowing too. If a health center on campus is actually operated by an outside HIPAA covered entity, say a hospital or a broader health system rather than the school itself, then those records fall under HIPAA.2 Who runs the clinic changes the answer.
The practical takeaway is simple to state and harder to execute: your documentation system has to sort records by who the patient is, not treat every chart the same way. A one-size-fits-all approach to university clinic privacy will eventually apply the wrong rule to somebody.
The Trap: When Treatment Records Become Education Records
Here's the nuance that trips up clinics that otherwise have this figured out. A treatment record stays outside HIPAA only as long as it's used for treatment. Disclose it for a purpose other than treatment, and it stops being a treatment record and becomes an "education record," which means it picks up all of FERPA's general rules, including the eligible student's right to inspect and review it.2,4
Read that again, because it matters more in a training clinic than almost anywhere else. Your whole model depends on reusing clinical work for teaching. Supervisors review student notes. Cases get discussed in seminars. Documentation becomes the raw material of grading and feedback. Every one of those is a legitimate part of educating a clinician, and every one is a moment where a treatment record could be used beyond pure treatment.
You don't have to stop teaching, obviously. But you do need to be deliberate about how and why treatment documentation gets reused, and to understand that the reuse can change which FERPA rules attach to it. Being thoughtful here is a lot cheaper than untangling it after a student files a request to see everything in their file.
What HIPAA FERPA Compliance Means for Your Documentation System
Strip away the statutory language and something reassuring emerges. Underneath the two laws sits one shared demand: access should be limited to the people actually providing treatment. FERPA's treatment-record definition builds that limit right in. HIPAA's minimum-necessary principle lands in the same place. If your system enforces tight, role-appropriate access, you're serving both masters at once.
So what does real HIPAA FERPA compliance look like in the tool you document in? A few things earn their keep:
- Role-based permissions, so students, supervisors, and administrators each see what their job requires and nothing more.
- Patient-level caseload restrictions, so a student clinician can only open the charts of the clients assigned to them.
- Multi-factor authentication and IP address restrictions, the security controls university IT departments tend to insist on before they'll approve any system.
- Completion and audit tracking, so you can actually show who accessed what and when.
Consent and disclosure workflows deserve their own attention, because they genuinely differ between the two laws. Under FERPA, disclosing a student's education records generally requires the eligible student's prior written consent unless a specific exception applies.5 That's a different posture than HIPAA's treatment, payment, and operations model. Your intake and release process should reflect which law governs the patient in front of you, not just default to one form for everybody.
This is the one place ClinicNote fits naturally into the conversation. It was built for university clinics, and it enforces caseload-level access as a matter of course, so a first-semester student clinician sees only the patients assigned to them and nothing else in the system. That's not a compliance feature bolted on afterward. It's the same access boundary FERPA and HIPAA both assume you're already drawing.
Get the Classification Right, Then Enforce It
So where does that leave you? For your student patients, FERPA almost always governs their records as treatment records. HIPAA covers your non-student patients. And a clinic that serves both answers to both, at the same time. The single most useful habit is to stop asking "is this HIPAA or FERPA" in the abstract and start asking "who is this patient, and how is this record being used." When in doubt on a specific case, your institution's counsel or privacy officer is the right call.
The deeper point is that knowing the law is only half the job. The other half is enforcing it, and that comes down to whether your documentation system actually limits access the way both laws expect.
Need a documentation system built for the university clinic reality? ClinicNote is an EMR designed for training clinics, with role-based permissions, patient-level caseload restrictions, MFA, and IP filtering that keep student, supervisor, and community records where they belong. Get a demo and see how it fits your clinic.
Sources
- https://www.hhs.gov/hipaa/for-professionals/faq/518/does-ferpa-or-hipaa-apply-to-records-on-students-at-health-clinics/index.html
- https://studentprivacy.ed.gov/resources/joint-guidance-application-ferpa-and-hipaa-student-health-records
- https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html
- https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Know%20Your%20Rights_FERPA%20Protections%20for%20Student%20Health%20Records.pdf
- https://www.exabeam.com/explainers/hipaa-compliance/hipaa-vs-ferpa-similarities-differences-and-where-they-intersect/

