Public Health and Schools Toolkit

Print
Schools Law Toolkit banner

Family Educational Rights and Privacy Act

Fact Sheet

Overview

The Family Educational Rights and Privacy Act (FERPA)1 is a federal law intended to protect the privacy of student education records while allowing students and parents greater access to the records. FERPA, among other things, prevents the disclosure of personally identifiable information from a student’s education record without the consent of a parent or eligible student unless an exception to the law’s general consent requirement applies.2 The law applies to all educational institutions (e.g., elementary, high school, college) and agencies that receive any funds for programs administered by the U.S. Department of Education (ED).3 (See ASTHO Public Health Access to Student Health Data Issue Brief for a more detailed analysis of FERPA.) (Download a printable PDF.)

What the Law Does

FERPA confers certain rights on parents or eligible students regarding access to and the privacy of the student’s educational records.3 “Eligible students” are students who have turned 18 or attend school beyond the high school level at any age.3 Schools must notify parents and eligible students annually of their rights under FERPA; the exact method of this notice (e.g., newsletter, student handbook, etc.) is left to the discretion of each school.3

FERPA applies to any educational institution or agency that receives funding from ED, including "non-school" entities that do not have students.5 Thus, all public schools and school districts, most public and private post-secondary institutions (e.g., colleges), and any other programs receiving ED funds are covered by FERPA.5 Private and religious elementary and secondary schools are not subject to FERPA because they generally do not receive funding from ED.5

Liability and Enforcement

FERPA and its implementing regulations do not address liability or immunity issues.1,4 There is no private cause of action in FERPA; individual parents or students may not bring a lawsuit to enforce the act’s provisions or to seek redress for violations of the act. Persons who believe their rights under FERPA have been violated may file a complaint with the ED’s Family Policy Compliance Office (FPCO), which investigates the complaint.2,4 FPCO is authorized to, among other things, revoke funding for institutions found in violation of FERPA and its regulations.2,4  

How the Law Works

Rights Under FERPA

FERPA gives parents and eligible students the right to: (1) review the student's education records maintained by the school; (2) request that a school correct records that they believe to be inaccurate or misleading; and (3) nondisclosure of the student’s education record or personally identifiable information from the record without prior written consent of a parent or eligible student (the “general consent requirement”) unless an exception applies.

An “education record” is defined as a record that is: (1) directly related to a student and (2) maintained by an educational agency or institution, or by a party acting on behalf of the agency or institution.4 A student’s health records, including immunization information and other records maintained by a school nurse, are considered part of the student’s education record and thus are protected from disclosure under FERPA. Medical and psychological treatment records of students at the post-secondary level are not considered to be education records unless they are disclosed for purposes other than treatment.4,5 The definition generally does not include records and videos kept by a school’s law enforcement unit, observations by instructors, or records created after the student no longer attends the school.4

FERPA regulations define “personally identifiable information” (PII) to include name, address, personal identifiers like Social Security number or date of birth, or other information that could be used alone or in combination to identify a student.4 However, schools may disclose, without consent, “directory information” such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.3 Schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.4,6  

Exceptions to FERPA

FERPA contains a number of exceptions that allow schools to disclose information from a student’s education record without consent of a parent or an eligible student. Schools may disclose de-identified information without written consent.4 FERPA rules identify the following parties and/or circumstances under which disclosure of PII may be made without consent3,4:

  • School officials with a legitimate educational interest.
  • Other schools to which a student is transferring.
  • Specified officials or their authorized representatives for audits or evaluations of federal- or state-supported education programs or enforcement of federal legal requirements of these programs.
  • Appropriate parties in connection with financial aid to a student.
  • Organizations conducting studies for or on behalf of the school related to predictive tests, student aid, or improving instruction.
  • Accrediting organizations.
  • To comply with a judicial order or lawfully issued subpoena.
  • Appropriate officials in cases of health and safety emergencies.
  • State and local juvenile justice authorities as required in state law.3

Historically, these exceptions have been narrowly construed to err on the side of protecting the student’s privacy over making a disclosure. Thus, ED interpretations have resulted in a narrow scope of circumstances and recipients for the release of education records without prior written consent by a parent or eligible student. This has been the case with the health and safety exception especially. FPCO guidance states that an “emergency” under FERPA means “a situation in which there is an articulable and significant threat to the health or safety of students or other individuals.”2 However, an “emergency does not include the threat of a possible or eventual emergency for which the likelihood of occurrence is unknown.”2

Recent Changes to FERPA Regulations

In December 2011, ED released amendments to the FERPA regulations.6 The revised regulations may make it easier for schools and education agencies to share student data with other state and local agencies in some narrow respects. The amendments in part: (1) broaden the scope of entities eligible to act as authorized representatives; (2) expand the types of education programs covered under the act; and (3) enforce FERPA for all entities receiving ED funds—not just those interpreted as “schools,” which may encompass some programs conducted by health agencies. However, the nexus of data sharing between schools/education agencies and other entities like health agencies remains linked to the conduct of evaluations and audits of federal- and state-supported education programs or the enforcement of federal legal requirements for these programs. Thus, health programs must relate to these purposes to be covered by the broader rules announced; such programs might include, for example, bullying and suicide prevention programs that promote safer learning environments. It is unlikely, however, that the amended rules would permit the sharing of routine public health data like immunization or school absentee data without consent. (See also ASTHO fact sheet on Public Health & Schools Current Issues—Winter 2012.)

How the Law Affects States

Any state law or regulation that conflicts with FERPA and its regulations is preempted by the federal law, and the federal requirements take precedence over the state requirements. However, if an educational agency or institution, a recipient of ED funds, or another party to which PII has been nonconsensually disclosed determines that it cannot comply with FERPA or the regulations because of a conflict with state or local laws, it must notify FPCO within 45 days and provide the text and citation to the conflicting state or local law.1,4,6 FPCO reviews the conflicting law and any interpretations of it made by the state and provides guidance to the requesting entity regarding FERPA’s applicability to the situation.

With respect to state and local public health agencies, FERPA’s restrictions on sharing health information acquired by an educational institution have been an ongoing source of concern and a barrier to sharing relevant data. School personnel who are concerned and uncertain about their ability to legally share information in keeping with FERPA requirements may be reluctant or even refuse to share information relevant for public health.

Practice Notes

  • Identify the student health and other data needed and whether it involves the use of PII.
  • Identify sources for the data such as schools, school districts, state education agencies, health providers, etc.
  • Given the data sources, determine if the data is covered by FERPA, HIPAA, or other federal and state privacy laws.
  • If it is covered by FERPA, determine if any exception applies.
  • If not, identify and obtain the consents required to use the data.


Sources

1 Family Educational Rights and Privacy Act (FERPA) codified at 20 U.S.C. § 1232g.
2 U.S. Dept. of Ed. “Family Educational Rights and Privacy Act (FERPA) and H1N1.” October 2009. Available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-h1n1.pdf. Accessed January 31, 2012.
3 U.S. Dept. of Ed. “Family Educational Rights and Privacy Act (FERPA).” Available at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Accessed January 31, 2012.
4 34 C.F.R. Part 99.
5 U.S. Dept. of Ed. and U.S. DHHS “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.” November 2008. Available at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf. Accessed January 31, 2012.
6 U.S. Dept. of Education. Final Rulemaking “Family Educational Rights and Privacy.” 76 F.R. 75604 (December 2, 2011).

 

Note: This document was compiled from June–December 2011 and reviewed May 2013; it reflects the laws and programs current then. It reflects only portions of the laws relevant to public health emergencies and is not intended to be exhaustive of all relevant legal authority. This resource is for informational purposes only and is not intended as a substitute for professional legal or other advice. The document was funded by CDC Award No. 1U38HM000454 to the Association of State and Territorial Health Officials; Subcontractor PI Elliott, Logan Circle Policy Group LLC.