The records created by a behavioral health provider employed by a school are usually covered under FERPA and the records created by a behavioral health provider employed by an independent health care agency are usually covered under HIPAA. However, providers should review the HIPAA FERPA Flowchart to determine which law applies to their particular circumstances. 

Once you determine if your records are subject to HIPAA or FERPA, you can review the more detailed questions below.  We start off with FERPA specific questions, including questions about educational counseling.  For the Sharing and Disclosure Questions, each question has an answer for HIPAA and FERPA.  You can just read the answer that applies to you, or you can read both and see how it affects your counterparts!  The last section covers minor consent laws and how it can interact with HIPAA and FERPA.

“Educational counseling” means specialized services provided by a school counselor possessing a valid credential with a specialization in pupil personnel services who is assigned specific times to directly counsel pupils. ^{3 Cal Educ. Code 49600(b)}

California law says that “information of a personal nature”⁵² disclosed by a student 12 and older, or the student’s parents, to a school counselor⁵³ as part of receiving “educational counseling”⁵⁴ does not become part of the pupil record, and access to that information is very limited. ⁵⁵ (See endnote for limitations.) The statute goes on to say that “[i]t is the intent of the Legislature that counselors use the privilege of confidentiality under this section to assist the pupil whenever possible to communicate more effectively with parents, school staff, and others.” Before relying on this rule, it is critical to discuss this law with school district legal counsel to understand its scope and any possible conflicts with FERPA.

Generally, records created by a school counselor are subject to FERPA, even if the records are kept in a separate file cabinet or file. Thus, while a school counselor may maintain a separate file as a means to limit accidental disclosures, the file still would be subject to FERPA in most cases. There are two types of records that are not considered part of an education record, though, and would not be subject to FERPA.

1. Records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except a temporary substitute for the maker of the record¹⁰¹; and
2. Treatment records of a student 18 and older when used only in connection with treatment and not made available to anyone other than those providing treatment. ¹⁰²

In addition, California law states that certain educational counseling records do not become part of the pupil file. (See FERPA Basics page “Do exceptions in FERPA allow educational agencies to disclose information without a release form?” and Endnotes 53 and 54.) Whether either of these two exceptions applies to exempt school counselor files from FERPA is something to address with legal counsel.

HIPAA/Confidentiality of Medical Information Act (CMIA): If a provider’s records are subject to HIPAA/CMIA, then the provider can share information pursuant to a HIPAA/CMIA-compliant signed authorization. Otherwise, there is no exception under HIPAA that would allow a provider to share protected health information with a teacher for this purpose.

FERPA: If the records are subject to FERPA, yes in several situations. The provider can release if a FERPA-compliant release form is in place. In addition, an exception in FERPA allows school staff to share information with “school officials” in the same educational agency who have a “legitimate educational interest” in the information. The term “school official” includes school staff, such as teachers, counselors, principals, and school nurses. A school or district may define this term more broadly in its school policies so that it also includes outside consultants, contractors   or volunteers to whom a school has outsourced a school function if certain conditions are met.⁷⁶ The school official must have a “legitimate educational interest” in the information. This phrase has been defined to mean that the school official needs the information to perform his or her official duties.⁷⁷ FERPA requires schools to include in their annual notices to parents a statement indicating whether the school has a policy of disclosing information from the education file to school officials, and, if so, which parties are considered school officials for this purpose and what the school considers to be a “legitimate educational interest.”⁷⁸

HIPAA/CMIA: If the records are subject to HIPAA/CMIA, they may be shared in some cases. The information may be disclosed pursuant to a valid HIPAA/CMIA-compliant written authorization. (See Requirements for Release of Information Forms) In addition, HIPAA and state medical confidentiality law permit behavioral health providers to share information related to outpatient care (except psychotherapy notes) with other health and behavioral health care professionals for purposes of treatment. The therapist has discretion to determine what disclosures are appropriate in these cases.¹⁰⁴ Providers also are allowed to disclose information to other providers absent authorization in a few other circumstances, such as in certain medical emergencies pursuant to an emergency exception (described below in “May a behavioral health provider disclose protected health information in an emergency?”). 

FERPA: If the records are subject to FERPA, they may be shared in some cases. The information may be disclosed pursuant to a valid FERPA-compliant written authorization. (See Requirements for Release of Information Forms) If there is no authorization in place, information can only be disclosed in a few limited circumstances. For example, the school could provide the health provider access to directory information about a specific student absent parent consent. What that would include will depend on how directory information has been defined by that school district in its annual notice to parents and whether parents have opted out. In addition, the school also may disclose information to the provider that is not contained in the education record, such as information from oral communications or personal observation that have not been recorded as long as the disclosure does not violate professional codes of conduct or contractual obligations.¹⁰⁶ In an emergency, the information in the education record may be disclosed to appropriate persons pursuant to the emergency exception. (For more information, see “May a behavioral health provider disclose protected health information in an emergency?”)

HIPAA/CMIA: If the records are subject to HIPAA/CMIA, they may be shared in some cases. The information may be disclosed pursuant to a valid HIPAA/CMIA-compliant written authorization. In addition, HIPAA and state medical confidentiality law permit behavioral health providers to share information related to outpatient care (except psychotherapy notes) with other health and behavioral health care professionals for purposes of treatment. The therapist has discretion to determine what disclosures are appropriate in these cases.¹⁰⁴ Providers also are allowed to disclose information to other providers absent authorization in a few other circumstances, such as in certain medical emergencies pursuant to an emergency exception (described below in “May a behavioral health provider disclose protected health information in an emergency?”). 

It is important to note that once disclosed to a school employee, if the school employee places the information in the pupil file, FERPA likely will apply when determining access to the information in the file, not HIPAA.¹⁰⁵ This means that information that was once protected under HIPAA may lose those protections once it is placed in a student’s education file.

FERPA: If the records are subject to FERPA, yes in several situations. The provider can release if a FERPA-compliant release form is in place. In addition, an exception in FERPA allows school staff to share information with “school officials” in the same educational agency who have a “legitimate educational interest” in the information. The term “school official” includes school staff, such as school employed counselors. The school official must have a “legitimate educational interest” in the information. This phrase has been defined to mean that the school official needs the information to perform his or her official duties.⁷⁷ FERPA requires schools to include in their annual notices to parents a statement indicating whether the school has a policy of disclosing information from the education file to school officials, and, if so, which parties are considered school officials for this purpose and what the school considers to be a “legitimate educational interest.”⁷⁸ In addition, FERPA authorizes disclosures to “appropriate parties” if “knowledge of the information is necessary to protect the health or safety of the student or other individuals”¹¹³ in response to a specific situation that poses an imminent danger. The release may occur “if the agency or institution determines, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals.”¹¹⁴ The school based provider will be required to protect the information subject to FERPA.¹¹⁵

HIPAA/CMIA: If the records are subject to HIPAA and CMIA, yes. HIPAA and CMIA allow a health care provider to disclose otherwise protected health information in order to avert a serious threat to health or safety. Specifically, HIPAA says that a provider may disclose information, consistent with applicable law and ethical principles, if the provider in good faith believes the disclosure:

• is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and 
• is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

There is a presumption that a provider acted in good faith in making such a disclosure if the provider’s belief is based on actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.⁷⁹ Therapists are permitted to disclose psychotherapy notes without authorization under emergency circumstances.⁸⁰

It is important also to review which California law may apply to the records in question and under what circumstances disclosure absent written authorization is allowed in an emergency under the applicable law.

Under California law, a therapist may disclose medical information as necessary to prevent or lessen a threat to the health or safety of a reasonably foreseeable victim or victims. Exactly when and to whom such information can be disclosed will depend on which California law the therapist is providing services under. For example, if the health information is subject to CMIA, the therapist may disclose information to any person reasonably able to prevent or lessen the threat, including the target of the threat.⁸¹ Therapists should consult their own legal counsel for more information and guidance on which California confidentiality law applies to their records. Providers also should consult their ethical and licensing rules for applicable guidance, such as guidance on when the Tarasoff duty to warn may apply.

FERPA: If the records are subject to FERPA, yes. FERPA authorizes disclosures to “appropriate parties” if “knowledge of the information is necessary to protect the health or safety of the student or other individuals.”⁸² This exception allows disclosure in response to a specific situation that poses an imminent danger. The release may occur “if the agency or institution determines, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals.”⁸³

“In making [this] determination”, FERPA goes on to say, “an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.”⁸⁴

Providers also should consult their ethical and licensing rules for applicable guidance, such as guidance on when the Tarasoff duty to warn may apply.

HIPAA/CMIA: If the records are subject to HIPAA and CMIA, yes. Under California’s Child Abuse and Neglect Reporting Act, mandated reporters⁸⁵ of child abuse must make a report to child protective services or law enforcement whenever they have knowledge of or observe a child in their professional capacity whom they know or reasonably suspect has been the victim of  child abuse or neglect.⁸⁶  If information protected   by HIPAA and CMIA is relevant to making that report, the information still must be disclosed to CPS or law enforcement.⁸⁷ This does not mean that the information loses its confidentiality protections. While relevant information must be disclosed to CPS or law enforcement, disclosure to anyone else or for any other reason still must comply with HIPAA and CMIA.

FERPA: If the records are subject to FERPA, yes. Under California’s Child Abuse and Neglect Reporting Act, mandated reporters⁸⁸ of child abuse must make a report to child protective services or law enforcement whenever they have knowledge of or observe a child in their professional capacity whom they know or reasonably suspect has been the victim of child abuse or neglect.⁸⁹ If information protected by FERPA is relevant to making that report, the information still must be disclosed to CPS or law enforcement. This does not mean that the information loses its confidentiality protections. While relevant information must be disclosed to CPS or law enforcement, disclosure to anyone else or for any other reason still must comply with FERPA.

HIPAA/CMIA: When information is subject to HIPAA and CMIA, parents generally have a right to inspect their minor child’s health and mental health records when the parents consented to the care.⁶⁶ However, there are exceptions. A few such exceptions are listed here:

1. Minor Consent: Certain records, such as records related to services minors consented to or could have consented to, are not automatically available to parents.⁶⁷ For example, records regarding pregnancy or birth control services provided to a minor cannot be disclosed to parents without the minor’s written authorization.⁶⁸ California Minor Consent Laws lists the rules regarding parent ability to access minor consent related health records.
2. Court Order Limiting Access:  There may be court orders in place that remove legal custody from a parent or limit the parent’s right to access their child’s health information.
3. Discretion of Provider to Withhold Information: Both HIPAA and California law give a health care professional discretion to withhold the child’s health record from the parent where the “health care provider determines that access to the patient records requested . . . would have a detrimental effect on the provider’s professional relationship with the minor patient or the minor’s physical safety or psychological well-being.”⁶⁹

Depending on the types of services provided by a clinic or provider, other laws also may apply and impact confidentiality rules. It is important to consult legal counsel regarding other applicable laws and exceptions.

FERPA: When health information is part of an education record subject to FERPA, FERPA says that parents of a student under age 18 may access their child’s education record.⁷⁰ “Parent” includes a parent, guardian or person acting in the role of parent.⁷¹ The only exception is if a court order explicitly limits a parent’s right to access the record. In California, each school district is required to have procedures in place to grant requests by parents to access student records. Schools must provide access to student records no later than five business days after the date of the request, not including some school breaks.⁷² If a school believes the release of information may put a student at risk, then the school should contact school district legal counsel for advice before any release. It is also important to remember that certain educational counseling records do not become part of an education record and are not subject to FERPA. (For more information, see “What is “educational counseling” and what confidentiality rules apply to educational counseling records?”) In these cases, parents may not be able to access certain educational counseling records.

Yes. The same consent rules apply whether the services are provided on or off campus and whether the records created are subject to HIPAA or FERPA confidentiality laws. Under California law, minors 12 and older may also consent to mental health counseling, and certain other services, in many cases. A clinic or school cannot adopt a policy that requires obtaining parent consent for these services, as such a policy would conflict with state constitutional and statutory law. (See California Minor Consent Laws).

State law requires school officials to excuse students from school to attend confidential medical appointments. Confidential appointments are appointments to receive services that minors can obtain on their own consent under state or federal law. This includes the mental health and sexual and reproductive health services described in California Minor Consent Laws. The school cannot require that the student have parent or guardian consent in order to attend the appointment and cannot notify parents or guardians when students choose to leave for an appointment during the school day.¹²⁸ For more information on confidential medical release, including implementation and documentation of absences, please see National Center for Youth Law’s “Confidential Medical Release: Frequently Asked Questions from Schools and Districts”.

If a school-based provider is subject to FERPA, the provider cannot promise that a parent will not be able to access SRH information documented in the education file. Providers subject to HIPAA and CMIA, however, must provide minor patients additional confidentiality protections. For some students, this guarantee of confidentiality is critical. These students may choose not to access needed care if confidentiality cannot be guaranteed. In these cases, the provider whose records are subject to FERPA may wish to consider referring the student to a provider operating under HIPAA, and confidential medical release is one mechanism the student can use to make such an appointment possible.