Skip to Content

The Family Educational Rights and Privacy Act

Topics: 
Care Coordination/Care Management
Medical Records Collection, Retention, and Access
Privacy and Confidentiality
Public Health Data Collection and Reporting
Security of Health Information

The Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA)1 protects the privacy of information maintained in student education records.   It applies to all education agencies and institutions that receive federal funds including public elementary and secondary schools and both public and private colleges, universities, and professional schools.  Private and religious elementary and secondary schools are largely exempt from FERPA.

 

Education Records Defined

FERPA defines “education records” as “records, files documents, and other materials” that “contain information directly related to a student; and are maintained by an education agency or institution” or their agent.2 Consequently, this definition includes student health records, immunization records, and records maintained by school nurses.3 The definition does not include (1) records created by instructors, teachers, or administrators that are only accessible by the maker or a substitute; (2) records created for law enforcement purposes by a law enforcement unit of an education agency; (3) records regarding educational agency or institution employees that are made in the normal course of business and only pertain to employment; and (4) records regarding a postsecondary student or student over the age of 18 created by that student’s physician, psychologist, psychiatrist, or other professional for treatment purposes, if such records are only accessible to the persons providing treatment or another physician or professional specified by the student.4

 

HIPAA and FERPA

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule5 regulates the use and disclosure of “protected health information” (PHI) by health providers, health insurers, and other designated “covered entities.” The Privacy Rule broadly defines PHI as including information about an individual’s health status and receipt of care, but expressly excludes information maintained in records subject to FERPA regulation. The Departments of Health and Human Services and Education have issued a joint guidance to clarify the regulatory relationship between HIPAA and FERPA.6

 

Access to Education Records

FERPA requires educational institutions and agencies to allow parents to access their child’s education records.7 Parents must have the ability to challenge the content of their child’s education record “in order to insure that the records are not inaccurate, misleading, or otherwise in violation of [their] privacy rights…” Challenges may result in the correction or deletion of material.8

FERPA permits the Comptroller General, Secretary of Education, and state educational authorities to access education records when evaluating federally supported programs or enforcing related legal requirements.9 Unless otherwise provided by law, data for such purposes must be collected in a manner that limits access to information that identifies children or parents to these officials. Identifying information must be destroyed when no longer needed. FERPA does not prevent state and local authorities from accessing education records for program administration purposes so long as they comply with the aforementioned requirements regarding the access and destruction of identifying information.10

Educational agencies must maintain records of access requests that identify the requesting party and their “legitimate interest” in accessing the record. Parents, school officials, and persons that audit compliance may access these records. Third parties that receive access to these records may not make further disclosures. Violations of such prohibition will result in a minimum five-year ban from accessing these records.11

 

Release of Education Records

Educational institutions and agencies must obtain a parent’s written consent prior to releasing a child’s educational record. However, consent is not necessary in the following circumstances:12

  • When released to school officials or teachers that “have legitimate educational interests…”
  • When released to officials of a different school or schools system in connection with the students transfer or desired enrollment in such schools. Parents must receive notice of the transfer and have an opportunity to obtain a copy of the record and a have a hearing regarding the contents of the record.
  • When released to the Comptroller General, the Secretary of Education, state educational authorities, or representatives of these officials.
  • In relation to a student’s application or receipt of financial aid.
  • To state and local authorities if authorized by a statute adopted prior to November 19, 1974, “if the … disclosure concerns the juvenile justice system and such system’s ability to effectively serve the student whose records are released.” Release is permissible under statutes adopted after November 19, 1974, so long as the statute meets the above criteria and the officials that obtain the information “certify in writing to the educational agency or institution that the information will not be disclosed to any other party except as provided under state law without the prior written consent of the parent of the student.”
  • To organizations that conduct studies related to test development, student aid program administration, and instructional improvements, so long as the studies do not use the information in a way that allows identification of students or their parents by persons not affiliated with the organization and the organization destroys the information at the conclusion of the study.
  • To accrediting organizations in relation to their accreditation services.
  • To parents of a dependent student.
  • To persons that need the information in an emergency to protect the health and safety of the student or others. The Secretary of Education may establish regulations regarding such emergencies.
  • To persons or entities identified in a federal grand jury subpoena or any subpoena issued for law enforcement purposes. The court that issues the subpoena must order that the recipient not disclose the existence or contents of the subpoena or any information furnished in response.
  • To the Department of Agriculture or Food and Nutrition Services representatives that need the information to monitor and evaluate the child nutrition programs. Evaluation results must be reported in aggregate and may not identify individuals. Persons that obtain data must protect the identities of children and their parents and must destroy the information when it is no longer needed.

 

Consent

Consent for the release of education records must be in writing, specify the records to be released, and identify the persons that will obtain the record.13 Parents must receive a copy of the records upon request.  Educational agencies and institutions must notify parents and students prior to releasing records in compliance with a court order or subpoena. Students that turn 18 or enroll in a postsecondary institution may give their consent in place of their parents.14

 

Notice

Educational institutions and agencies must notify parents and students of their rights under FERPA and provide parents with notice regarding information that will be released in a public directory.15 Notice regarding public directories must occur in a manner that allows parents sufficient time to bar the disclosure. FERPA defines public directory information as including “the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.”16

 

Privacy & Security

The Secretary of Education must establish regulations and procedures for protecting the privacy of students and families in relation to surveys and other data gathering activities conducted by the Secretary or other educational agencies.17 These regulations must address use, disclosure, and security of the data. The Secretary and agencies may not conduct surveys or data gathering activities unless expressly permitted by law.18

 

Preemption

FERPA does not preempt states’ authority to enact further limitations on access to education records by state or local officials.19

 

Enforcement & Penalties

The Secretary of Education has the authority to enforce FERPA and terminate the funding of any institution or agency that fails to voluntarily comply.20

 


Current View

Footnotes

  • 1. 20 U.S.C. § 1232g.
  • 2. 20 U.S.C. § 1232g(a)(4).
  • 3. U.S. Dept. of Health and Human Services & U.S. Dept. of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records 1 (2008).
  • 4. 20 U.S.C. § 1232g(a)(4).
  • 5. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 139 (1996) (codified as amended in scattered sections of 42 U.S.C.); 45 C.F.R. §§ 160.101- 552 (2012); 45 C.F.R. §§ 164.102-106; 45 C.F.R. §§ 164.500-534.
  • 6. Joint Guidance on the Application of the FERPA and HIPAA to Student Health Records, pgs. 4-5 (November 2008) available at www.ed.gov/policy/gen/guid/fpco/doc/ferpa-hippa-guidance.pdf (accessed on February 17, 2013).
  • 7. 20 U.S.C. § 1232g(a)(1).
  • 8. 20 U.S.C. § 1232g(a)(2).
  • 9. 20 U.S.C. § 1232g(c).
  • 10. 20 U.S.C. § 1232g(b)(5).
  • 11. 20 U.S.C. § 1232g(b)(4).
  • 12. 20 U.S.C. § 1232g(b)(1).
  • 13. 20 U.S.C. § 1232g(b)(2).
  • 14. 20 U.S.C. § 1232g(d).
  • 15. 20 U.S.C. § 1232g(e).
  • 16. 20 U.S.C. § 1232g(a)(5).
  • 17. See 34 C.F.R. Part 99.
  • 18. 20 U.S.C. § 1232g(c).
  • 19. 20 U.S.C. § 1232g(b)(1).
  • 20. 20 U.S.C. § 1232g(f).