Breaking News
More () »

No, school districts generally are not subject to HIPAA rules

A group claims a school district’s handling of students’ vaccination records violates HIPAA. But the health privacy law generally doesn’t apply to school districts.

Some school districts are starting to mandate students get vaccinated against COVID-19 to attend in-person classes.

One group opposed to a vaccine mandate by the San Diego Unified School District posted a picture on Instagram, claiming the district is using syringe icons next to students’ names to track vaccination status. The post has almost 2,000 likes.

The group claims the system violates their rights under the Health Insurance Portability and Accountability Act of 1996 – better known as HIPAA.


Are school districts generally subject to HIPAA rules?



This is false.

No, school districts generally are not subject to HIPAA rules.


HIPAA is a federal law that protects people’s sensitive health information from being shared without their knowledge, according to the Department of Health and Human Services (HHS) and Centers for Disease Control and Prevention (CDC). “Individually identifiable health information” related to a person’s past, present or future is protected under HIPAA, the HHS says.

The part of HIPAA that sets standards for sharing medical records is called the privacy rule.

The privacy rule applies to three groups that are known as covered entities, according to the HHS. One group is health care providers, such as doctors, clinics and dentists. Health plans, including health insurance companies and government programs such as Medicare and Medicaid, are the second group of covered entities. The third group is health care clearinghouses like billing companies.

HHS says the privacy rule also applies to business associates, essentially a person or group that uses protected health information as part of a service it provides to a covered entity.

Because school districts generally are not covered entities, HIPAA’s privacy rule does not apply to them. And typically, when school districts are considered a covered entity, the HHS says student health records are considered “education records” under the Family Educational Rights and Privacy Act, also known as FERPA, “and, thus, not ‘protected health information’ under HIPAA.”

An exception would be when schools are not subject to FERPA, which can be the case for private schools that don’t receive money from the U.S. Department of Education, but are considered a covered entity under HIPAA.

“For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients,” the HHS explains.

Schools are also subject to state and local privacy laws regarding the sharing of student health records. But, generally, school districts are not subject to HIPAA.

More from VERIFY: No, most businesses won’t violate HIPAA by asking customers if they’ve been vaccinated

The VERIFY team works to separate fact from fiction so that you can understand what is true and false. Please consider subscribing to our daily newsletter, text alerts and our YouTube channel. You can also follow us on Snapchat, Twitter, Instagram, Facebook and TikTok. Learn More »

Follow Us

Want something VERIFIED?

Text: 202-410-8808

Before You Leave, Check This Out