
Do School-Based OT Practitioners Follow HIPAA, FERPA, or Both?



As school-based OT practitioners, we’re trained to focus on student goals, classroom participation, and meaningful occupations. Unfortunately, federal privacy laws are often an afterthought.

While most of us learned about HIPAA in OT school and its rules about protected health information (PHI), working in schools introduces us to the lesser-known Family Educational Rights and Privacy Act (FERPA). Though they sound and seem similar, these laws serve different purposes and apply in different ways.

Understanding which privacy law we need to follow affects how we document services, share information, and even where we provide therapy.

I learned this firsthand when questioning whether or not a shared OT/SLP therapy space was legal.

What I discovered changed how I viewed privacy in schools. While HIPAA may prevent shared therapy spaces, FERPA does not. And as it turns out, most school-based OT practitioners are governed by FERPA, not HIPAA.

So, let's explore the key differences between HIPAA and FERPA and get an idea of which one applies to school-based OT practice.


What’s the Difference Between HIPAA and FERPA in School-Based OT?

HIPAA in a Nutshell

HIPAA (Health Insurance Portability and Accountability Act) safeguards protected health information (PHI) held by "covered entities," like healthcare providers and insurance companies.

HIPAA:

  • Applies to clinics, hospitals, and medical providers who bill electronically for health services

  • Requires safeguards for PHI and limits on information sharing

  • Does not apply to education records protected by FERPA. (This is possibly the most important line in this article. Keep reading for more details.)


FERPA in a Nutshell

FERPA (Family Educational Rights and Privacy Act) protects the privacy of student education records in schools that receive federal funding. That includes your session notes, evaluations, and progress logs if they are maintained by or for the school.

At a high level, FERPA:

  • Applies to public schools AND private institutions receiving federal funds

  • Grants parents (and eligible students) rights over access, amendment, and disclosure of educational records

  • Protects students’ PII (Personally Identifiable Information), which refers to information in educational records that can identify a student, such as name, student ID, disability status, or educational performance.

  • Covers OT documentation if it's part of the student's educational file


In schools, FERPA protects PII in education records, even if that information overlaps with what would be considered PHI in a clinical setting. That means your therapy notes, student emails, and progress logs aren’t PHI. Instead, they’re PII, and FERPA is what governs them.

According to Joint Guidance from the U.S. Departments of Education and Health and Human Services (2019), when a school receives federal funds and maintains student records, those records are considered FERPA-protected education records, even if they contain medical information.

So, even if you bill Medicaid, as long as the documentation is kept by the school and not a private clinic, FERPA applies, not HIPAA. See page 8 in the joint guidance above if you want to see how it is noted in the official document.

Additional helpful references can be found at the end of the article.



What Is Protected under FERPA (and What’s Not)?

It’s vital to note that FERPA protects records and disclosures, not student visibility. Thus, students receiving services in school settings do not have the same level of anonymity as in a medical clinic bound by HIPAA laws.

So, what's protected then?

Protected Under FERPA:

  • OT evaluation reports and therapy notes stored in the IEP system

  • Progress monitoring logs and data sheets

  • Emails with school staff about a specific student

  • Student information discussed in an IEP meeting

  • Records used for Medicaid billing (if maintained by the school)


Not Protected (or Not a Violation):

  • A peer noticing a student walking with the OT to the therapy room

  • A bulletin board sign that says “Therapy in Progress” (without student names)

  • A student saying, “I have OT next” in front of others

  • Shared therapy rooms when conversations related to PII are kept confidential


What FERPA Violations Might Look Like

Here are some practical, real-world examples that could lead to a FERPA violation:

  • Leaving a printed report on a shared copier or a teachers’ lounge table. Although FERPA allows you to share PII with teachers, it should only be shared with teachers who have a current interest in the student’s education.

  • Sending student info through a personal email or an unsecured platform

  • Recording a therapy session and sharing it without written parental consent

  • Discussing a student's diagnosis or progress loudly in a hallway or staff meeting

  • Using a student’s full name and details in publicly visible documents or shared drives

  • Posting a picture of a student completing a therapy intervention on your Instagram, even if their face is not shown.

These examples all involve either improper disclosure or improper storage of identifiable student information. Using your personal computer for work may be the easiest way to end up with a FERPA violation.


Practical Tips to Stay FERPA-Compliant

  1. Use school-approved platforms for email, documentation, and file sharing.

  2. Avoid discussing students in public areas or with staff who aren’t part of the IEP team.

  3. Lock up physical records and password-protect digital ones (with two-factor authentication when possible).

  4. Don’t store student files in personal cloud apps (like your personal Google Drive).

  5. Use initials or pseudonyms when collecting data that might be viewed by others. (The same applies if you are putting any data into AI.)

  6. Get parent consent in writing before taking photos or videos for any reason.


Common Questions from School-Based OT Practitioners:

"Who oversees FERPA, and can schools get in trouble for violating it?"

FERPA is overseen by the U.S. Department of Education, specifically the Student Privacy Policy Office (SPPO). While families can't sue for FERPA violations, they can file a complaint. If a school is found out of compliance, the Department may require corrective action or, in rare cases, withhold funding.

Even without formal penalties, these issues can erode trust. That’s why understanding FERPA matters for school-based OT practitioners.


"What if I’m contracted through an agency, not employed by the school?"

You still must follow FERPA if you are acting on behalf of a public school. Your documentation and actions are covered by the same laws as school employees.


"Does HIPAA apply because we bill Medicaid?"

Not necessarily. According to federal guidance, FERPA supersedes HIPAA if the records are maintained by the school and used for educational purposes, even when Medicaid billing occurs.


"Can I post a faceless picture of a student on Instagram to show a cool treatment I did?"

Maybe, but proceed with caution.

Even if a student’s face isn’t shown, other elements (like unique clothing, assistive devices, or the setting) may still make the student identifiable. FERPA protects personally identifiable information in education records, including photos linked to educational services.

Unless you have written parent consent and district approval, it’s best to avoid posting any images that include students, even if their faces aren't visible. Instead, consider using a reenactment, a staged photo without students, or a graphic/illustration.

I always look at it from this perspective. If I were browsing Instagram or TikTok and found my child's OT account, I would be furious if there was a picture of my child. And as every parent knows, you can recognize your child without seeing their face.


Wrap up: It's a FERPA World

Navigating student privacy laws as a school-based OT practitioner can feel overwhelming, especially when you’re balancing your clinical background with the rules of the education system. It’s no wonder there’s so much confusion between HIPAA and FERPA: we were trained under one, but in schools we’re governed by the other.

The good news is this: you don’t need to memorize every federal statute. You just need to understand the basics:

  • FERPA protects student education records and personally identifiable information (PII).

  • HIPAA usually doesn’t apply in public schools.

  • If in doubt, always err on the side of confidentiality and check with your district.

From shared therapy spaces to documenting services, knowing when and how FERPA applies helps you to protect yourself, the child, and the district.

Plus, when someone asks whether HIPAA applies in schools, you’ll be able to answer with confidence (and maybe even share this article).

Thanks for reading through this article. I hope it helped.




References:
