Top 5 FERPA & HIPAA Misconceptions for Schools

We live in an age filled with threats to student privacy. As an important member of your school community, you’re a defender of that privacy. And that role comes with a great deal of responsibility. Part of your responsibility is understanding two primary laws that protect against the unlawful disclosure of personal and health information: the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

These laws are complex and often misunderstood – which can lead to stress in school employees and can put your students and district at risk.

As an education law attorney representing schools, I help clarify many FERPA and HIPAA misconceptions that keep school personnel up at night.

Here are the top five misconceptions about FERPA and HIPAA that I regularly address in my work with schools.

1. “HIPAA applies to schools.”

Nope. 

Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of “HIPAA” protection concerning diagnostic and medical records. Such concern is helpful and motivating, because virtually all information regarding students – certainly doctor notes and evaluations – are protected from disclosure and review by anyone without “legitimate educational interests.”

But those protections are not because of HIPAA.

HIPAA, the “Health Insurance Portability and Accountability Act of 1996,” restricts the access, use and disclosure of “protected health information” maintained by “covered entities.” These entities are typically health plans, health-care clearinghouses, and health-care providers. That means that your school is not a covered entity, unless you’re providing “health care,” like through a free clinic or other service beyond a day-to-day school nurse.

So, stop worrying about HIPAA. But pay attention to FERPA and your state’s student record laws and regulations.

2. “We can’t call the doctor who wrote the student note without a signed release.”

That depends on who’s talking and what they’re sharing.

FERPA, the Family Educational Rights and Privacy Act of 1974 (also known as the “Buckley Amendment”), ensures access by parents and students and protects against the non-approved disclosure of “personally identifiable information” about students. That information includes virtually all information you collect and maintain on an enrolled student, certainly including the contents of the special education and Section 504 files.

But when you call a doctor to confirm that she authored a note that your Section 504 committee is considering, or to ask a question about a diagnosis for purposes of IEP drafting, or to confirm a medically excused absence, usually you’re not sharing information about the student. You are not disclosing “personally identifiable information” protected by FERPA. Rather, you’re asking for information from the doctor or the doctor’s office. A parent, guardian, or adult student need not permit you to call the doctor. You have that right.

A release needed here, if any, is to be secured by the doctor from the parents/guardians, since any information shared is likely “health information” shared from the health provider to the school ― the school isn’t sharing information about the student.

Any release needed is up to the doctor to determine. You can make your call, and ask relevant questions, so long as that conversation is a one-way street.

3. “Parents have access to all documents that mention their student.”

Well, most documents, but actually ― not all.

Records that are kept in the “sole possession” of the maker, and not shared with any other person, are not considered “education records” under FERPA, regardless of the nature of the information they contain. This means that notes kept by a teacher, or a related service provider, regarding the implementation of modifications and/or accommodations, or notes kept by persons attending IEP team or Section 504 meetings, so long as not shared with or accessible by others, are not covered by FERPA.

Since this information is not considered to be FERPA-protected “education records,” it is not automatically accessible by parents.

Keep in mind though, those documents likely become education records if shared with colleagues or kept in a folder or file that is accessible by others. The information must be kept in the “sole possession” of the maker and maintained as confidential and not shared with others in order to remain outside of FERPA’s mandates.

4. “FERPA prohibits paraprofessionals/teacher aides from seeing IEPs and Section 504 plans.”

That’s probably not right.

FERPA prohibits the disclosure of personally identifiable information regarding students contained in education records by schools to third-parties without written consent (typically provided by parent or guardian).

But FERPA does not require written consent when “school officials” with “legitimate educational interest” review student records. Such access does not require prior notice to parents or guardians, other than the usual, annual FERPA notice provided by schools.

So, who are “school officials” with authority to review this information? And what is a “legitimate educational interest?” These terms are not defined by the law. Schools are required to define them in policy or regulation, and that information needs to be noted in the annual notice.

Typically, these terms may be defined by asking the question, “What’s the need to know?” or “What’s the job duty?” that requires access to the information?

If the answer involves the delivery of instruction, or the implementation of modifications or accommodations or related service provided in an IEP or Section 504 plan, then access to the record is likely permissible.

However, if the answer is curiosity, or some purpose unrelated to education, access is prohibited.

Which brings us to the paraprofessional or aide. Does that individual need to review an IEP or Section 504 plan to implement his or her responsibilities under that document? May the para be trained in some other way? May you simply provide a list of responsibilities? What’s best practice? What’s the consistent practice of the school?

The point is ― there is no blanket rule under FERPA (or otherwise) that “non-certificated” personnel have less authority to access student records. And that’s a good thing, because paras have similar ownership of IEP and Section 504 plans. They are valued members of our teams and should be treated as such.

5. “Students can’t see other students’ grades under FERPA.”

That depends on who’s grading.

Typically, grades are “personally identifiable information” set forth in education records which are protected from unauthorized disclosure under FERPA. But in the seminal case of Owasso Independent School District v. Falvo, 534 U.S. 426 (2002), the United States Supreme Court held (in favor of a school district) that students scoring each other’s tests and calling out the grades does not violate FERPA. The Court found that those grades were “pre” grade book and not yet within education records, thus not protected. (To the relief of elementary teachers nation-wide.)

So, the practice of “peer grading” is acceptable. But don’t interpret that to mean that teachers may disclose student grades without consent. Because they cannot. Once a teacher is in possession of a grade, it becomes a protected education record. That information may be shared with parental consent, like through the publication of an honor roll, or sharing records with another school — and as discussed above, those with “legitimate” purpose internally may review the grades. But absent those circumstances, the information is protected.

In Summary

Remember to reflect on “Why?” and “Who?” and “What?” regarding student information. And remember to consider the purpose of external communications. FERPA and HIPAA exist primarily to ensure access to information and to protect against the disclosure of that information to persons without the need to know. Be careful out there.