Skip Navigation
Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies

2.E. Other Federal Laws Affecting Information Privacy in Schools

Student records may be protected simultaneously by laws administered by the U.S. Department of Education, as well as by other state and federal agencies. FERPA establishes a high level of privacy protection, but statutes administered by agencies within the U.S. Departments of Agriculture, Health and Human Services, and Justice also protect records privacy and may apply to the records of students in schools. Professional standards of ethical practice, under which school doctors and nurses, psychologists, and other professionals operate, may also establish privacy restrictions. Following are some examples:

  • Information about students certified eligible for free and reduced-price school meals is covered by confidentiality restrictions administered by the U.S. Department of Agriculture.
  • Records of drug and alcohol prevention and treatment services for students are covered by confidentiality restrictions administered by the U.S. Department of Health and Human Services.
  • Some laws establish minors’ rights to seek treatment for certain health and mental health conditions, including sexually transmitted diseases, HIV testing and treatment, pregnancy, and mental health counseling.
  • Some state laws protect records pertaining to HIV status, medical records, child abuse, privileged communications, and state-specific records retention and destruction regulations.

Confidentiality issues may arise in schools in cases where FERPA is not the broadest protection or where the application of FERPA may be unclear. As a result, school personnel must develop an understanding of the principles underlying legal statutes and regulations and make every effort to maintain the privacy of any information they receive in the course of providing services. School officials increasingly have access to sensitive health and family information.

When uncertainty occurs about when and with whom information should be shared, individuals in schools should act with caution and understand that their fundamental obligation is to maintain confidentiality. School personnel should never share with another individual—even a professional—more than is necessary to benefit the student. Legal counsel and school officials are available to interpret matters where privacy issues are involved. Teachers, paraprofessionals, and principals should not hesitate to consult these individuals when they are uncertain about their obligations or responsibilities. The references at the end of this section contain additional contacts for guidance related to the information presented here.

Individual student records held by schools or education agencies are primarily education records and are therefore subject to FERPA regulations, even when other statutes also may apply. If officials perceive a conflict between FERPA and any state or other federal statutes or regulations, they should seek counsel from appropriate legal authorities to identify the issues involved and to establish policies that accurately reflect applicable legal statutes. Officials should also contact the FPCO in the Department of Education regarding any apparent conflicts between FERPA and other federal or state laws.

The Children’s Online Privacy Protection Act of 1998 (COPPA) also has an impact on student privacy. Teachers are increasingly using the Internet as an instructional method to enhance student learning. Effective April 2000, certain web sites must obtain parental consent before collecting personal information from children under age 13. The main goal of the Act is to protect the privacy of children using the Internet. The privacy notice of these web sites must state that the parent can review and have deleted their child’s personal information, and must inform users how the information will be used and whether personal information is disclosed to third parties. Consent is verified through print forms, credit cards, digital signature, e-mail accompanied by a pass code, and so on.

NSLA safeguards the confidentiality of students receiving free and reduced-price school meals

The Richard B. Russell National School Lunch Act (NSLA), which has stricter privacy provisions than FERPA, restricts who may have access to records on students who are eligible for free and reduced-price meals. This includes student and household information obtained from the free and reduced-price eligibility process and the student’s (free or reduced-price eligibility) status. Individuals who may be permitted access to this information under FERPA may be denied access under the more restrictive provisions of NSLA. Refer to exhibits 2–5 through 2–9 for guidance concerning the allowable use of free and reduced-price eligibility data.

The National School Lunch Program, administered by the U.S. Department of Agriculture, operates in most elementary and secondary schools. Many of these schools also participate in the School Breakfast Program. Any child at a participating school may purchase a meal under the lunch and/or breakfast program. However, students from households with incomes at or below 130 percent of the federal poverty level are eligible for free school meals, and children from households with incomes between 130 percent and 185 percent of the federal poverty level are eligible for reduced-price school meals.

For many schools and school districts, information from the lunch program is likely to be the best and maybe the only source of data available to schools on “economically disadvantaged” students.

The NSLA strictly limits how school districts may use individual student and household information obtained as part of the free and reduced-price school meals eligibility process once students are identified to receive program services. The NSLA also includes civil and criminal penalties for unauthorized disclosures and improper uses of students’ school lunch eligibility information.

School officials may obtain parental consent to use students’ free and reduced-price meal eligibility information for a purpose other than determining the households’ eligibility for free and reduced-price meals for their children. However, the NSLA specifies that persons “directly” connected to the administration or enforcement of certain programs or activities are permitted access to children’s free and reduced-price meal eligibility information without parental consent. Additionally, the statute specifies that some of these programs or activities may have access to students’ eligibility status only (whether they are eligible for free meals or reduced-price meals), while other individuals and programs may have access to all eligibility information (all information from the households’ free and reduced-price school meal application). Exhibits 2–5 to 2–9 provide the programs and activities that may be permitted access to and use of students’ free and reduced-price meal eligibility information, the amount of information that may disclosed, and whether parental notification and consent are required. For example, under the NSLA, federal and state education programs are eligible recipients of students’ free and reduced-price eligibility status. Although a program or individual may be authorized under the NSLA to receive free and reduced-price eligibility information, there must be a legitimate “need to know” to provide a service or carry out an authorized activity. Whenever possible, aggregate data should be used rather than personally identifiable data. Additionally, the disclosure of students’ school meal eligibility information should be made available only to a limited number of individuals. The agency responsible for making the free and reduced-price meal eligibility determination makes the decision on whether or not to disclose students’ eligibility information. This agency will be the school food authority or school administration.

If an agency’s database includes (free and reduced-price eligibility) information that is personally identifiable, database managers must impose controls on the disclosure of that information so that only eligible recipients have access to students’ school meal eligibility information.

The Food and Nutrition Service of the U.S. Department of Agriculture has issued several memoranda on limited disclosure of children’s free and reduced-price meal or free milk eligibility information. (See exhibits 2–5 and 2–6). School officials may contact the district’s food service director or the state education office responsible for the administration of the school nutrition programs in their state for further information or for a copy of the Eligibility Guidance for School Meals Manual (August 2001), which includes a section on the confidentiality of students’ free and reduced-price meal information.

The Drug and Alcohol Patient Records Confidentiality Law protects drug prevention and treatment records

Federal confidentiality laws and regulations prohibit the disclosure of information about students who apply for or receive alcohol or drug abuse treatment services. The federal Drug and Alcohol Patient Records Confidentiality Law (42 CFR) is administered by the Substance Abuse and Mental Health Services Administration of the U.S. Department of Health and Human Services. The Department of Health and Human Services confidentiality regulations apply to records of any patient, even a minor student in school, who receives treatment from a federally assisted program. Under the law, patients include students who receive counseling because they are children of alcoholics or drug abusers.

The confidentiality rules, known as 42 CFR, apply to assessment, diagnosis, counseling, group counseling, treatment, or referral for treatment in most programs in which students participate, including programs sponsored by public and many private schools. They generally forbid the release of any information without a patient’s consent, even when the patient is a student in school and under 18 years of age.

The 42 CFR restrictions may conflict with the obligations of school-based programs to provide parent access to the education records of their student. However, the U.S. Department of Education and the Substance Abuse and Mental Health Services Administration issued a joint opinion in 1990 that suggests potential solutions to this conflict. One solution requires students to consent to parent access to records as a condition of receiving diagnostic, treatment, or referral services; a second solution limits the information kept in school records, recognizing that parents may have access to them. Both solutions are imperfect, however, and school officials are advised to seek information and advice about potential confidentiality conflicts from the FPCO.

HIPAA protects the confidentiality of personal health information and access of health records

While education records are protected under FERPA, individual health information is protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This mandate establishes federal standards for the privacy of individually identifiable health information. The Privacy Rule of the law:

  • gives patients more control over their health information;
  • sets boundaries on the use and release of health records;
  • establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information;
  • holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights; and
  • strikes a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health.

HIPAA affords patients rights of access to their own medical records, as well as the right to examine and obtain a copy of their own health records and request corrections. It is important to note that there is a broad exemption in HIPAA’s Privacy Rule that excludes health information contained in education records as defined in FERPA. In other words, any health information that is maintained by an education agency or institution is subject to FERPA access and disclosure rules, regardless of whether the information was created and used by health professionals.

Under HIPAA, there are three different rules that apply to covered entities such as medical providers and hospitals. The three rules apply to certain entities if they meet the definition of covered entity. “Covered entities” are entities that are health plans, health care clearinghouses, or health care providers that transmit health information in electronic form in connection with a transaction for which the Secretary of Health and Human Services has adopted a standard (covered transaction).

Even if a state lead agency under Part C is a “covered entity” under HIPAA, its individually identifiable health information may not be subject to the Privacy Rule if those records are covered by FERPA, 20 USC § 1232(g) (which is administered by the U.S. Department of Education). Whether the state lead agency’s individually identifiable health information is subject to the Privacy Rule depends on whether the information is an education record under the FERPA, 20 USC § 1232(g). In short, records relating to Part C services for the child are exempt from the Privacy Rule because HIPAA’s Privacy Rule applies only to information that is “protected health information” (45 CFR 160.103). Under the Privacy Rule, education records covered by FERPA are excluded from the definition of “protected health information.”

The U.S. Department of Health and Human Services (DHHS) establishes national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. The standards set forth in HIPAA also address the security and privacy of health data. The main objective is to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care. More information about these requirements can be found at the web sites of Centers for Medicare and Medicaid Services (cms.hhs.gov/hipaa) and Office for Civil Rights (www.hhs.gov/ocr/hipaa).”

The Paperwork Reduction Acts monitor the paperwork burden

The federal government monitors the paperwork burden of federal legislation through the Paperwork Reduction Acts of 1980 and 1995, which authorize the Office of Management and Budget (OMB) in the Executive Office of the President to restrict the information that agencies may collect from the public. Federal agencies and noneducation agencies receiving federal funds must obtain OMB clearance authorizing each approved data collection instrument or form. An approved information collection form is assigned a clearance number and an expiration date to confirm that it is authorized. Approved federal data collections must explain the data collection purpose prominently on the form, whether the data collection is mandated or voluntary, and the benefit(s) to be obtained from the data collection.

The clearance process also requires that plans for data collection stipulate how the data are to be used, along with provisions for ensuring the confidentiality of any personal data collected. OMB clearance is not required for the clearance of state or local forms, however. OMB clearance ensures that requests for information from student records meet the requirements of FERPA.

The Privacy Act governs the use of social security numbers

Section 7(a) of the Privacy Act of 1974 addresses the use of social security numbers by federal, state, or local governments. It states that it is:

...unlawful for any federal, state, or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number...

When government agencies collect social security numbers for reasons other than those allowed in the original law, they must specify how the numbers will be used and the limits of their use. Requests for social security numbers must be accompanied by the following notice:

Any federal, state, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

State and local education agencies can minimize challenges to their use of social security numbers for student records identification by creating alternative identification numbers for students whose parents object to using social security numbers for identification.

Top