Protecting Student Privacy: What Educational Institutions Need To Know About Student Health Records

The US Department of Education has issued new guidance for schools and postsecondary institutions that emphasizes their obligation to protect student privacy under the Family Educational Rights and Privacy Act (FERPA). The guidance focuses specifically on the confidentiality of student health records.

FERPA was established to protect the confidentiality of student records and grant parents the power to oversee their children’s academic files. Educational agencies, including school districts, public primary and secondary educational institutions, and colleges and universities that receive funding through any program directed by the US Department of Education fall under FERPA’s purview. FERPA allows parents and eligible students to exercise some control over the disclosure of personally identifiable information (PII) contained within student educational records. The law also prohibits the release of educational records without written consent from a parent or eligible student unless an exception to FERPA’s general consent requirement applies.

The Department of Education has reiterated to educational institutions covered by FERPA that health records of eligible students held by the institutions or their representatives fall under the definition of educational records under FERPA, provided that these health records do not fall under the category of treatment records. If a postsecondary educational institution holds health records that meet specific criteria related to their creation, maintenance, and usage in providing treatment to an eligible student who is over 18 years old, those health records are considered treatment records. However, if those treatment records are disclosed for any purposes other than providing treatment to the eligible student or for personal review by a physician or appropriate professional of the student’s choice, they will be classified as educational records and will be covered by FERPA. This means that the records will not be considered as protected health information subject to the HIPAA Rules.

The guidance emphasizes that health-related records of eligible students, which are utilized for purposes other than treatment, are classified as educational records. This includes instances where such records are employed for medical forms and questionnaires to evaluate eligibility for involvement in school-sponsored athletic events. In the case of students under 18 years of age attending primary or secondary schools, treatment records are also regarded as educational records, thereby making them subject to FERPA’s restrictions on disclosure. FERPA allows the release of student educational records, including certain health records, exclusively with prior written approval from an eligible student or the student’s parent/legal guardian for non-eligible students. Alternatively, FERPA permits but does not mandate disclosure when an exception to the general consent requirement is applicable. In instances where student information is divulged, it should be limited to the minimum amount of information required to achieve the desired disclosure goal.

Moreover, the guidance distinguishes between health records covered by FERPA and those covered by HIPAA. FERPA applies to student health records held by campus health clinics and other healthcare facilities operated by educational institutions, as these records qualify as educational or treatment records under FERPA, thereby excluding them from the scope of the HIPAA Privacy Rule. On the other hand, if a postsecondary institution that is a HIPAA-covered entity provides healthcare services to non-students, the non-student data falls under protected health information subject to the HIPAA Privacy Rule, while the student health records remain subject to FERPA as educational or treatment records. 

As per the new guidance, it is crucial for educational institutions to ensure compliance with FERPA requirements when handling student health records.Institutions are required to obtain written consent from eligible students or parents prior to disclosing PII contained in student educational records, which may include student health information. Exceptions to this rule include disclosures to parents of eligible students if the student is a dependent, disclosures to school officials with a “legitimate educational interest” in the PII, disclosures in connection with emergencies to protect student health or safety, and disclosures pursuant to judicial orders or lawfully issued subpoenas.

The US Department of Education has also released further¬† resources to assist educational institutions in complying with FERPA regulations. These resources include guidance on addressing emergencies on campus and a document on HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. These materials provide a clearer understanding of FERPA regulations and promote compliance with the law. In addition, a “know-your-rights” resource is available for parents and eligible students, offering a comprehensive overview of the rights granted under FERPA, with a specific focus on student health records. It emphasizes that the HIPAA Privacy Rule generally does not extend to student health records, except for those falling outside the categories of “education record” or “treatment record” as defined by FERPA.

FERPA is an essential law that protects student privacy by ensuring that educational institutions safeguard personal identifiable information, including student health records. The new guidance from the US Department of Education emphasizes the importance of compliance with FERPA regulations when handling student health records, and educational institutions should take steps to ensure that their policies and practices adhere to these guidelines. By doing so, they can create a safe and secure environment that respects and upholds the privacy rights of their students.