State and Local Action Steps and Practices to Improve School-Based Health
Key Federal Laws Protecting Student Data and Privacy
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that affords parents the right to have some control over the disclosure of personally identifiable information (PII) from education records. The term "education records" means those records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See § 99.3 "Education records." Please note that, at the K-12 level, "education records" includes health records. FERPA generally requires that parents or eligible students provide prior written consent before schools can share PII from a student's education records, unless an exception to FERPA's general consent requirement applies.
The Individuals with Disabilities Education Act (IDEA) also contains confidentiality provisions that protect the privacy of student information (20 U.S.C. § 1417(c) and 34 C.F.R. §§ 300.610-300.626). Consistent with FERPA, these provisions generally require the prior written consent of a parent for disclosure of PII from education records, unless a specific exception applies. IDEA specifically requires public agencies to obtain written consent from the parent for release of personally identifiable information to a public benefits or insurance program, e.g., Medicaid. For more information about this parental consent requirement when public agencies seek to access a child's or parent's public benefits or insurance (e.g., Medicaid) to provide or pay for services required under Part B of IDEA for children with disabilities, and about the related parental rights and protections, see 34 C.F.R. § 300.154(d)(2)(iv) and (v). See also Suggested Model for Written Notification of Parental Rights regarding Use of Public Benefits or Insurance, available at: https://www2.ed.gov/policy/speced/guid/idea/memosdcltrs/accmodelwrittennotification-6-11-13.pdf.
For more information about FERPA, please visit http://familypolicy.ed.gov/. General questions about FERPA may be submitted to the Department's Family Policy Compliance Office using the Contact Us tab on that website or directly at http://familypolicy.ed.gov/content/questionscomments.
For information on the connection between FERPA and the Health Insurance Portability and Accountability Act (HIPAA), maintaining student health records, and the role these laws play in ensuring student safety and security, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf. For additional information about the HIPAA Rules, visit http://www.hhs.gov/ocr/privacy/.