HIPAA applies to school nurses only when the nurse is working for a HIPAA Covered Entity and the health information involved is protected health information under the HIPAA Privacy Rule. Most health records maintained by schools are outside HIPAA because they are education records or treatment records governed under education privacy requirements. A nurse employed by a public school district or private school typically documents student health information in school-maintained records that fall under the school’s education record framework rather than being protected health information. HIPAA scope depends on the entity that employs the nurse, the system in which the records are maintained, and whether the school or program qualifies as a covered entity.
School nurses working in schools that receive federal education funding usually handle student records that are treated as education records, which are not protected health information under HIPAA. This includes immunization records, medication administration records, care plans maintained by the school, injury logs, and communications maintained as part of the student record. When a record is maintained by the school, HIPAA does not control disclosure decisions for that record, even when the content resembles a medical chart. Disclosure and consent rules follow the education privacy requirements that apply to student records, along with applicable state laws and district policies.
HIPAA can apply in limited school-related arrangements. When a nurse is employed by a healthcare provider that is a HIPAA Covered Entity, and the nurse provides services in a school-based clinic or under a provider contract, the provider’s records may be protected health information when they are maintained by the covered entity and relate to healthcare services. A school-based health center operated by a covered entity can create protected health information in the covered entity’s medical record system, and HIPAA governs those records and disclosures. A school that bills electronically for healthcare services in connection with standard transactions can meet the covered entity definition for that healthcare component, which can bring HIPAA obligations for that component’s records and operations.
Compliance controls should separate school-maintained student records from covered entity medical records when both exist. Workflows should define where documentation is stored, who owns the record, what consent model applies, and how information is shared between the school and external providers. When HIPAA applies, disclosures should follow the HIPAA Privacy Rule permissions and the HIPAA Minimum Necessary Rule, and electronic systems should follow HIPAA Security Rule safeguards when electronic protected health information is involved. When HIPAA does not apply, staff should follow the applicable education privacy rules and state confidentiality laws, with written procedures to prevent improper disclosures across systems.
The Applicable HIPAA Regulatory Text for School Nurses
HIPAA applies to school nurses only when the nurse is acting on behalf of a HIPAA Covered Entity and the information meets the definition of protected health information. The definition of protected health information in 45 CFR 160.103 excludes certain school-held records and states that protected health information excludes individually identifiable health information “in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g.”
HIPAA Staff Training
HIPAA training obligations apply when a school nurse is part of a HIPAA Covered Entity workforce or supports a covered component that creates or maintains protected health information. The HIPAA Privacy Rule requires that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information.” The HIPAA Security Rule also requires a workforce program and states “Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce.”
Training content and administration should align to the workforce member’s role, the covered entity’s documented policies and procedures, and the systems used to create, access, transmit, or store electronic protected health information in school-based clinics or contracted service models. The HIPAA Journal Training is online, comprehensive, and suitable for onboarding and annual refresher training. Training selection criteria should address curriculum coverage, update recency, learner assessment, and training documentation for audit support.