The Other Health Privacy Law: What FERPA Requires of Schools

January 13, 2003

As an 14 deadline approaches for health care providers to comply with privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), another law that protects the privacy of student health information in schools is getting new attention. That’s because the final regulations for HIPAA specifically exempt from HIPAA requirements any health information entered into a student’s education record by a school nurse and make that information subject instead to the older Family Educational Rights and Privacy Act (FERPA), with which schools have been expected to comply since 1974.

How exactly this will work out remains to be seen. For example, what if someone other than a school nurse (the principal, maybe, or the school secretary) enters a piece of health information into a student’s file? But in its general outlines, what the regulation says is that FERPA, not HIPAA, is the protector of the privacy of information entered into a student’s record, including health-related information. That makes it important for school staff and administrators to know what is expected of them under FERPA.

Congress has amended FERPA a total of nine times since it was enacted in 1974, most recently as part of the Bush administration’s education law, the Leave No Child Behind Act. As it now stands, FERPA applies to any public or private entity that receives federal funds. Parents have the right to review their child’s "education record," defined as "those records, files, documents, and other materials which contain information directly related to a student, and are maintained by an educational agency or institution or by a person acting for such agency or institution." When a student becomes 18 or is attending college, the right to view the record transfers to the student. Parents may request corrections of the records, with opportunity for a hearing if necessary.

With some exceptions, personally identifiable information in a student’s record, except "directory information," may not be released by the school to a third party without a parent’s written consent. ("Directory information" is defined to mean "the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student." Public notice must be given of the content of the directory information, with a reasonable time for parents to refuse to allow release of the data.)

In 2002, Congress amended FERPA to require schools to provide students’ names, addresses, and telephone numbers to military recruiters who request it—typically for junior and senior high school students.

There are some other exceptions to the privacy requirement.

  • A school may release information, including disciplinary actions taken against a student, to school officials, including teachers, who have "legitimate educational interests."
  • The education record can be sent to another school or school system in which the student seeks to enroll, upon condition that parents are notified and receive a copy of the record and opportunity to challenge it.
  • FERPA allows a school to release personally identifiable student data for purposes of federal, state or local audits; for law enforcement; and for some education research (provided the information will be destroyed when no longer needed).
  • Student education records can be released without prior consent in an emergency when the information is necessary to protect the health or safety of the student or other persons, and during investigations of acts of terrorism.

Of the exceptions, the one most frequently causing schools difficulty is the "legitimate educational interests" provision. Schools are caught between the need to protect student privacy and the need to provide school staff with relevant information about students, for example when a child has hearing or vision problems, is subject to seizures, is asthmatic, or has food allergies. As a result, schools sometimes run afoul of the privacy requirements of FERPA by failing to monitor the casual exchange of such information by teachers or others, or by failing to train school staff in the proper use of such information.

Many schools also fail to take adequate steps to protect the information, including health status, in student records that are stored in computers or as paper files. At a minimum, FERPA, like HIPAA, requires that computer access be limited to qualified personnel, and that file cabinets be kept locked. FERPA has also been interpreted to require schools to treat as confidential information concerning drugs that may be administered to students during the school day.

The "need to know" provision of FERPA is similar to provisions in the new HIPAA law that allow transfer of personally identifiable information to others in a hospital, health plan, or clinic who have "need to know" in order to provide treatment or bill for services. Because HIPAA is new and compliance is a major interest, with "compliance officers" now appointed in most institutions, it’s expected that violations of confidentiality will be noted. Given the example of HIPAA, schools may find themselves more scrutinized than before on the issue of how they protect student medical records under FERPA.

Where FERPA Does Not Apply

When health care is made available to students on school property but is provided by a non-school institution or agency such as a hospital or community health center, health records of students who use the facility are retained by the health care providers and are subject to the privacy requirements of HIPAA, meaning they cannot be released to school personnel or other third parties without parental permission. These records will therefore not be entered into the student’s "education record" by school personnel, and their privacy is protected by HIPAA, not FERPA.

This InFocus paper is not intended as legal advice to schools about FERPA compliance. Schools are urged to contact their attorneys or state attorneys general if specific questions arise about federal or state health privacy requirements.