Daystage
Teacher reviewing a privacy checklist before sending a school newsletter
Guides

HIPAA, FERPA, and School Newsletters: What Teachers and Administrators Must Know

By Dror Aharon·June 28, 2026·8 min read
Document showing FERPA and HIPAA compliance guidelines for school communications

Two federal laws govern what you can and cannot include in a school newsletter: FERPA and, in limited cases, HIPAA. Most teachers know these laws exist. Fewer know exactly what they require when it comes to routine parent communication. This guide covers both, clearly and practically.

What FERPA covers

The Family Educational Rights and Privacy Act protects personally identifiable information in students' educational records. In practice, this means you cannot publish or distribute information that links a student's name to their academic performance, disciplinary history, attendance records, special education status, or any other protected record.

For newsletters, the clearest violations look like this: naming a student as being placed in an advanced reading group, mentioning that a specific child received a disciplinary consequence, or publishing test scores next to student names. Even positive recognition can create a problem when it reveals information parents did not consent to share publicly.

Directory information (name, grade, school, participation in clubs or sports) is handled differently. Schools can designate certain fields as directory information and publish them unless a parent has opted out. Check your school's directory information policy before including student names in any context.

What FERPA does not cover

FERPA does not prohibit all mentions of students in newsletters. A classroom photo with names in the caption is permitted if the school has photo release consent from each child's parents. Mentioning that the class worked on a science project this week is not a FERPA issue. Saying a student won the science fair is typically acceptable as directory information if your school policy allows it.

The line is whether the information reveals something from an educational record. "Our class built a model volcano" is fine. "Marcus struggled with this unit and needed extra support" is not.

Where HIPAA comes in

HIPAA applies to healthcare providers and their business associates. Most K-12 schools are not HIPAA-covered entities, so HIPAA technically does not govern most school communications. The exception is school nurses and health clinics operating as healthcare providers.

If your newsletter includes any information from a school health professional (a nurse, counselor, or clinic), treat that content with HIPAA standards. That means no disclosure of individual student health information without written authorization. A school nurse cannot contribute a newsletter section that identifies a specific student's health condition, allergy, or treatment, even indirectly.

General health reminders (hand-washing, allergy season tips, lice prevention notices) are fine because they are not tied to individual students.

Photos: the most common mistake

Publishing student photos in a newsletter without current consent forms on file is the most common privacy error schools make. Consent must be obtained from a parent or guardian (not the student), it must be specific about how the photos will be used, and it must be documented.

Some schools get annual blanket consent forms. Others require per-use authorization. Know your school's policy. When in doubt, photograph classroom materials, student work without names visible, or the room itself rather than students.

If a parent has opted out of directory information sharing, their child should not appear in photos in any public-facing communication, including newsletters sent by email to a broad list.

Group mentions vs. individual mentions

A useful rule: group mentions are almost always safer than individual ones. Saying "our class read 500 books this month" is fine. Saying "four students in our class qualified for the gifted program" is borderline. Naming those four students is a clear FERPA issue if the gifted program status is an educational record.

When you want to highlight student achievement, make the recognition general enough that it does not link a student to a specific educational record. "Several students earned perfect scores on the math unit" is safer than anything that names names alongside performance data.

What to ask before sending

Before each newsletter goes out, run through this checklist:

  • Does any content link a student's name to academic performance, behavior, attendance, or special services?
  • Are any student photos included? If yes, are current consent forms on file for every child shown?
  • Does the newsletter include any content from a school health professional that identifies an individual student?
  • Has any parent on your list opted out of directory information sharing?
  • Is the newsletter going to a third-party platform? If so, does that platform have a FERPA-compliant data agreement with your school or district?

That last point matters more than most teachers realize. When you send a newsletter through any email platform, that platform receives your subscriber list. FERPA requires schools to have a signed agreement with any third party that receives student data. Platforms built for school communication, including Daystage, are designed with this requirement in mind and maintain the necessary data agreements.

When you are unsure

If you are not sure whether something is compliant, take it out. A newsletter that omits a borderline detail is always safer than one that includes it and creates a privacy complaint. Err on the side of group language, general descriptions, and omitting names when the context could reveal protected information.

For anything beyond routine content questions, your school's legal counsel or district compliance officer is the right resource. Privacy law is specific to your state and district in ways that a general guide cannot fully address.

The practical bottom line

FERPA is the primary law governing school newsletters. HIPAA applies narrowly to school health communications. Photos require documented consent. Individual student mentions linked to protected records are off-limits. Group language is almost always safe. And any platform you use to send newsletters must have appropriate data agreements in place.

Following these rules does not make newsletters less useful. It just makes them careful. Most of what teachers want to communicate, class activities, upcoming events, reminders, and general curriculum updates, falls cleanly within what is permitted.

Ready to send your first newsletter?

40 newsletters per school year, free. No credit card. First one ready in under 5 minutes.

Get started free