
Privacy & compliance

Consent, HIPAA, FERPA, and Your Baseline Data: The Privacy Guide for Schools and Clinics

Baseline data is protected health information — here's how to handle it correctly in every setting.


Baseline concussion testing generates protected health information — cognitive scores, symptom reports, medical history, and balance data that are subject to privacy regulations. Understanding which regulations apply and how to comply is essential for any organization managing a baseline program.

HIPAA in healthcare settings

In healthcare settings (clinics, hospitals, private practice): HIPAA (Health Insurance Portability and Accountability Act) governs the handling of protected health information (PHI). Baseline data stored in a clinical system is PHI and must be handled accordingly: secure storage with access controls, minimum necessary disclosure, written patient authorization for release, and breach notification procedures.

FERPA in school settings

In school settings: FERPA (Family Educational Rights and Privacy Act) governs student education records. If baseline testing is conducted as part of a school-sponsored athletic program and the results are maintained by the school, they may constitute education records subject to FERPA protections. Parents have the right to inspect and review these records and to request corrections.

When schools contract with external providers

This is where complexity arises. If a school contracts with a concussion clinic (like Headquarters) to provide baseline testing, the resulting data may be subject to both FERPA (as a school-program record) and HIPAA (as health information held by a covered healthcare entity). The contract should specify which entity is the custodian of the data, what privacy framework applies, and how data will be handled in the event of an injury.

Consent process for minors

Baseline testing of athletes under 18 requires informed written consent from a parent or legal guardian. The consent form should clearly state what data will be collected, how it will be stored, who will have access (athletic trainer? team physician? school nurse? coach?), how long it will be retained, and what happens to the data if the student transfers or graduates.

Who should NOT have access

Coaches should not have direct access to individual baseline scores or medical data. Opposing teams should never receive an athlete’s baseline data. College recruiters should not be provided baseline information without explicit family authorization.

At Headquarters, our data management practices comply with both HIPAA and FERPA requirements. We provide template consent forms for partner schools and organizations, and our data platform includes role-based access controls that restrict information to authorized clinical personnel. See our compliance page for more.

Frequently asked questions


Which privacy law applies to baseline data?
HIPAA governs healthcare settings (clinics, hospitals, private practice). FERPA governs school-held education records. When schools contract with clinics, both may apply — contracts should specify the custodian and applicable framework.

What should a parent consent form include?
What data is collected, how it's stored, who has access, retention period, and what happens to the data if the student transfers or graduates.

Should coaches have access to individual baseline scores?
No. Coaches should not have direct access to individual baseline scores or medical data. Opposing teams should never receive baseline data. College recruiters should not receive it without explicit family authorization.

Is Headquarters compliant with both HIPAA and FERPA?
Yes. Our data management practices comply with both frameworks. We provide template consent forms for partner schools, and our platform includes role-based access controls.

HIPAA and FERPA, done right.

Template consent forms, role-based access controls, and clear data-custody contracts — the privacy infrastructure baseline programs need.