Patient Privacy Rights

Protecting Americans from health data harms

Know Your Rights Summit | Videos Research | Tech Policy | Advocacy About Donate

 

Get Patient Privacy Updates    |     Report an Incident     |     Contact

Your Patient Privacy Rights in Education

Explore Your Patient Privacy Rights in Context

 

In U.S. schools and colleges, "patient privacy rights" usually come from the Family Educational Rights and Privacy Act (FERPA), disability laws (Section 504 of the American with Disabilities Act and a few special rules. HIPAA (Health Information Portability and Accountability Act) governs your personal information with your health care providers, health plans, and their business associates, but HIPAA does not apply to student health records maintained by schools.

 

  1. Your Rights to Access and Correct School Health Records

    Parents (and usually students once they become age 18) can inspect and review the student's education records, which often include school health records kept by a nurse or clinic. Schools must provide access within a reasonable time, and no later than 45 days after the request. Even after rights transfer to a student at age 18, a school may disclose records to parents without the student's consent if the student is a tax dependent under the Internal Revenue Service (IRS)' tax rules.

    You can request that the school amend records you believe are inaccurate or misleading, with a process that can include a hearing if denied.

    Under FERPA, schools must provide annual notice of FERPA rights and related policies as they will be implemented at the school so you can know what information may be shared.

    What to do: Submit a written request to the school to inspect or obtain copies of the education and health records, review them carefully for accuracy, and promptly request corrections in writing if you find errors or misleading information; keep copies of all requests and responses, and if access or amendments are denied, ask about the school's formal appeal or hearing process under FERPA. If you have an incident to report, please let us know.

     

  2. Who Can See Your Student Health Records Without Permission

    In general, schools must have your written consent before disclosing your personally identifiable information from your education records. But there are exceptions in which FERPA allows release of student information without consent including:

    • to school officials with "legitimate educational interests" (including certain contractors or consultants performing institutional services under the school's control).
    • to another school where the student seeks or intends to enroll (or is already enrolled).
    • to authorized representatives for audits or evaluations of federal, state, or local education programs, or for enforcing compliance.
    • to determine financial aid eligibility, amount, conditions, or to enforce terms of financial aid.
    • to develop, validate, or administer tests; improve instruction; etc., under required controls.
    • to carry out accrediting functions.
    • to parents of a dependent student (as defined by IRS tax dependency)
    • to courts in response to a judicial order or lawfully issued subpoena
    • to appropriate parties when necessary to protect the health or safety of the student or others (limited to a health or safety emergency).
    • to the public or schoolwide in directory information that lists students in the school, but only if the school has given public notice of what will be listed and the student has had an opt-out opportunity.
    • to state or local authorities within a juvenile justice system, as required by state law.
    • in criminal or disciplinary related matters (e.g., to an alleged victim of a crime of violence).
    • to the public, consultants, researchers or others if the school removes all personally identifying information so a student cannot reasonably be identified. (Here is an example of accurately putting names back on de-identified education records.)

    What to do: Ask the school for its annual FERPA notice and disclosure policy so you understand what information may be shared without consent; submit written instructions opting out of directory information disclosures if applicable; request a list of any third parties with whom your records have been shared; and, if you believe information was disclosed improperly or beyond what FERPA allows, document the details and file a complaint with the U.S. Department of Education's Student Privacy Policy Office. If you have an incident to report, please let us know.

     

  3. Your Privacy Rights in College Clinic and Counseling Records

    At postsecondary institutions, such as colleges, some clinic or counseling records can be "treatment records" (handled differently under FERPA while used only for treatment). Once disclosed for non-treatment purposes, the student can typically access and review those clinic/counseling records like other education records, and the records are subject to FERPA's broader consent-and-disclosure framework, including:

    • Right to inspect and review the records (the school must provide access within 45 days of the request).
    • Right to request amendment of information the student believes is inaccurate, misleading, or otherwise violates privacy (with a process/hearing if the school denies the request)
    • Right to control most disclosures of personally identifiable information from those records—i.e., the school generally needs the student's written consent unless a FERPA exception applies.
    • Right to file a FERPA complaint with the U.S. Department of Education about alleged FERPA violations.

    What to do: If you believe your clinic or counseling records at a college have been used beyond treatment—for example, shared with others or used in administrative decisions—you can request access to review them, seek correction of any errors, and require written consent for most future disclosures. Submit all requests in writing, keep a copy for your records, and if the school denies access or refuses to amend the records, ask about the appeal process and consider filing a FERPA complaint with the U.S. Department of Education. If you have an incident to report, please let us know.

     

  4. Privacy Rights When Schools Request Disability Documentation

    If a student has a disability, federal disability laws provide protections that may involve submitting limited health documentation:

    • Right to nondiscrimination and accommodations (Section 504 of the Americans with Disabilities Act): Schools receiving federal funds must not discriminate based on disability and may need to provide reasonable accommodations (often documented via a 504 plan).
    • Right to special education services (Individuals with Disabilities Education Act): Eligible students can receive special education and related services under an Individual Education Plan that outlines the student's learning goals, the special education services and supports they'll receive, and how progress will be measured.
    If the disability or need for accommodation isn't obvious, schools may ask for limited documentation to support eligibility/need—but requests should be narrowly tailored, not a demand for your entire medical history. (How this plays out is often guided by federal agency guidance and school policy.)

    What to do: If you are seeking disability-related accommodations or services, submit a written request to the school identifying the accommodation or support you need and provide only the limited documentation necessary to establish eligibility; ask the school to explain what information is required and why, keep copies of all materials and communications, and if you believe the school is requesting more health information than permitted or denying appropriate accommodations, consider using the school's appeal process or filing a complaint with the appropriate federal or state agency. If you have an incident to report, please let us know.

     

 

Staying informed about your privacy rights—and how schools may request, use, or disclose your health information—empowers you to safeguard your records, assert your access, and respond effectively if your rights are violated. To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.

 

Select another context in which to examine your patient privacy rights:

Healthcare Employment Finances Credit Reports Housing Education Insurance eHealth Internet Marketing Purchases Reputation Mental Health Addiction Children Adolescents Law Enforcement Courts Prison Genetics HIV/AIDS Abortion Domestic Violence Harassment Data Collections Medical Insurance Life Insurance Disability Insurance Long-term Care Workers' Compensation Auto Insurance

 

Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.

This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.

Join Report DONATE

PPR logo

Independent public-interest organization advancing patient privacy through research, policy, and accountability.

People

Coalition

Summit

Brandeis Privacy Award

Know your rights

FAQs

Glossary

Our Privacy Policy

Research

Legislation

Posts

Press Releases