Public Health and Schools Toolkit


Schools Law Toolkit banner

Current Issues and Updates

Winter 2012

Current Issues and Updates provides periodic updates on new and evolving issues related to the topics covered in the ASTHO Public Health and Schools Toolkit. (Download a printable PDF.)

Analysis of Revised FERPA Regulations

In December 2011, the U.S. Department of Education (ED or the Department) released amendments to its regulations implementing the Family Educational Rights and Privacy Act (FERPA).1 The revised regulations may make it easier in some respects for schools and education agencies to share student data with other state and local agencies but likely will not allow data sharing without consent for all public health purposes. The amendments went into effect January 3, 2012.

FERPA Overview

FERPA is a federal law intended to protect the privacy of student education records while allowing students and parents greater access to the records. FERPA prevents the disclosure of a student’s education record or personally identifiable information (PII) contained in the record without the consent of a parent or eligible student unless an exception to the law’s general consent requirement applies.2 “Eligible students” are students who have turned 18 or attend school beyond the high school level at any age.3 An “education record” is defined as records that are directly related to a student and maintained by an educational agency or institution or by a person acting on behalf of the agency or institution.4 A student’s health records, including immunization information and other records maintained by a school nurse, are considered part of the student’s education record and thus are protected from disclosure under FERPA. While FERPA contains a number of exceptions to the general consent requirement, these exceptions have been narrowly construed by ED historically and have resulted in difficulties when schools (collectively referencing elementary, secondary, and post-secondary schools) attempt to share data with health agencies. (See ASTHO Fact Sheets on FERPA and Accessing School Health Data.)

Changes to FERPA Regulations

ED proposed changes to the FERPA regulations4 with the goal of continuing to protect the privacy of education records while “allowing for the effective use of data in statewide longitudinal data systems (SLDS) as envisioned in the America Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science (COMPETES) Act” and the American Recovery and Reinvestment Act of 2009 (ARRA).5 SLDS “promote the linking of data across time and databases, from early childhood into career.”6 The amendments are intended to provide clearer authority and guidance for schools, local school districts, and state educational agencies in sharing data with other non-educational agencies and organizations, as well as expand the types of programs covered under the rules.8 The following is a partial summary of the changes; the full text of the amendments and ED’s commentary are published at 76 Federal Register 75604.8

  • Defining “Authorized Representative”—The existing rules permit disclosure of PII without consent to authorized representatives of state and local educational authorities and selected federal officials; however, the term “authorized representative” is not defined in the FERPA statute or existing regulations. The amended rules define “authorized representative” as giving state and local educational authorities discretion to designate “any outside party”—including other state and local governmental agencies—as their authorized representative in connection with evaluations and audits of federal and state-supported education programs or the enforcement of federal legal requirements for these programs.8 Previous ED interpretations of FERPA excluded other state and local agencies (such as health agencies) from serving as authorized representatives because they were not viewed as being under the “direct control” of state educational authorities as employees or contractors.5,7 ED now notes that such a restrictive view is not warranted under FERPA and that Congress’s intent under the America COMPETES Act and ARRA to have states link data across sectors via SLDS requires a broader definition of the term.8 ED also rescinds the prior restrictive interpretations with the amended rules.8 The revised rules also require that state or local educational authorities use “reasonable methods” to ensure that their authorized representatives comply with FERPA and that education authorities enter into written agreements with their representatives specifying the information disclosed and the handling of the information to protect PII.8 ED states that, although there is the increased potential for unauthorized disclosure of PII because more entities will have access to the data, it does not believe that “the staff in the additional agencies who will have access to PII from education records are any more likely to violate FERPA than existing users.”8
  • Defining “Education Program”—The existing rules allow nonconsensual disclosure of PII to authorized representatives of educational authorities in connection with evaluations and audits of federal and state-supported education programs or the enforcement of federal legal requirements for these programs; however, the rules did not define the term “education program.” The amended rules newly define “education program” as “any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, adult education, and any program that is administered by an education agency or institution.”8 The definition is an acknowledgement that all education programs funded by ED may not be administered by a state’s educational agency and is intended to facilitate disclosure of PII, as necessary, to evaluate a range of education programs.8 ED further notes that if student health PII is necessary to evaluate the effectiveness of an education program, education agencies and their authorized representatives can access such data without prior consent. However, if the same information is needed to evaluate a health program, the agency seeking the data must obtain consent before disclosure.8
  • Clarifying Enforcement Authorities—FERPA authorizes the ED Secretary to take appropriate actions to address FERPA violations and to create an office to enforce FERPA.5 The Family Policy Compliance Office (FPCO) within ED is the office charged with FERPA enforcement. While FERPA broadly defines “education agency or institution” as “any public or private agency or institution” which receives funds under any ED program, the Department has historically interpreted FERPA to exclude “non-school” entities, which are not attended by students, from coverage under the act.1,5 The rule changes acknowledge that the agency funds entities beyond those that students attend and authorize FPCO to enforce FERPA for programs administered by ED that do not have students but receive ED funds or will be disclosing or using PII.8 Specifically, the revised rules clarify FERPA’s enforcement procedures to authorize ED to “investigate, process, and review complaints and violations of FERPA alleged to have been committed by educational agencies and institutions, as well as other recipients of Department funds under any program administered by the [ED] Secretary.”8 The revised enforcement provisions list examples of the types of other recipients subject to the act, including “state educational authorities ... and state postsecondary agencies, local educational authorities, nonprofit organizations, student loan guaranty agencies, and student loan lenders.”8 While the examples provided do not specifically mention other state or local agencies, if the agencies receive funds from any ED program or receive PII from education records under one of the exceptions to FERPA’s general consent requirement, then arguably these agencies could also be subject to FERPA enforcement.

Other changes in the revised rules amend the definition of “directory information” and the conditions that apply to the disclosure of directory information. The changes also clarify the authority of state and local education agencies to conduct research studies, audits, and evaluations. The amendments further clarify that all educational authorities and agencies covered by FERPA may enter into written agreements that specify the information disclosed and the handling of that information to protect PII during the conduct of research studies regarding instruction, financial aid, or testing.5,8

For More Information

Impact of the Changes

The revised regulations may make it easier for schools and education agencies to share student data with other state and local agencies in some limited respects. The broader interpretations given to the entities eligible to act as authorized representatives and the education programs covered under the act, as well as enforcing FERPA for all entities receiving ED funds—not just those interpreted as “schools”—may encompass some programs conducted by state and local health agencies. However, the nexus of data sharing between schools/education agencies and other entities like health agencies is tied to the conduct of evaluations and audits of federal and state-supported education programs or the enforcement of federal legal requirements for these programs. Thus, health programs must relate to these purposes to be covered by the broader rules announced; such programs might include, for example, bullying and suicide prevention programs that promote safer learning environments. It is unlikely, however, that the amended rules would permit the sharing of routine public health data like immunization or school absentee data without consent. While FERPA’s health and safety emergencies exception can be used to access school health and other PII data without consent, there must be a significant and articulable threat to a student or others for nonconsensual access. The current rules changes do not alter the health and safety emergencies exception or ED’s interpretation of it.


1 Family Educational Rights and Privacy Act (FERPA) codified at 20 U.S.C. § 1232g.
2 U.S. Dept. of Education. “Family Educational Rights and Privacy Act (FERPA) and H1N1.” October 2009. Available at Accessed January 31, 2012.
3 U.S. Dept. of Education. “Family Educational Rights and Privacy Act (FERPA)” webpage. Available at http://www.ed/gov/policy/gen/guid/fpco/ferpa/index.html. Accessed January 31, 2012.
4 34 C.F.R. Part 99.
5 U.S. Dept. of Education. Notice of Proposed Rulemaking “Family Educational Rights and Privacy.” 76 F.R. 19726 (April 8, 2011).
6 U.S. Dept. of Education, National Center for Educational Statistics. “20 States Win Grants for Longitudinal Data Systems” webpage. Available at Accessed January 31, 2012.
7 U.S. Dept. of Education. “Memorandum from William D. Hansen, Deputy Secretary of Education, to State Officials.” January 30, 2003. Available at Accessed January 31, 2012.
8 U.S. Dept. of Education. Final Rulemaking “Family Educational Rights and Privacy.” 76 F.R. 75604 (December 2, 2011).


Note: This document was compiled from June–December 2011 and reviewed May 2013; it reflects the laws and programs current then. It reflects only portions of the laws relevant to public health emergencies and is not intended to be exhaustive of all relevant legal authority. This resource is for informational purposes only and is not intended as a substitute for professional legal or other advice. The document was funded by CDC Award No. 1U38HM000454 to the Association of State and Territorial Health Officials; Subcontractor PI Elliott, Logan Circle Policy Group LLC.