FERPA – The “HIPAA” in Education: Protecting Student Privacy and Ways to Avoid Common Violations

With the pandemic and navigating student illness which may be related to COVID, it seemed like a good idea to revisit FERPA and to include its role in relation to COVID. FERPA or the Family Educational Rights and Privacy Act of 1974 is education’s version of the Health Insurance Portability and Accountability Act of 1996 or HIPAA.

FERPA is a federal law that protects the privacy of student records (U.S. Department of Education, 2020, March). This law protects the privacy of student educational records for any school that receives federal funding. Although FERPA gives some rights to parents regarding their children’s education records, once a student becomes 18 or enters higher education, those rights transfer to the student. At this point, a student must provide written consent for an educational institution to disclose personally identifiable information (PII). Educational records include any and all information that is directly related to the student and maintained by an educational program or institution, which can include files, documents, grades, transcripts, disciplinary records, advising notes, contact and family information, immunization or other health records including COVID, and student accommodations. A student’s name and identification number and any other information that could identify the student fall under FERPA as protected personally identifiable information (PII). Formal written consent must be obtained before any such information is released to anyone other than the student. Specifically, regarding COVID, no one should be releasing student identifiable information about COVID status. However, the release of such information about teachers is not protected under FERPA as this law pertains to students, although other laws may be in place to protect teachers’ PII such as HIPAA.

It is not uncommon for a parent or even a partner or spouse to call the program to ask about how their son, daughter, partner, or spouse is doing in the program. I’m sure you can imagine their surprise to learn we cannot disclose any information. We are legally bound as teachers by FERPA and cannot share this information without consent from the student or permission from the institution. Sometimes, it is best to directly state our legal obligation when dealing with a parent, spouse, family member, or significant other (U.S. Department of Education, 2020, 2021).

Ways to avoid some of the most common FERPA violations


One of the most common FERPA violations occurs as a result of a teacher leaving items with student information such as files, post-its, advising notes, examinations, grading sheets, etc., out on his or her desk or table. This includes having the computer screen on and open with student data displayed.

Here’s how it happens.

A faculty member was grading exam papers. She had them on her desk and her computer on with the spreadsheet open with all the students’ names and their grades. She stepped out of her office, walking two doors down to talk with one of her colleagues about a student’s response to one of the exam questions. She wasn’t concerned about leaving her office because the students were in class, so she left her office door open. Unbeknownst to her, a student left class to come and talk to her about his exam. He walked into her open office and saw all the tests on her desk and her computer screen with the grades. Not finding her, he returned to class. Two hours later, another student came to talk to this same faculty member, and the student was in tears. The student told the faculty member that she had been told by one of her classmates that he saw her failing exam score on the faculty member’s desk and now the whole class knew.

In this situation, the teacher failed to protect student privacy. It is never safe or ok to leave student documents on your desk or open on your computer. If you are working on things and need to leave the office, turn them over, turn off your computer screen, and lock your office door. When you leave your office at night, place all student documents in a locked drawer, close all open documents on your computer, and lock your office door. I know some teachers prefer not to keep their office doors locked, but securing the door is critical. Experience has taught me that even when a faculty office door is closed and the faculty member is not present, students try the door handle and, if it is unlocked, some will enter.

Although it was common practice in the past, teachers cannot post test scores on a bulletin board or ask another student to distribute graded papers to the class. Graded work, such as term papers, quizzes, or H&P write-ups, cannot be placed in a student’s “mailbox” unless it is locked and only the student has access.


Never discuss, reveal, or compare one student’s performance with another student in the class. I know this may sound obvious, but here is how this one usually happens.

Two students who are best friends score very differently on an exam even though they studied together. Student A is talking to you because she barely passed, but she knows her friend (Student B) scored a 90. Student A is sure there must be a mistake and wants to see how the scores could be so different. BEWARE.  It is easy to fall into talking about Student B here, but you cannot. It’s best to start by telling Student A you are happy to talk about her grade, but you cannot speak about Student B. If needed, you could choose to let her know you are legally bound to protect each student’s information and therefore you can only discuss her performance.

As mentioned previously, this situation could and does occur when you receive a phone call from a parent, family member, or spouse inquiring about their child’s or family member’s performance in the program. Unless the student has given explicit written consent that you may discuss their educational record with this individual, you are legally required to protect the student’s privacy.


If you do or don’t share information - DOCUMENT! DOCUMENT! DOCUMENT!  I know this sounds familiar from a clinical perspective. However, documentation is also critical in education. If you ask permission of a student to share their information, you must obtain consent and I would strongly encourage this be in writing, such as the completion of a standardized form or a student encounter note that the student signs.  It is also important to document those encounters when you inform individuals that you cannot release information.


Most of us don’t think about what we toss in the trash can. After all, it’s trash. However, as teachers, sometimes we make hard copies of student examinations, papers, projects, or grading rosters to review or file them. Therefore, what we toss in our waste paper basket could be a FERPA violation. Any documents that contain personal student information should be shredded rather than simply discarded. If you don’t have time to shred a document, it would be better to place it in a locked file or drawer until you can.


Student directory information includes items such as name, address, phone number, and e-mail. Although this type of data can be released without consent under FERPA, universities and colleges must offer students the option to opt out. Upon entry into an institution of higher education, students are informed about their directory information and are allowed to withhold consent, meaning they do not give their permission for this information to be released (U.S. Department of Education, 2013, 2018). However, this information may not reach individual teachers or faculty within a particular program. Therefore, it is better to always check with the student first.

One way this commonly happens is that a current student, such as the class president or other class officer asks you for the contact information of the new class of students, such as name, phone numbers or e-mails. The class president is requesting this information so they can send a welcome note and invite the new students to a luncheon. While it seems harmless enough, as the teacher, you should not release this information because you do not know if anyone in the class has not given consent for this “directory” information to be released. It is better to find an alternative and make it a simple rule that you do not disclose any student information. Alternative options could be suggesting that the new students be informed either through an in-class announcement or through a signup process if they are interested. This way, the decision to provide such information rests with each student, rather than you disclosing it.


In today’s internet world where sharing is commonplace, teachers sometimes forget to think about FERPA. It is not that you can’t post or share, but you need to stop and be mindful of what you post and how you post it and make sure it does not contain any student private or protected information. This is especially true around emails, as they can also pose a problem. Sometimes, we want to send off a quick e-mail reply to a student’s question about an exam before we leave the office for the day. But we didn’t notice that this student copied other students in his e-mail, and so our reply has now gone to other students. I know all of us have hit the send button and then realized we sent it to the entire class. Of course, the content of the e-mail would determine whether this could be a FERPA violation. The point here is to check before you click send.


In general, use common sense and your best judgment to comply with the FERPA rules. It is our responsibility to protect each student’s information. Other than directory information, everything else, referred to as non-directory information, must remain private until student consent is obtained.


Although it is imperative you know about FERPA and how to ensure you comply, it is a federal law and thus has several exceptions and special considerations. Each University usually has at least one person who is a FERPA expert and responsible for ensuring the University and all faculty are following its requirements. If you have not received any training as part of your onboarding, you may want to reach out and meet with this person to learn more. As with any law, ignorance does not protect us should we violate it. Thus, consider stopping to ask for help before releasing information.

Violation of this law can result in disciplinary and legal actions taken against the teacher as well as the potential loss of federal funding for the institution. Violations are a serious matter, so if in doubt – ASK first before releasing information.


Keep the name and phone number of the office or individual who is the FERPA officer for the University close at hand should you need to refer someone to them. Sometimes, parents can become distraught when we are unable to give them the information they seek.


1. There are specific circumstances when parents can obtain access to their college child’s educational record. They include if the student is claimed as a dependent for tax purposes, for emergency health or safety issues, or if the student is under the age of 21 and has violated any law or policy related to the use or possession of alcohol or controlled substances (U.S. Department of Education).

For more information about FERPA, please contact your Human Resources or Legal department or go to the US Department of Education webpage https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html


Nazarian, T (2018, September 12). The Unintentional Ways Schools Might Be Violating FERPA, and How They Can Stay Vigilant. EdSurge. Retrieved from https://www.edsurge.com/news/2018-09-12-the-unintentional-ways-schools-might-be-violating-ferpa-and-how-they-can-stay-vigilant

Student Privacy Compass. Educators Guide to Student Privacy.  Retrieved from https://studentprivacycompass.org/audiences/educators/

U.S. Department of Education Student Privacy Office (2020, March). FERPA and Coronavirus Disease 2019: Frequently Asked Questions. Retrieved from https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20and%20Coronavirus%20Frequently%20Asked%20Questions.pdf

U.S. Department of Education. (2020, April). Guidance for eligible students. https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPAforeligiblestudents.pdf

U.S. Department of Education. (2021, July). FERPA General Guidance for Parents. Retrieved from https://studentprivacy.ed.gov/resources/ferpa-general-guidance-parents

U.S. Department of Education. (2021, March 25). Family Educational Rights and Privacy Act (FERPA). Retrieved from https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=rn

