FERPA and HIPAA Guidelines for Staff


The Family Education Rights and Privacy Act of 1974, commonly known as FERPA, is a federal law that protects the privacy of student education records. Students have specific, protected rights regarding the release of such records and FERPA requires that institutions adhere strictly to these guidelines. Therefore, it is imperative that the faculty and staff have a working knowledge of FERPA guidelines before releasing educational records.

Educational Records

FERPA gives students and custodial parents (for students under the age of 18) the following rights regarding educational records:

  • The right to access educational records kept by the school;
  • The right to demand educational records be disclosed only with student consent;
  • The right to amend educational records;
  • The right to file complaints against the school for disclosing educational records in violation of FERPA.

Students have a right to know about the purpose, content, and location of information kept as a part of their educational records. They also have a right to expect that information in their educational records will be kept confidential unless they give permission to the school to disclose such information. Therefore, it is important to understand how educational records are defined under FERPA. Educational records are defined by FERPA as:

Records that directly relate to a student and that are maintained by an educational agency or institution or by a party acting for the agency or institution.

Educational records are directly related to the student and are either maintained by the school or by a party or organization acting on behalf of the school. Such records may include:

  • Written documents (including student advising folders);
  • Computer media;
  • Microfilm and microfiche;
  • Video or audio tapes or CDs;
  • Film;
  • Photographs.

Any record that contains personally identifiable information that is directly related to the student is an educational record under FERPA. This information can also include records kept by the school in the form of student files, student system databases kept in storage devices such as servers, or recordings or broadcasts which may include student projects.

Records Not Considered As Educational Records

The following items are not considered educational records under FERPA:

  • Private notes of individual staff or faculty (NOT kept in student advising folders);
  • School security records;
  • Medical records (HIPAA protections may apply);
  • Statistical data compilations that contain no mention of personally identifiable information about any specific student.

Faculty notes, data compilation, and administrative records kept exclusively by the maker of the records that are not accessible or revealed to anyone else are not considered educational records and, therefore, fall outside of the FERPA disclosure guidelines. However, these records may be protected under other state or federal laws such as the doctor/patient privilege. Please check to make sure that you fully comply with these disclosure guidelines before disseminating any of this information.

Two Types of Educational Records

There are two types of educational records as defined under FERPA. Each type of educational record is afforded different disclosure protections. Therefore, it is important for faculty and staff to know the type of educational record that is being considered for disclosure.

Directory Information

Some information in a student's educational record is defined as directory information under FERPA. Under a strict reading of FERPA, the school may disclose this type of information without the written consent of the student. However, the student can exercise the option to restrict the release of directory information by submitting a formal request to the school to limit disclosure. Directory information may include:

  • Name;
  • Address;
  • Phone number and email address;
  • Dates of attendance;
  • Degree(s) awarded;
  • Enrollment status;
  • Major field of study.

Though it is not specifically required by FERPA, institutions should always disclose to the student that such information is considered by the school to be directory information and, as such, may be disclosed to a third party upon request. Schools should err on the side of caution and request, in writing, that the student allow the school to disclose directory information to third parties.

Non-directory Information

Non-directory information is any educational record not considered directory information. Non-directory information must not be released to anyone, including parents of the student (if the student is over 18 and the requesting parent is the custodial parent), without the prior written consent of the student. Further, faculty and staff can access non-directory information only if they have a legitimate academic need to do so. Non-directory information may include:

  • Social security numbers;
  • Student identification number;
  • Race, ethnicity, and/or nationality;
  • Gender;
  • Transcripts;
  • Grade reports.

Transcripts are non-directory information and, therefore, are protected educational records under FERPA. Students have a right to privacy regarding transcripts held by the school where third parties seek transcript copies. Schools should require that students first submit a written request to have transcripts sent to any third party as the privilege of privacy of this information is held by the student under FERPA. Schools should never fax transcripts because this process cannot guarantee a completely secure transmission of the student's grades to third parties.

Prior Written Consent

In general, a student's prior written consent is always required before institutions can legitimately disclose non-directory information. Schools may tailor a consent form to meet their unique academic needs. However, prior written consent must include the following elements:

  • Specify the records to be disclosed;
  • State the purpose of the disclosure;
  • Identify the party or class of parties to whom the disclosure is to be made;
  • The date;
  • The signature of the student whose record is to be disclosed (parental signature if minor);
  • The signature of the custodian of the educational record.

Prior written consent is not required when disclosure is made directly to the student (or parent of minor student) or to other school officials within the same institution where there is a legitimate educational interest. A legitimate educational interest may include enrollment or transfer matters, financial aid issues, or information requested by regional accrediting organizations.

Institutions do not need prior written consent to disclose non-directory information where the health and safety of the student is at issue, when complying with a judicial order or subpoena, or where, as a result of a crime of violence, a disciplinary hearing was conducted by the school, a final decision was recorded, and the alleged victim seeks disclosure. In order for institutions to be able to disseminate non-directory information in these instances, FERPA requires that schools annually publish the policies and procedures that the institutions will follow in order to meet FERPA guidelines.

FERPA has strict guidelines regarding disclosing the educational records of dependent students (students who have reached the age of 18 but still live with parents). Though FERPA allows such disclosure, the act mandates that the institution first publish clearly delineated policies and procedures for the disclosure of these records. The institution must publish these guidelines annually in a format that is easily accessible to interested parties. It is recommended that both the dependent student and parents sign written disclosure agreements stating, at minimum, the following:

  • The dependent student understands and allows parental access to these educational records;
  • The dependent student and his/her parents have been given a copy of the institution's policies and procedures for the disclosure of students' records.



The Family Education and Privacy Act was enacted by Congress to protect the privacy of student educational records. This privacy right is a right vested in the student. Generally:

  • Institutions must have written permission from the parent or eligible student in order to release any information from a student's educational record.
  • Institutions may disclose directory information in the student's educational record without the student's consent.
  • It is good policy for the institution to notify the student about such disclosure and to seek the written permission of the student to allow disclosure of any educational records including directory information.
  • Institutions should give the student ample opportunity to submit a written request that the school refrain from disclosing directory information about them.
  • Institutions must not disclose non-directory information about students without their written consent except in very limited circumstances.
  • Institutions should notify students about their rights under FERPA through annual publications.
  • When in doubt, it is always advisable to err on the side of caution and to not release student educational records without first fully notifying the parent/eligible student about the disclosure.

Finally, the school should always seek a written consent from the parent or eligible student before disseminating educational records to third parties.


HIPAA is the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996.

A discussion of some of the issues which may be of general interest to school districts follows.

Q: What is the Privacy Rule?

A: Entities regulated by the Rule ("covered entities") may not disclose "protected health information" without consent or authorization, except as permitted or required by law. "Protected health information" is generally defined as individually identifiable health information. This definition is subject to important exceptions, which will be discussed below.

Q: What are "covered entities?"

A: Covered entities are "health plans, health care clearing houses, and health care providers who transmit health information in electronic form" relating to transactions concerning health claims, health plans, injury reports, and referral certification and authorization.

Q: Are Massachusetts public school districts covered entities?

A: School districts, in the course of providing school psychological, nursing, and some special education related services fall within the definition of a "health care provider," which is a "covered entity." For purposes of the privacy regulation, a "health care provider" is any "person or organization who furnishes, bills, or is paid for health care in the normal course of business." 45 CFR § 160.102. The regulations define "health care" broadly enough to include the school functions listed above. Although school districts are technically "covered entities," the vast majority of the health information they process or maintain is exempt from Privacy Rule protections. The definition of "protected health information" subject to the Privacy Rule excludes education records covered by the Family Educational Rights and Privacy Act ("FERPA"). 45 CFR § 164.501. FERPA defines "education records" as including those records which are directly related to a student and maintained by an education agency or institution, or by a person acting for such agency or institution. 20 USC § 1232g(a)(4)(A). This definition encompasses essentially all student health-related records. Based upon the foregoing, school districts are in the unusual position of being "covered entities" which deal almost exclusively with health information not subject to the HIPAA Privacy Rule.

Medicaid billing and other similar functions for school districts may eventually require districts to submit information to health insurance providers in a HIPAA-compliant manner as a condition of doing business. Although this administrative burden may not be placed upon schools immediately, it may occur when compliance is substantially achieved with the statutory mandate to adopt standards for transactions and data elements which will enable health information to be exchanged electronically. 42 USC § 1230d-2.

Q: How will the Privacy Rule affect school district child immunization record keeping requirements?

A: Some additional administrative hurdles may be encountered in obtaining immunization information. The HIPAA Privacy Rule generally provides parents and guardians with control over their children's health care information. 45 CFR § 164.502(g). Although child immunization information may be released directly to the parent, a written release is required to allow the health care provider to give the immunization information directly to school districts. The parent must execute an authorization including a description of the information to be used or disclosed, the specific persons authorized to make the disclosure, the name of the person(s) to whom the disclosure will be made, the purpose of the disclosure, and the date upon which the authorization expires. 45 CFR § 164.508(c). Any previous practices involving less formal authorization for disclosure of child immunization information must be discontinued.

School officials, however, likely may continue to disclose immunization information to public health officials in accordance with previous practice. Once the immunization record is provided and maintained by the school district, the FERPA exception described above would apply.

Q: Do school officials require written authorization before providing medical information supporting a report of suspected child abuse?

A: No authorization is required, even if the information has not been reduced to an "education record" exempt from the Privacy Rule. A covered "health care provider" need not treat a parent as a child's personal representative when abuse or harm to the child is a concern. 45 CFR § 164.502(g)(5). Moreover, a covered entity may disclose protected information if necessary to prevent or lessen a serious and imminent threat to the health or safety of the involved person or the public. 45 CFR § 164.512(j).

Q: How does the Privacy Rule impact the school district's personnel function?

A: No effect is intended. Employment records are expressly excluded from the definition of "protected health information." 45 CFR § 164.501. When the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. 67 FR 53192 (2002). Medical information used solely in a school district's personnel function is thus exempt from the Privacy Rule.

Please let me know if you have any questions. Thank you.