“HIPAA doesn’t apply to public schools.” That statement is technically correct and dangerously misleading.

Why EdTech Leaders Can’t Ignore HIPAA

For years, the education sector has operated on the belief that FERPA (the Family Educational Rights and Privacy Act) is the only law that matters when it comes to student data. And for much of the traditional classroom environment, that’s true. But the moment health-related services intersect with educational technology, whether through telehealth platforms, mental health apps, or digital IEP tools, the ground shifts.

Suddenly, the boundary between FERPA and HIPAA isn’t just academic. It’s operational, legal, and reputational.

The Real Risk: When the Wrong Privacy Law Is Assumed

EdTech companies often design tools with one regulatory framework in mind, usually FERPA. But that assumption becomes a liability when their product touches:

  • School-based telehealth or remote counseling services

  • Behavioral health screeners administered via app

  • Third-party IEP management systems with medical components

  • Mobile health clinics operated in partnership with districts

Here’s the problem:
If the entity providing the service is not acting on behalf of the school (for example, as a designated “school official” under FERPA), then the records it creates are not “education records” and FERPA does not cover them. If that entity is a HIPAA covered entity or business associate, such as a health care provider that bills insurers electronically, HIPAA applies instead. And HIPAA comes with a completely different set of privacy, security, breach notification, and enforcement requirements.

It’s not about whether a school is public or private. It’s about who holds the data and why.

So Which Law Applies—FERPA or HIPAA?

This isn’t a simple yes-or-no; it depends on context. When in doubt?

Assume both laws could apply—and build for the stricter one.

For EdTech Companies: Ensure Compliance and Good Reputation

Too many EdTech firms stop at “we’re FERPA-compliant.” That’s not enough anymore.

Smart operators now ask:

  • Who has access to which data?

  • Is the tool ever used outside a school-controlled environment?

  • Do we trigger HIPAA requirements by hosting or transmitting medical info?

  • Are we clear with schools about what data is governed by which law?

HIPAA-related violations carry steep penalties. But the bigger risk is reputational. Parents and districts don’t care if you got the legal nuance wrong. They care that their child’s health data ended up in the wrong place.

For Schools: Governance Is Not Optional

Many school districts are caught flat-footed here. A counselor signs up for a well-meaning screening tool. A nurse partners with a local clinic. A principal approves a pilot mental health program.

Suddenly, the district is managing medical data through an EdTech platform it doesn’t fully understand, and neither party realizes HIPAA was triggered.

Districts need to:

  • Ask detailed questions about data governance in every EdTech contract

  • Understand when a “school official” designation protects them—and when it doesn’t

  • Train staff on the difference between educational and health records

For Families: You Deserve Clarity

Parents often assume schools are keeping their children’s personal data safe—and that privacy laws are being followed. But when the lines between education and healthcare blur, parents lose visibility.

You should always know:

  • Who has access to your child’s health or behavioral data

  • Whether that information is stored by the school, a third-party vendor, or a clinic

  • What your rights are under FERPA and HIPAA—and how to exercise them

Bottom Line

Privacy law in schools isn’t just about FERPA anymore.

If you’re in EdTech, you need to understand HIPAA.

If you’re in a school, you need a governance plan that matches today’s hybrid reality.

And if you're a parent, you need transparency.

Because student health privacy isn’t just a legal issue. It’s a trust issue.

Ready to Build EdTech Trust Instantly?

Want a quick-reference guide on how HIPAA and FERPA intersect? Drop us a line. Or…

If you’re tired of delays, ghosted deals, or endless redlines, and you’re ready to become the vendor districts want to say yes to, let’s talk.

📞 Book a 30-minute Trust Readiness Call

We’ll walk you through your product, pinpoint where trust is quietly breaking down, and provide a clear plan to fix it quickly.

👉 Book your call now.

Don’t leave your AI journey to chance.

At AiGg, we understand that adopting AI isn’t just about the technology; it’s about the people, the efficiencies, and the innovation. And we must innovate responsibly, ethically, and with a focus on protecting privacy. We’ve been through business transformations before and are here to guide you every step of the way.