Is the SBHC's medical record a FERPA record or a HIPAA record?

Generally HIPAA. Records created and maintained by the SBHC for clinical care are HIPAA-protected. Educational records held in the school's enrollment system are FERPA. The line is the originating/maintaining entity, not the location.

How does the SBHC handle a parent who demands access to their teen's confidential reproductive-health records?

If the minor consented independently to those services under applicable state law, the parent's HIPAA-personal-representative right is restricted. The NPP should describe this; the SBHC's privacy officer typically handles parent-access requests in confidential-service contexts.

Can the SBHC share information with school counselors?

Generally only the minimum necessary for school health/wellness coordination — not specific PHI without authorization. The NPP should describe what is shared with school personnel and what requires the patient's (or parent's) consent.

What about telehealth visits in the SBHC?

Telehealth visits are HIPAA-covered just like in-person care. Consent rules for minors apply identically. Record-keeping and NPP-distribution rules apply identically.

Is the SBHC subject to the school district's data-protection rules?

Often yes. SBHCs are commonly governed by school-district data-protection policies in addition to HIPAA. The NPP should describe which set of rules applies and how they interact.

Specialty Guide

NPP for School-Based Health Centers

By NPP Generator Research Team · Published Apr 25, 2026 · Last reviewed Apr 28, 2026 · 6 min read

Need to update your NPP?

Update → Generate new →

Quick answer: School-Based Health Centers (SBHCs) operate at the intersection of HIPAA and FERPA. The HIPAA NPP requirement applies to the SBHC as a covered entity. The complications are minor consent rules (which vary by state), parental access (which is partially restricted in some states for adolescent confidential services), and the FERPA boundary (which protects educational records but generally not SBHC clinical records).

School-Based Health Centers (SBHCs) are HIPAA covered entities providing primary care, mental-health, and reproductive-health services on school campuses. The NPP requirement is the same as any clinical practice, but the implementation has to handle minors, parental access rights, and a FERPA-HIPAA boundary that surfaces in surprising places.

Family resources. For HIPAA fundamentals, see ComplyCreate's What Is HIPAA?. For broader state-law context, see ComplyCreate's HIPAA vs state privacy laws guide.

FERPA vs HIPAA: the SBHC boundary

FERPA (Family Educational Rights and Privacy Act) protects educational records. HIPAA protects health records. The default rule for SBHCs:

Records created and maintained by the SBHC for clinical care are HIPAA-protected, NOT FERPA records
Records held in the school's educational system (e.g., immunization status in the school's enrollment file) are FERPA records, not HIPAA records
SBHCs that are part of school-district covered entities may have hybrid status — work with school-district counsel to define the scope of HIPAA coverage

Minor consent rules: state-specific

Most states allow minors to consent independently to certain healthcare services without parental involvement. Common services with minor-consent rights:

Reproductive health (contraception, STI testing/treatment, pregnancy)
Mental-health treatment (typically minors 13+ in many states)
Substance-use treatment
HIV testing and treatment

Parental access in mixed scenarios

Parents are HIPAA-personal-representatives for their minor children for most purposes. Exceptions:

When the minor consented independently to confidential services (per state law), the parent's representative status doesn't extend to those records
When the parent's access would harm the minor (abuse cases, etc.) — HIPAA allows the practice to restrict in these scenarios
When state law specifically prohibits disclosure to the parent

Mandatory NPP content for SBHCs

Standard HIPAA content plus SBHC-specific:

FERPA-HIPAA boundary description (which records are HIPAA, which are FERPA)
Minor-consent rules and parental-access boundaries
Reporting obligations (mandated child-abuse reporting, communicable-disease reporting)
School-district communication policies (how SBHC communicates with school personnel about a student's care — typically restricted to general health/wellness, not specific PHI without authorization)
Specific reference to applicable state law for adolescent confidential services

Distribution and acknowledgment in school settings

Some practical distinctions:

Initial enrollment: parents typically sign at SBHC enrollment, often integrated with school's annual paperwork. Provide the NPP and obtain acknowledgment from parent.
Adolescent confidential services: when a minor seeks confidential services independently, present the NPP to the minor and obtain their acknowledgment (in addition to or in lieu of parent's).
Public website: most SBHCs are part of broader provider organizations or school-district health departments. Post the NPP on that organization's public website.

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Privacy Officer drift. The named Privacy Officer leaves or moves to a different role; the NPP isn't updated.
Acknowledgment-form mismatch. The acknowledgment form references an outdated NPP version. The form should always reference the current effective date.
Multi-site inconsistency. Multi-location practices inadvertently use slightly different NPPs at different sites. Standardize on a single document.
Translation drift. Practices providing Spanish or other-language NPPs sometimes update one language and not the other. Maintain version parity.
Vendor-relationship update lag. When the practice adds or removes a major vendor relationship, the NPP isn't updated to reflect the new data flow until much later.

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Current NPP version with effective date
Sample acknowledgment forms from the past 12 months
Documentation of distribution process (front-desk procedure, telehealth workflow)
Evidence of website posting (URL of public-facing NPP page)
Evidence of physical posting (typically a photograph of the lobby posting)
Documentation of material changes and re-distribution events
Privacy Officer contact and complaint-log
Training records (HIPAA-required workforce training, plus any state-specific requirements)

Quick reference checklist

When producing or updating an NPP, work through this checklist:

Identify the legal covered entity. One NPP per legal entity. If you have multiple legal entities, you need multiple NPPs.
List all clinical locations covered by this entity, including any virtual-only telehealth presence
Confirm the Privacy Officer. Name, title, contact information. Update when this person changes.
Inventory uses and disclosures. What data flows happen in your practice? Each major flow should be reflected in the NPP's permitted-use section.
Confirm authorization-required disclosures. Marketing, sale of PHI, psychotherapy notes, and any state-specific authorization-required categories.
Verify HIPAA-required content. Header statement, all eight individual rights, entity duties, complaint procedures, breach notification rights, paper-copy availability.
Add state-law overlay. If your state has additional protection (mental health, HIV, genetic, biometric), reflect it in the NPP.
Set effective date and last-revised date. Both should be current and visible.
Distribution mechanics. First-encounter delivery, website posting, physical posting, electronic availability, multi-language versions if applicable.

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

Related: Niche specialty guides

ABA therapy Cash-pay practices Dental practices guide Dialysis centers Direct primary care Employer clinics Pediatric Rural health clinics