Amendments to FERPA Regulations
New Changes Attempt to Balance Safety and Privacy in Student Records
by Laurie A. Rinehart-Thompson, JD, RHIA, CHP
HIM professionals are familiar with the HIPAA privacy rule, the federal law that serves to safeguard protected health information. However, they may be less familiar with the Family Educational Rights and Privacy Act (FERPA, 20 USC 1232g; CFR Part 99), which is also relevant to managing the privacy of health records.
Passed in 1974, FERPA prohibits disclosing without consent the educational records of students who attend or have attended an educational program that receives federal funding from the Department of Education. The right to consent belongs to the student’s parents until the student reaches age 18 or attends a school beyond high school, at which time it transfers to the student. The Department of Education’s Family Policy Compliance Office administers the FERPA regulations.1
FERPA strictly limits the disclosure of information including identifiers such as Social Security numbers, grades, and other indicators of student performance. Although an exception is made for the disclosure of directory information (e.g., name, degrees awarded, and enrollment status), individuals with the right to consent must be notified about the potential disclosure of directory information and given a reasonable amount of time to opt out.
FERPA has historically presented challenges in postsecondary academic programs, where parents who finance an adult student’s education request information from the student’s educational record with an expectation of access. However, FERPA prohibits the sharing of educational information about an adult or postsecondary student without the student’s permission, unless the student is a dependent of the parents for federal income tax purposes.2
Thus the historical intent of FERPA has been to safeguard the privacy of student information. However, regulatory changes introduced this year serve to broaden access under certain circumstances.
The 2009 Amendments
On January 8, 2009, significant changes to the FERPA regulations went into effect. The final regulations consist of three broad categories: school safety (health/safety emergencies and disclosures to parents); better access to education data for research and accountability; and safeguarding privacy and education records.
Receiving the greatest level of attention were the changes related to health and safety emergencies, which now allow greater flexibility in sharing information from a student’s education record. The changes were prompted by the 2007 Virginia Tech tragedy in which a student with documented behaviorial health issues killed 32 students and teachers. FERPA was viewed by many as an impediment to vital communications and information in the perpetrator’s education records that, if disclosed, may have resulted in professional intervention that could have prevented the tragedy.3
The final regulations give greater deference to administrator discretion in disclosing information from education records when there is a threat to student health and safety. According to section 34 CFR 99.36, educational agencies and institutions are now permitted to disclose personally identifiable information, without consent, from education records to appropriate parties, including parents, whose knowledge of the information is necessary to protect the health and safety of the student or others.
In making a decision regarding disclosure, the school must determine that a significant and articulable threat has been made, consider the totality of the circumstances, and document in the student’s record the reason it is believed a health or safety emergency exists. Although former language required that the determination of an emergency must be “strictly construed,” the Department of Education now will apply the less stringent “rational basis” standard and will not substitute its judgment for that of the educational institution that assessed the situation and used its own best judgment to disclose information from the student’s education record.
By granting broader discretion to the educational institution or agency, the fear of penalty for wrongful disclosure is significantly reduced. In addition to parents, whose knowledge about a student’s health condition (including impairments to judgment) may be necessary, other parties that may be notified include school and law enforcement officials. The obvious drawback is that students may be inhibited from seeking help if they believe the emergency provision may be triggered and their parents and officials notified.4
Under the school safety rubric, the final regulations also clarify that, even after the right to consent has transferred to a student, an institution may disclose information to a student’s parents without written consent under any circumstances if a student is a dependent for federal income tax purposes.
Further, even if the student is not a dependent, disclosure to parents may be made if a health or safety emergency exists. This clarification resulted from the Department of Education’s concern that educational agencies and institutions were applying FERPA’s prohibitions on information-sharing too stringently.
Better Access to Education Data
For purposes of better data sharing, the final regulations have loosened restrictions on the ability of state and local educational authorities to redisclose education records containing personally identifiable student information without consent to another institution where a student seeks to enroll, to outsourced entities, and for legitimate educational interests. FERPA also does not inhibit disclosure of de-identified information for educational research purposes.
These changes, in part, strive to enhance the sharing and use of data to improve the academic achievements of students and to advance legitimate research activities in education.
Safeguarding Privacy and Education Records
To reflect technological changes that enable the identification of individuals through additional mechanisms, the final regulations update the definition of “personally identifiable information” to include and define a biometric record. Personally identifiable information now includes the date and place of birth, mother’s maiden name, and “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.”
The definition of “other information” was updated to provide greater clarity. The amendments also provide more specific parameters relating to the recording of redisclosures of personally identifiable information from education records.
Reconciling FERPA and HIPAA
Information relating to a student’s health, including a student health record, may be contained within a student’s school record, prompting questions about the applicability of the HIPAA privacy rule to this information. However, student health information is generally not subject to HIPAA privacy rule requirements.
First, the educational institution will likely not meet the definition of a HIPAA covered entity (i.e., a healthcare provider that conducts covered transactions electronically). However, even if it does, the records will not be considered protected health information. Rather, if the student’s health information is maintained by a school that receives Department of Education funds and is therefore subject to FERPA, it will meet the definition of “education record” or “treatment record.”
An education record directly relates to a student and is maintained by an educational agency or institution, including school employees or a party acting on its behalf such as a contractor. A treatment record is made, maintained, and used only in relation to treatment of the student and disclosed only to individuals providing treatment. Treatment records that have been disclosed for a purpose other than treatment meet the definition of education record. 5 Both education and treatment records are excluded from HIPAA coverage and are subject to FERPA.
Of particular interest are student records maintained by health clinics that are operated by postsecondary institutions. If FERPA applies to the institution, the records will qualify as either education or treatment records under FERPA because the health clinic provides healthcare services on behalf of the institution and with regard to the individual’s status as a student. HIPAA will not apply.
This is contrasted with students who are patients at university hospitals associated with universities subject to FERPA. In this situation, the hospital does not provide healthcare services to students either on behalf of the institution or with regard to the individual’s status as a student. FERPA will not apply, and the HIPAA privacy rule will. Schools that do not receive Department of Education funds and do not meet the definition of a HIPAA covered entity are not required to comply with requirements of either law.
Once it is determined that a health record meets the requirements of FERPA, HIPAA, both laws, or neither law, a determination may be made regarding the sharing of information with relevant parties, particularly where the health and safety of individuals are at stake.
Laurie A. Rinehart-Thompson (firstname.lastname@example.org) is an assistant professor of clinical allied medicine in the School of Allied Medical Professions at The Ohio State University in Columbus, OH.