Tags: AI compliance, regulatory, education, FERPA

Student Health Centers, FERPA-HIPAA Boundary, and AI Tools

By Basel Ismail, May 29, 2026

University student health centers sit in one of the most genuinely confusing regulatory overlaps in U.S. data privacy law. The records they generate can be education records under FERPA, health records under HIPAA, both, or neither, depending on factors that are surprisingly granular. And now that universities are piloting AI tools for triage, mental health screening, appointment scheduling, and clinical decision support, the stakes of getting the classification wrong have gone up considerably.

Where the Boundary Actually Falls

The core issue is straightforward in principle and messy in practice. FERPA (20 U.S.C. § 1232g) governs education records, which are records directly related to a student and maintained by an educational institution. HIPAA (45 CFR Parts 160 and 164) governs protected health information (PHI) held by covered entities, primarily health care providers who transmit health information electronically in connection with standard transactions.

Here is where it gets interesting. HIPAA explicitly excludes education records covered by FERPA from its definition of PHI. See 45 CFR § 160.103. So if a student health center's records qualify as education records under FERPA, HIPAA does not apply to them. The Department of Education and HHS issued joint guidance on this back in 2008, updated in November 2019, and the upshot is:

  • If the health center is operated by the university and its records are maintained as education records, FERPA applies and HIPAA does not.
  • If the university contracts with an outside health care provider to run the health center, and that provider conducts HIPAA-covered transactions, HIPAA likely applies to those records.
  • If the health center treats non-students (community members, faculty, staff), the records for those individuals are not education records. HIPAA may apply to those records even if the same clinic's student records fall under FERPA.

This means a single health center can have two different regulatory regimes applying to records stored in the same EHR system, depending on who the patient is. If you are running compliance for a university, you already know this creates headaches. Adding AI tools makes it significantly more complex.

The Treatment Records Exception (and Why It Confuses People)

FERPA has a carve-out for "treatment records" under 34 CFR § 99.3. Records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional acting in a treatment capacity are excluded from the definition of education records, as long as they are used solely for treatment and disclosed only to individuals providing treatment. The moment those records are shared with anyone outside the treatment context, they become education records subject to FERPA.

This matters for AI tools because many of them function by aggregating, analyzing, or transmitting data across systems. A mental health screening tool that feeds results into a student's broader advising profile has arguably moved treatment records into education record territory. A clinical decision support tool that pulls data from both the counseling center and the health center and shares insights with a care coordinator who is not a treatment provider could trigger reclassification.

The 2019 joint guidance from ED and HHS does not address AI specifically, which is not surprising given the timing. But the functional test it describes, focusing on who maintains the record, for what purpose, and to whom it is disclosed, applies directly to how AI tools route and process data.

AI Tools and the Classification Problem

Consider a few scenarios that are already happening or about to happen at universities:

  • AI triage chatbots: A student interacts with a chatbot operated by the health center to describe symptoms before an appointment. The chatbot logs the interaction. Is that log a treatment record, an education record, or something else? It depends on whether the chatbot is "acting in a treatment capacity" and whether the logs are shared beyond treatment providers.
  • Predictive analytics for student retention: Some universities are using health center visit frequency (not clinical details) as a signal in retention models. Even metadata about health center visits, stripped of clinical content, could be an education record if it is maintained by the institution and directly related to the student.
  • Third-party mental health platforms: Services like Mantra Health, Uwill, or TimelyCare contract with universities to provide telehealth. If these providers conduct standard HIPAA transactions, their records may fall under HIPAA rather than FERPA, even though the students access them through university portals.
  • Clinical decision support: An AI tool that recommends treatment protocols based on a student's health history needs to pull from existing records. If it is operated by a FERPA-covered entity, the inputs and outputs are likely education records. If it is operated by a HIPAA-covered contractor, different rules apply to consent, breach notification, and minimum necessary standards.

The practical problem is that many AI vendors do not understand this boundary and build their products assuming a uniform HIPAA framework. Universities that deploy these tools without mapping the regulatory classification of every data flow are taking on real risk.

Enforcement and Consequences

FERPA enforcement has historically been less aggressive than HIPAA enforcement, relying primarily on the threat of losing federal funding rather than per-incident fines. But the Department of Education's Student Privacy Policy Office (SPPO) has been increasingly active, and a FERPA violation at a university health center could jeopardize Title IV funding, which for most institutions is existential.

On the HIPAA side, the Office for Civil Rights (OCR) has shown willingness to pursue cases involving improper disclosures through technology. The 2022 OCR bulletin on tracking technologies in healthcare, which addressed pixels, cookies, and similar tools on hospital websites, signaled that OCR is paying attention to how digital tools handle PHI. Universities operating health centers that fall under HIPAA should assume the same scrutiny applies.

There is also a state law layer. California's CCPA/CPRA, Illinois's BIPA, and state student privacy laws like New York Education Law § 2-d can add requirements on top of FERPA and HIPAA, particularly when AI tools involve biometric data or behavioral profiling.

What Compliance Teams Should Be Doing

If you are responsible for compliance at a university deploying AI tools in or near student health services, a few things are worth prioritizing:

  • Map every data flow. For each AI tool, document what data it ingests, where it stores outputs, and who can access results. Classify each flow as FERPA, HIPAA, both (for dual-regime clinics), or state law.
  • Audit vendor assumptions. Ask AI vendors explicitly whether their product was designed for FERPA compliance, HIPAA compliance, or both. Many will say "HIPAA compliant" and assume that covers everything. It does not.
  • Watch the treatment records boundary. Any AI tool that causes treatment records to be shared outside the treatment context reclassifies those records. Build technical controls that prevent inadvertent disclosure.
  • Revisit BAAs and data sharing agreements. If a vendor is a HIPAA business associate for non-student records but handles FERPA-covered student records through the same system, your agreements need to address both frameworks explicitly.
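The classification rules this post lays out, written as a small policy-as-code check that a compliance team could run over a data-flow inventory. This is an added example, not FirmAdapt's product code and not part of the ED/HHS guidance; the flow fields, the assumed set of treatment roles, and the "review" bucket for non-student records at a university-run clinic are simplifying assumptions.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Regime(Enum):
    FERPA = "FERPA education record"
    HIPAA = "HIPAA protected health information"
    TREATMENT = "FERPA treatment record (excluded from education records)"
    REVIEW = "not an education record; HIPAA status depends on the provider"

@dataclass(frozen=True)
class DataFlow:
    """One AI-tool data flow. Field names are assumptions for this example."""
    patient_is_student: bool
    operated_by_university: bool            # False = outside contractor runs the clinic
    provider_does_hipaa_transactions: bool  # standard electronic transactions
    made_by_treating_professional: bool
    recipients: frozenset                   # roles that can see the tool's output

# Roles counted as "individuals providing treatment" (assumed set for this example).
TREATMENT_ROLES = frozenset({"physician", "psychiatrist", "psychologist", "counselor"})

def classify(flow: DataFlow) -> Regime:
    """Functional test: who the patient is, who maintains the record, who receives it."""
    if not flow.patient_is_student:
        # Never an education record; HIPAA applies if the provider is a covered entity.
        return Regime.HIPAA if flow.provider_does_hipaa_transactions else Regime.REVIEW
    if not flow.operated_by_university and flow.provider_does_hipaa_transactions:
        return Regime.HIPAA          # outside provider running HIPAA-covered transactions
    if flow.made_by_treating_professional and flow.recipients <= TREATMENT_ROLES:
        return Regime.TREATMENT      # stays inside the 34 CFR 99.3 carve-out
    return Regime.FERPA              # maintained by the university, related to the student

def reclassifies_on_disclosure(flow: DataFlow, new_recipient: str) -> bool:
    """True if adding new_recipient moves a treatment record into FERPA territory."""
    widened = replace(flow, recipients=flow.recipients | {new_recipient})
    return classify(flow) is Regime.TREATMENT and classify(widened) is not Regime.TREATMENT

# Constructed sample flows mirroring the scenarios in the post.
SAMPLE_FLOWS = {
    "screening_note": DataFlow(True, True, False, True, frozenset({"psychologist"})),
    "retention_signal": DataFlow(True, True, False, False, frozenset({"retention_analyst"})),
    "telehealth_vendor": DataFlow(True, False, True, True, frozenset({"physician"})),
    "faculty_visit": DataFlow(False, True, False, True, frozenset({"physician"})),
}

if __name__ == "__main__":
    for key, flow in SAMPLE_FLOWS.items():
        print(f"{key}: {classify(flow).value}")
    print("care coordinator added:", reclassifies_on_disclosure(SAMPLE_FLOWS["screening_note"], "care_coordinator"))
```

Running it shows the screening note staying a treatment record until a care coordinator is added to its recipients, at which point the same record becomes a FERPA education record.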

How FirmAdapt Addresses This

FirmAdapt's architecture was built for exactly this kind of overlapping regulatory environment. The platform allows organizations to tag data flows by applicable regulatory framework, so a university health center can enforce FERPA-specific access controls on student treatment records while applying HIPAA safeguards to non-student records within the same deployment. Policy enforcement happens at the data layer, not as an afterthought bolted onto a general-purpose AI tool.

For universities evaluating AI tools for student health services, FirmAdapt provides the compliance mapping and audit trail infrastructure needed to demonstrate that the FERPA-HIPAA boundary is being respected in practice, not just in policy documents. The platform's logging and access controls are designed to satisfy both FERPA's disclosure requirements and HIPAA's minimum necessary standard, which matters when a single system needs to serve both regimes simultaneously.
