The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services recently released updated guidance regarding the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to a student’s education and health records. 

FERPA generally prohibits educational agencies receiving federal funds from disclosing a student’s education records without the prior written consent of the parent or eligible student. On the other hand, HIPAA requires covered entities (health plans, health care clearinghouses, and health care providers) to protect an individual’s health records and other personal health information these entities maintain or transmit. 

Are Public Schools Subject to HIPAA’s Privacy Requirements?

In a few very limited instances, an educational institution subject to FERPA may also be subject to the HIPAA privacy requirements. A school may be considered a “health care provider” if it provides health care to students in the normal course of business and the transactions are those for which the U.S. Department of Health and Human Services has adopted a standard form. Even though a school may employ nurses, physicians, or psychologists, schools generally do not bill health care plans for their services. Thus, most schools are not entities covered by HIPAA. Even if a school that is considered to be an entity covered by HIPAA (e.g., when a school hires a health care provider that bills Medicaid for services provided under the IDEA), it will not have to abide by the privacy requirements if the school maintains health information only in “educational records” under FERPA. This is due to HIPAA’s Privacy Rule explicitly excluding FERPA “educational records” from the scope of the act. 45 CFR § 160.103.

Frequently Asked Questions

This new guidance includes a list of new frequently asked questions along with answers to when a student’s health information can be shared without the consent of the parent or eligible student under FERPA and HIPAA. We will discuss some of these new clarifications below.

  1. When can personal health information or personally identifiable information be shared about a student who presents a danger to themselves or to others?

FERPA allows educational institutions to disclose personally identifiable information to certain appropriate parties if knowledge of this information would be necessary to protect the health or safety of a student or others. This disclosure may take place with or without the consent of the student. 20 U.S.C. § 1232 g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36. In order to use this exception, the educational institution must look to the totality of the circumstances and determine that there is an articulable and significant threat to the health or safety of the student or others. 34 CFR § 99.36(c). An articulable and significant threat means that if the educational institution can reasonably explain why it believes a student poses a significant threat, such as bodily harm to himself or others, the school may disclose educational records to any person who would be able to assist in protecting a person from that threat. If the educational institution is able to show that it had a rational basis for disclosing the information, the U.S. Department of Education will not substitute its judgment for that of the educational institution making its decision. 34 CFR § 99.36(c). The ability to share this information expires once the danger is no longer present.

The Joint Guidance provided the following example: A student states that he knows where his parents keeps his guns and that he is going to come back and make sure that someone pays for what they have done. What is the district supposed to do? According to the U.S. Department of Education, FERPA permits the district to warn the appropriate parties that the student has made this statement and may be a threat to harm themselves or others. The district may inform the student’s parents, the police, or other parties that would be in a position to help protect the health and safety of the student or others.

  1. Under FERPA, can an educational institution disclose, without prior written consent, personally identifiable information from a student’s educational or health records to their law enforcement officials?

The short answer is yes, so long as certain conditions are met. If the person is an employee of the educational institution,  meets the school’s definition of a “school official” based on the school’s annual FERPA notice, and has a legitimate educational interest in the information/records then the law enforcement official may be considered a school official to whom a student’s personally identifiable information may be disclosed without prior written consent. 20 U.S.C. § 1232g(b)(1)(A); 34 CFR §§ 99.7(a)(3)(iii) and 99.31(a)(1)(i)(A). 

What about School Resource Officers and other law enforcement officials who are not employees of the educational institution? School resource officers are not employees of the educational institution but may be considered a “school official” if they:

  1. Perform an institutional service or function for which the school would otherwise use employees (e.g., ensure school safety or security);
  2. Are under “direct control” of the educational institution with respect to the maintenance of the educational records. (e.g., done through a memorandum of understanding (MOU) to establish restrictions and protections);
  3. Are subject to FERPA’s use and re-disclosure requirements in 34 CFR § 99.33, which provides that the personally identifiable information may only be used for the purpose for which the disclosure was made (e.g., school safety and security) and limits re-disclosure of the student’s educational records;
  4. The SRO meets the school’s definition of a “school official” provided in its annual notification of FERPA rights and has a “legitimate educational interest” in the records.

If the school resource officer or other law enforcement official is not a “school official” acting with a “legitimate educational interest” then the school may not disclose a student’s educational and health records without the prior written consent of the parent unless an exception applies. (i.e. health or safety emergency explained above.)