To provide free, high-quality HIPAA (Health Insurance Portability and Accountability Act) security compliance resources, including templates, checklists, and documentation toolkits. We also provide step-by-step guidance for all HIPAA standards, especially in the areas of Administrative, Physical, and Technical Safeguards.

Comparison between FERPA and HIPAA Compliance

The Federal Family Educational Rights and Privacy Act ("FERPA") provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for "education records" maintained by federally funded educational agencies or institutions (either private or public) or persons acting for these agencies or institutions.

The privacy regulations under the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA privacy regulations") contain a specific exemption for "education records" covered by FERPA. In fact, the HIPAA privacy regulations specifically exclude from the definition of "protected health information" any individually identifiable health information defined under FERPA as "education records" (See 45 CFR Part 164.501). The HIPAA privacy regulations also do not apply to certain records exempt from FERPA requirements. These are records:

HIPAA requirements for covered entities who maintain protected health information

Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.

HIPAA requires covered entities to do the following:

1. Institute a required level of security for health information, including limiting disclosures of information to the minimum required for the activity;

2. Designate a privacy officer and contact person;

3. Establish privacy and disclosure policies to comply with HIPAA;

Summary of HIPAA Technical Security Services

The HIPAA Technical Security Services are summarized below:

1. Access control: Covers various types of role-, user-, and context-based access; treats encryption as optional

2. Audit controls: Mechanisms to log and record electronic activity to create audit trails

3. Authorization controls: Provide for user- and role-based access

4. Data authentication: Refers to message integrity; mentions digital signatures as a solution to maintain message integrity

Summary of HIPAA Physical Safeguards

The HIPAA Physical Safeguards are summarized below:

Security Role: Assignment of the security role to a particular organization or individual
Media controls: Protection of storage media used, for example, in backups
Physical access controls: Physical controls for access to information systems

Summary of HIPAA Administrative Procedures

The HIPAA Administrative Procedures are summarized below:

Security certification: Independent mechanisms for security compliance
Chain of trust: Agreements establishing equal security and integrity protection between trading partners
Contingency plan: Covers standard business continuity plans
Processing records mechanism: Describes how information is manipulated
Information access control: Describes access authorization, establishment, and modification
