Introduction *

The Federal Policy Compliance Office (FPCO)  is responsible for administering, interpreting, and enforcing the Family Education Right to Privacy Act (FERPA) and the Protection of Pupil  Rights Amendment. (PPRA).   An index to all of their materials can be found on FPCO’s Home Page.

For additional information on preserving privacy visit the Privacy Technical Assistance Center. PTAC

It describes its function in part as:

“The U.S. Department of Education is committed to student privacy.  We administer the Family Educational Rights and Privacy Act (FERPA), and we provide technical assistance to help schools and school districts use best practices in their use and management of information about students.  This site aims to assist stakeholders in protecting the privacy of students by providing official guidance on FERPA , technical best practices and the answers to Frequently Asked Questions.”

In 2012, the FERPA regulations at 34 CFR 99  were revised.  For a complete copy, click on the FERPA image below.

ferpa lock

FERPA protects educational records, including students’ health records.   When records are protected by FERPA, HIPAA does not apply. Although both laws are about protecting confidentiality,  the protection afforded to education records (including health information in those records) is considerably less than HIPAA gives to records in your family doctor’s possession.


How long should a school psychologist keep psychological records (A Q and A  9/17/2017) *

When school psychologists work for the school system, their work products become part of a child’s education records which are governed by FERPA and (usually since we’re working under special ed rules) the IDEA.  It is  correct important to be aware of one’s own state’s rules and regulations, which may impose additional burdens.  Typically, however, school psychologists are licensed or certified by the SEA, not a state psychology board.  In Texas, the state board controls the licensure of both private psychologists and school psychologists.  Nevertheless, even Texas licensure law  (p 141) requires LSSPs to comply with state education law, FERPA, and the IDEA.  Texas state education rules and regulations do not impose any additional requirements over those listed in 300.624 below with respect to the Destruction of Information, and in the public schools it is most usually a school administrator, not the school psychologist, who is responsible for enforcing compliance with those requirements.  Even if a SP maintained a separate copy of all his/her work products, those records would still be considered a part of the education record and would still be subject to FERPA and IDEA maintenance of record requirements.

In North Carolina, we typically kept our records until a student was no longer eligible for consideration for services by age.  In NC, children aged three through 21 are eligible for services, so we didn’t start pulling records on students until the summer following their 22nd birthday.  What the  Part B regulations say, and this is as applicable  in Texas as in North Carolina, is:

§ 300.624 Destruction of information. (a) The public agency must inform parents when personally identifiable information collected, maintained, or used under this part is no longer needed to provide educational services to the child. (b) The information must be destroyed at the request of the parents. However, a permanent record of a student’s name, address, and phone number, his or her grades, attendance record, classes attended, grade level completed, and year completed may be maintained without time limitation. (Authority: 20 U.S.C. 1412(a)(8); 1417(c)) Last Amended: 71 FR 46804, Aug. 14, 2006    (p. 261, Special Education Rules and Regulations, Texas State Laws)

Section 624 from Part B of the 2006 Final Regulations imposes an additional burden not found in FERPA, which is that parents must be notified before sped records for children evaluated and/or served under the IDEA are destroyed.  (FERPA, actually, does not provide any explicit advice regarding the destruction of records, other than to prohibit their destruction if there is an on-going request from a parent to review them.)

Schools will of course need to maintain records of students for whom headcount funds were received in case of an audit, which may go back six years in some states.  Additionally, while lawsuits alleging denial of FAPE are time limited, those time limitations are only applicable if the school can show it had made parents aware of them.   So (for headcount purposes or for legal contests), while a six year limitation might seem reasonable, it is not statutory, and parents would need to be informed prior to their destruction even if a school system did adopt such a policy.   In documenting progress, there is no specific time limitation on when older information is no longer useful.  And of course there are those cases where destroying some information that is more than six years old would be counter productive.   Your state requires a opthalmological or optometric evaluation to document visual impairment (blindness).   You have an opthalmological  report from when the child was two documenting that he was born without eyes.  Six years later, you tell the parent you’re going to destroy that report, s/he doesn’t object, and you burn it.  Now you would need a new opthalmological  or optometric evaluation to document Johnny, now 8,  has no eyes.

Another scenario may arise when a parent exercises the rights given to him/her by the 2008 Amendment to the Part B regulations, allowing them to revoke consent for services.  That right is not retroactive, and the amended Section 300.9 now reads ” If the parent revokes consent in writing for their child’s receipt of special education services after the child is initially provided special education and related services, the public agency is not required to amend the child’s education records to remove any references to the child’s receipt of special education and related services because of the revocation of consent. “

There is additionally a separate issue, not specifically germane to the discussion above, which is, “When is a record destroyed?”  In my era, it was a pretty simple question to answer, because a student turned 22,  we put an ad in the paper, waited a decent amount of time,  pulled the child’s folder, shredded it, and it was gone.  In this digital age, things are not nearly as simple,  as merely deleting a digital record does not ensure that the record could not still be retrieved.  The federal government maintains the Privacy Technical Assistance Center (PTAC) which provides schools with technical information on how to ensure that a destroyed record really is destroyed.  PTAC itself recently moved its website.  (Click here.)

Private psychologists would of course be bound by their state rules or APA ethics or both and HIPAA requirements depending on their state’s rules and regulations even when providing evaluations for school use for records maintained in their possession.  Records submitted to the school system, of course, would no longer be in their possession, would be protected by FERPA, but  would no longer would be their responsibility.

In a state where school psychologists’ licensure is governed by a state licensing board, if there is still some question as to which rules should apply . . . state licensing rules and regulations for private psychologists or FERPA/IDEA, this writer would recommend contacting the state board for clarification.

Federal Publications Explaining FERPA *

A complete listing of materials specifically designed for school officials, LEAs, and SEAs can be found at FERPA for School Officials.

In October, 2012, FPCO developed a presentation summarizing the FERPA regulations for school officials.

FPCO Presentation on FERPA


Exceptions: *

In this instance, FERPA provides not one but 10 exceptions where written parental consent is NOT required.  For more details, see 34 CFR 99.31.  FERPA does not require prior written parental consent when

  1. The information is considered directory information or when sharing with
  2. Teachers or other district officials with a legitimate educational interest in the child
  3. Officials of another school system in which the child intends to enroll
  4. State juvenile court systems and their officials
  5. State and federal educational authorities
  6. In compliance with a judicial order or a lawfully issued subpoena (some states only exempt compliance with a judicial order
  7. In connection with an application  for financial aid
  8. Organizations conducting educational studies
  9. Accrediting organizations
  10. Health and safety emergency (at the discretion of the school system; FPCO will not second guess a school system.)


FERPA and Medicaid *

In 2005, Iowa asked FPCO whether records disclosing information to Medicaid were considered education records or whether they were just federal records (not requiring consent.)

FPCO responded in a letter to Stevens, October 21, 2005,

There is no exception to the definition of “education records” for records used to submit reimbursement claims to a State Medicaid fiscal agent or for forms used by other Federal agencies. Nor is there any exception to the written consent requirement in FERPA that permits an educational agency or institution to disclose personally identifiable information to the Iowa Medicaid fiscal agent for reimbursement unless a parent or eligible student has provided prior written consent. Student records are protected under FERPA unless there is another Federal law that presents an irreconcilable conflict with FERPA requirements and governs as a later-enacted statute. See Watt v. Alaska, 451 U.S. 259, 267-268 (1981). We are aware of no such conflicting Federal law that applies to the circumstances you have described.”

Of course, there was an amendment to the IDEA in 2013 to 34 CFR 300.154 (d)

The amendment allows school systems to access public benefits with parental consent, but now they only have to get that written consent once, although they would still have to notify them annually thereafter on the consent provision, the no cost provisions, their  right to withdraw that consent, and that if they did withdraw their consent, the public agency would still be responsible for providing those services to the child at no cost to the parent.

OSEP also issued non regulatory guidance on the Amendment, entitled “Non-Regulatory Guidance on the IDEA Part B Regulations Regarding Parental Consent for the Use of Public Benefits or Insurance to Pay for Services under the IDEA.

supreme court

Supreme Court Decisions *

A Supreme Court case regarding FERPA in 2002 illustrates (in the opinion of at least one of the editors) the ridiculous lengths some people will go to in order to get very expensive answers to very simple questions.  The question this time was “Is it a violation of FERPA for teachers to let students grade other students’ papers.”  The Supreme Court, in a three page decision, said “No.”  The Supreme Court held that FERPA’s only penalty was the termination of federal funds to a school system that was substantially in violation of the FERPA requirements and that their cooperation could not be secured voluntarily.  Links to both  decisions are provided below:

Owasso v. Falvo, Supreme Court, February 19, 2002
Key Terms:  FERPA, Grading Papers, Consent
Published:  Yes
Decided for:  The school system

The instant holding is limited to the narrow point that, assuming a teacherís grade book is an education record, grades on studentsí papers are not covered by the Act at least until the teacher has ecorded them. The Court does not reach the broader question whether the Act protects grades on individual assignments once they are turned in to teachers

Gonzaga University v. Doe, Supreme Court, February 19, 2002
Key Terms:  FERPA, Section 1983, Damages
Published:  Yes
Decided for:  The university

The defendant in this case had successfully argued that even though FERPA contains no language giving people whose rights were violated under that law, there wass nevertheless a right to sue for damages under Section 1983 of the Civil Rights Act.  Damages and punitive damages had been awarded.  The university appealed, and the Supreme Court overturned the lower courts’ decisions.

 The fact that recipient institutions can avoid termination of funding so long as they “comply substantially” with FERPA’s requirements, § 1234c(a), also supports a finding that FERPA fails to support a § 1983 suit.

Although it may appear that FPCO wields a big stick, its power to apply punitive measures to schools whose employees violate FERPA is limited to situations where there has been substantial non compliance as a matter of policy; and even then schools have the opportunity to correct the situation before FPCO takes any action.  That these limitations are significant is attested to by the fact that FPCO has never in the history of FERPA ever actually withheld federal funds from a school system because of a substantial violation.

However:   The reader is cautioned that education law is hardly ever quite what it seems.   The IDEA incorporates FERPA by reference and adds several provisions of its own.  While FPCO is responsible for enforcing FERPA in public agencies, the states are responsible for enforcing FERPA with respect to students identified as disabled under the IDEA.  (See OSEP’s Letter to Anderson, below.)   Another  fly in the ointment  is that states may enact laws supplementing FERPA rights, and readers are cautioned to review their state laws regarding education records and confidentiality.  The review of state statutes below shows that for the most part, most states offer nothing more than is provided by FERPA in the way of penalties.   States that do provide for stricter penalties are highlighted in bold.  However, even in states where no additional penalties were imposed, there may be additonal rights afforded to students and their parents.   Clicking on the link to your state is therefore suggested for further information.

State Confidentiality Laws *

United States Map


Important Caveat:  For the most part, the review below does not take into account state department of education policies on confidentiality.  Even if there are no state statutes giving teeth to FERPA violations, in some states a FERPA violation may also be a violation of a state’s ethics rules.   Violations of a state education department’s ethics rules can if reported and confirmed result in a finding of unprofessional conduct.   Unprofessional conduct can result in a loss licensure.

Alabama:  No additional penalties found.

Alaska:  No additional penalties found.

Arizona: Injunctive or special relief may be granted by Superior Court

Arkansas: Records regarding handicapped students or foster children are to be kept confidential by respective school districts and the Department of Education.  No state penalty for confidentiality violations.

California: No additional penalties for confidentiality violations found.

Connecticut: Communication relating to alcohol or drugs between the nurse and student need not be disclosed to a parent.

District of Columbia: Student’s health file shall be confidential and subject to inspection, disclosure, and use only as applicable under District and federal law.

Florida:  Injunctive relief and attorney’s fees and court costs may be awarded

Georgia:  Unlike other states, Georgia’s privacy of school records law does not specify a punishment for violating the statute

Hawaii:   No additional penalties found

Idaho: No additional penalties found.

Indiana: No additional penalties found.

Illinois:  Illinois statutes explicitly allow parents to seek  damages in a state court if confidentiality laws  are broken.  Inspection allowed by students and parents but restricted to third parties. Information communicated in confidence by a student or parents to school personnel is not available. All rights and privileges become the student’s exclusively at age 18.

Iowa:  No additional penalties found.

Kansas:  No additional penalties found.

Kentucky:  No additional penalties found.

Louisiana: No additional penalties found.

Maine:  No additional penalties found.

Maryland:  No additional penalties found.

Massachusetts: If a school fails to provide a transcript within thirty days of the initial request, the student or parent may petition the court. The court may issue any remedies it deems necessary under the circumstances, including court costs and attorney’s fees.

Michigan:  No additional penalties found.

Minnesota:  Under state law, a person who suffers damage as a result of a school district violating data practices law can bring a civil action against the school district for damages. If a violation is willful, the plaintiff can recover exemplary damages of up to $15,000 per violation plus costs and attorney fees.

Missouri: No known state laws

Mississippi:  No additional penalties found.

Montana: No additional penalties found.

Nebraska:  Violation by official: subject to removal or impeachment and Class III misdemeanor

Nevada:   No additional penalties found

New Hampshire:  No additional penalties found.

New Jersey:  No additional penalties found.

New Mexico:  No additional penalties found.

New York:  No additional penalties found.

North Carolina: No additional penalties found.

North Dakota:  No additional penalties found.

Ohio:  No additional penalties found.

Oklahoma:  If a teacher reveals information obtained about a student unlawfully, it’s a misdemeanor. The maximum penalty for misdemeanors in Oklahoma, unless otherwise specified, is a $500 fine and a year in jail.

Oregon:  No additional penalties found.

Pennsylvania:   No additional penalties found.

Rhode IslandNo additional penalties for FERPA violation reported, but with respect to the PPRA, it would be a Misdemeanor to circulate a questionnaire “so framed as to ask intimate questions about themselves or families, thus trespassing upon the pupils’ constitutional rights and invading the privacy of the home” without approval of local school commissioner and department of education; can be fined $50 or imprisoned for not more than 30 days

South Carolina:  Any person who unlawfully removes or destroys records is fined between $200 and $5,000 and guilty of a misdemeanor; failure to deliver is a misdemeanor and may yield a fine of $500 .

Texas: No additional penalties found.

Tennessee: No additional penalties found.

Utah: No additional penalties found.

Vermont:  No additional penalties found in state law.  However, school personnel can be charged with unprofessional conduct under  the state education department rules and potentially lose their licenses for violating the following rule(s):


“  Principle VII. A professional educator complies with state and federal laws and regulations, relating to the confidentiality of learner and employee records, unless disclosure is required or permitted by law. Unprofessional conduct includes, but is not limited to:

  1. a)  Sharing of confidential information concerning learner academic or disciplinary records, health and medical information, family status and/or income, and assessment/testing results, with unauthorized individuals or entities;
  2. b)  Sharing of confidential information by an administrator about employees with unauthorized individuals or entities”

Virginia:  No additional penalties found.

Washington:  No additional penalties found.

West Virginia:  No additonal penalties found.

Wisconsin:  No additonal penalties, however, health records are treated as health records, not as education records.

Wyoming:  Wyoming Attorney General’s Office or local county attorney’s office can bring a civil action against anyone violating Wyoming’s privacy records laws. The maximum penalty is $750 and courts can award damages.

osep letters

OSEP Letters on FERPA *

Although FPCO has primary responsility for enforcing FERPA in public schools, the IDEA provides parents with additional rights.  As a consequence, OSEP has issued more than 40 letters since 1997 that address FERPA; some of those after 2006 are summarized below.

Letter to Flinn, May 8, 2013.  This is a wide ranging letter address issues relevant to parental consent; protected health information; PHI; confidentiality; education records; FERPA; HIPAA; Part C; Infants and toddlers; early intervention records; Family Educational Rights and Privacy Act; and the  Health Insurance Portability and Accountability Act.   The question from a Part C provider was whether it could release early intervention records to a healthcare provider without written parental consent under the HIPAA rules.   The answer, in brief, was “No.”  Where FERPA applies, FERPA rules alone.  In their more detailed response, OSEP said, “The term “early intervention records” was added to the September 28, 2011 final IDEA Part C regulations in 34 CFR §303.403(b) and is the same operationally as the term “education records” for purposes of the applicable confidentiality provisions in the FERPA regulations in 34 CFR Part 99. The more specific provisions in the IDEA Part C regulations in 34 CFR §§303.401 through 303.417 govern the confidentiality rights of infants and toddlers with disabilities and their parents under IDEA Part C and incorporate provisions in the FERPA regulations in 34 CFR Part 99 that refer to “education records.” As noted in the IDEA Part C regulations in 34 CFR §303.414(b)(1)(ii), “education records” under the FERPA regulations in 34 CFR §99.31 means “early intervention records” as defined in the IDEA Part C regulations in 34 CFR §303.403(b). With regard to your question about the HIPAA implications, the HIPAA Privacy Rule in 45 CFR §160.103 exempts from the definition of “Protected Health Information” (PHI), those “education records” that are covered by FERPA. 

Letter to Gran, November 12, 2012.  The IDEA gives parents the option of having either an open or closed hearing.  The question was whether the district could allow personnel without a legitimate educational interest attend the hearing without written consent.   The short answer, based on FERPA, was “No.”

Letter to Gray, March 18, 2008.  The question was whether written consent was needed to invite a representative from another agency to an IEP meeting just once or for every IEP team meeting.  Answer:  Consent consistent with 300.309 must be obtained for every IEP team meeting, but not for other informations where personal information wiill not be released.

Letter to Anderson, March 7, 2008.   In general, FERPA is enforced by FPCO.  However, the IDEA includes FERPA by reference and adds several additional requirements.   States are responsible for enforcing IDEA.  Are they, this letter asks, also responsible for enforcing FERPA as it applies to children with disabilities?  Short answer:  Yes.  OSEP’s answer: “In summary, a State educational agency (SEA) is required under Part B of the IDEA to enforce all Part B requirements, including those Part B Confidentiality of Information regulations that restate or paraphrase FERPA requirements. The Part B Confidentiality of Information regulations do not simply incorporate or restate FERPA; they contain several provisions that are tailored specifically to the special education environment. We note also that public agencies and participating agencies (as defined in Part B of the IDEA) are subject to the Part B Confidentiality of Information regulations even if they are not also an educational agency or institution under FERPA. In developing special confidentiality requirements for Part B of IDEA rather than simply applying FERPA to all Part B agencies, the Department recognizes that SEAs have unique expertise for addressing confidentiality issues in the special education context. FPCO  works with the Office of Special Education Programs (OSEP), which oversees and monitors SEA compliance with Part B of the IDEA, to ensure that SEAs enforce the Part B Confidentiality of Information requirement.

Letter to Shuster, August 7, 2007.   The question of parent access to test protocols arises sporadically even into the present day, with concerns over copyright vs. FERPA access rights continuing to perplex educators.   In this letter, OSEP directly addressed that issue; but the language of its response actually for the most part dates back to the 1999 FR for the IDEA 1997.

Records that are not directly related to a student and maintained by an agency or institution are not “education records” under FERPA and parents do not have a right to inspect and review such records. For example, a test protocol or question booklet which is separate from the sheet on which a student records answers and which is not personally identifiable to the student would not be part of his or her ” education records.” However, Part B and FERPA provide that an educational agency or institution shall respond to reasonable requests for explanations and interpretations of education records. (34 CFR §300.562(b)(1); 34 CFR §99.10(c)). Accordingly, if a school were to maintain a copy of a student’s test answer sheet (an “education record”), the parent would have a right under Part B and FERPA to request an explanation and interpretation of the record. The explanation and interpretation by the school could entail showing the parent the test question booklet, reading the questions to the parent, or providing an interpretation for the responses in some other adequate manner that would inform the parent. *** With respect to the issue of liability for disclosing information to parents when other laws or contractual obligations would prohibit it, public agencies are required to comply with the provisions of IDEA and FERPA and must ensure that State law and other contractual obligations do not interfere with compliance with IDEA and FERPA. Federal copyright raw protects against the distribution of copies of a copyrighted document, such as a test protocol. Since IDEA and FERPA generally do not require the distribution of copies of an education record, but rather parental access to inspect and review, Federal copyright law generally should not be implicated under these regulations.

Despite the above, a key phrase is “generally do not require.” FERPA does provide an exception,

If circumstances effectively prevent the parent or eligible student from exercising the right to inspect and review the student’s education records, the educational agency or institution, or SEA or its component, shall – (1) Provide the parent or eligible student with a copy of the records requested; or (2) Make other arrangements for the parent or eligible student to inspect and review the requested records.

Another important difference in parental rights under the IDEA that OSEP references in the above letter is the right referenced in the Letter to Shuster, above, that is, the right to file a complaint with the SEA under Section 300.151 of the 2006 FR.


FPCO Enforcement of FERPA (and the PPRA) *

To the best of our knowledge, FPCO has never withheld funds because of a FERPA (or PPRA) violation, and it has only once ever taken an educational institution, a university in this instance, to court.  It has a limited number of staff members, and no attorneys are employed by the agency, although they have access to ED lawyers.  The single case is summarized below.

U.S. v. University of Miami, Sixth Circuit, July 27, 2002
Key Words:  FERPA
Published:  Yes
Decided for:  FPCO

The only instance where FPCO took an educational institution to court.  The Sixth Circuit affirmed a district court ruling permanently enjoining Miami State University and Ohio State University ” from releasing student disciplinary records or any “personally identifiable information” contained therein, except as otherwise expressly permitted under the FERPA. ”  Both universities had released unredacted disciplinary information to a newspaper.  In the Ohio case, the state’s Supreme Court had ruled that state laws required disclosure.  For a variety of reasons (see decision) the Sixth Circuit concluded that FPCO has the authority to bring a lawsuit and seek injunctive relief. It also concluded that disciplinary records are indeed education records.  The twenty three page decision rejected other arguments presented by the Chronicle because in the court’s opinion there were no issues of fact, just of law, and that irreparable harm to the students could have resulted had the Chronicles’ motions been approved by the court.  Federal law, of course, preempts state law.  A potentially powerful tool, a court injunction, but as noted above . . . apparently only used by FPCO once.


A Case History:  What Can Happen When There are No Sanctions *

New York State, like most of the states reviewed above, provides no additional sanctions to those noted by the Supreme Court.   .

On October 30,2015, Fatima Geidi filed a FERPA complaint against the principal of Upper West Success Academy charter school in NYC.  She wrote, “On October 12, 2015, PBS News Hour ran a segment with an interview of my son [name removed] who spoke about his experiences at Upper West Success Charter Schools, where he was repeatedly suspended for minor offenses. His face and name appeared in the video, and his name in the transcript as well.”

She went on to say “On October 19, Ann Powell, Executive Vice President of Public Affairs and Communications at Success Academy Charter Schools, sent out a media release to reporters, composed of a long letter from Ms. Moskowitz to Judy Woodruff of PBS that included non-directory personally identifiable information from my son’s education record in connection with certain disciplinary issues.”  She attached copies of a Media Alert from the school in support of her allegation.  Mrs. Geidi informed the school that she was not waiving her privacy rights, but the school went ahead and issued another letter, saying that the ten year child had been suspended for behavior that was dangerous to others and himself.   Mrs. Geidi alleged that this was a falsehood.

According to Slate.com, Mrs. Geidi may have understated the volume of data released.  Slate reported “that listed 19 specific incidents of misconduct, some of them violent, along with long excerpts of teacher reports on Jamir’s behavior. (Her letter referred to Jamir as “John Doe,” but since he was the only student named in the PBS segment, there was no question about who she was talking about.)”

Moskowitz, the principal, replied in a letter to Geidi, saying “The First Amendment limits a person’s ability to use privacy rights to prevent others from speaking. When somebody chooses to make statements to the press, they waive their privacy rights on the topics they have discussed, particularly when, as here, those statements are inaccurate.”  Ms. Moskowitz was misinformed.  Talking to the Press does NOT automatically mean that a parent has waived her privacy rights.

The article went on to explain, “Unfortunately for Fatima and Jamir Geidi, individuals can’t bring claims under FERPA. Only the Department of Education can. The question of whether Moskowitz is held accountable for publishing Jamir’s records may thus be as much political as legal, and Moskowitz—until recently seen as a possible challenger to mayor Bill de Blasio—is politically powerful.”

And concluded by saying, “FERPA is supposed to protect such children. We’ll see if it does.”

There is no evidence that FPCO took any effective action, and, indeed, history suggests that it was unlikely.  At most, FPCO would have issued a cease and desist order . . . too late to compensate the parent and child for the damage already done.  FPCO’s response to this complaint is not available on-line, but its response to a situation where a university faculty member disclosed protected information is illustrative of FPCO’s requirements before closing out a complaint.

Letter to Bartel, October 11, 2005. “There is no indication from the information you have provided that the FERPA violation that occurred, as described in your letter, was due to the College’s failure to take reasonable and appropriate steps to protect the education records it maintains. Further, it appears that once the College became aware of the problem it promptly investigated the breach and took reasonable and appropriate steps to prevent any further unauthorized disclosures by adding workshops for existing and new faculty on FERPA issues. In that regard, the College’s FERPA training should include specific instruction on the type of violation that you reported to this Office. We would also ask you to provide specific instruction on this matter to the professor who published the student information in question except that it is our understanding that this individual no longer provides services for the College. Failure to take these steps could constitute a policy or practice of violating FERPA by permitting the disclosure of personally identifiable information from education records without the required prior written consent.”

Other troubling questions also arise, touched upon but not fully explored by the Huffington Post on October 26, 2015  In brief, the school in trying to defend itself against the charges originally brought against it . . . that it suspended students who did not measure up to its standards in an effort to get them to leave . . . but in doing so, it made was clear that that the school had provided “absolutely no evidence that Success Academies attempted to discover what might trigger the student’s outbursts/meltdowns in order to formulate a plan of action to help the child learn to manage his own behavior.”

In New York, Charter Schools are responsible for implementing the IEPs of identified students.  There does not appear to be a corresponding responsibility NY SED Charter School regulations  to refer children suspected of disabilities for an evaluation by the LEA in the district of residence.   In NY,  “the school district of residence is generally responsible for due process procedures relating to the evaluation, identification, educational placement and the provision of a free appropriate public education to charter school students.”   Regardless, there is also no evidence that the charter school contacted the child’s public school to evaluate the child and, if eligible, develop an appropriate IEP.

confidentiality laws

IDEA — Additional Rights *

For an authoritative comparison of the provisions in Part B, Part C, and FERPA, see the United States Department of Education’s comparison at;
ED Comparison of IDEA and FERPA Confidentiality Rights (2014)

In June 2014, the United States Department of Education issued a document comparing the rights of children without disabilities and those with disabilities as provided by Congress in the IDEA entitled IDEA and FERPA Confidentiality Provisions.  This document compares, side by side, relevant regulations from Part B, Part C, and FERPA.  Part B and Part C regulations supplement, but do not supplant, FERPA regulations.    For regulatory references in Part B of the 2006 FR, see:

34 CFR 300.560 – 300.577

The IDEA regulations included some additional protections tailored to special confidentiality concerns for children with disabilities and their families:

Public agencies must inform parents of children with disabilities when information is no longer needed and, except for certain permanent record information, that information must be destroyed at the request of the parents (34 CFR 300.573).

If a state transfers the IDEA rights of parents to children at the age of majority, the parents’ rights under the IDEA regarding educational records also transfer, but the public agency must provide any notice required under the due process procedures of the IDEA to both the student and the parent (34 CFR 300.574).

The state education agency must give public notice about the collection of personally identifiable information in the state and a summary of the policies and procedures that public agencies must follow regarding storage, disclosure to third parties, and retention and destruction of personally identifiable information (34 CFR 300.561).

Each public agency must have one official who is responsible for ensuring the confidentiality of any personally identifiable information, must train all persons who are collecting or using personally identifiable information regarding the state’s policies about confidentiality and FERPA, and must maintain for public inspection a current listing of the names and positions of individuals within the agency who have access to personally identifiable information (34 CFR 300.572).

hipaa ferpa

Where FERPA Applies, FERPA Rules *

In order to assist in resolving any disputes that might arise over the application of these two laws, the United States Department of Education the Department of Health and Services issued the following Joint Guidance in 2008.


School psychologists working exclusively in preschool, elementary, secondary (or even Infant Toddler) educational settings will have minimal involvement with the requirements of HIPAA regulations.  The only exception will be when seeking written consent from parents for the release of HIPAA protected records.  HIPAA’s requirements for a valid written consent differ from the consent requirements in FERPA.  The simplest way to comply with a healthcare provider’s requirements would be to use a model form developed for school use.   Several states already have such forms available, e.g., Connecticut, Maine, and the Oregon Department of Education (the most comprehensive.)

If a school wanted to develop its own model form to send to physicians (re-inventing the wheel), the federal regulations governing healthcare providers’ requirements before releasing protected records are extensive:

General Authorization content: The rule states that a valid authorization must be in plain language and contain at least the following core elements:

  • A specific and meaningful description of the information to be used or disclosed
  • The name or other specific identification of the person(s) or class of persons authorized to use or disclose the information
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity may make the use or disclosure
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is sufficient when an individual initiates the authorization and does not provide a statement of the purpose
  • An expiration date or event that relates to the individual or the purpose of the use or disclosure.
    • For research purposes only – The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure for research, including for the creation and maintenance of a research database or repository
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must be provided

In addition to the core elements, the rule states that a valid authorization must include:

  1. A statement of the individual’s right to revoke the authorization, in writing, and either:
  • A reference to the revocation right and procedures described in the notice, or
  • A statement about the exceptions to the right to revoke, and a description of how the individual may revoke the authorization

Exceptions to the right to revoke include situations in which the covered entity has already taken action in reliance on the authorization, or the authorization was obtained as a condition of obtaining insurance coverage.

  1. A statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization:
  • The covered entity must state that it may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, or
  • The covered entity must describe the consequences of a refusal to sign an authorization when the covered entity conditions research-related treatment, enrollment or eligibility for benefits, or the provision of healthcare, solely for the purpose of creating protected health information for a third party on obtaining an authorization
  1. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may no longer be protected by the rule

Some school psychologists and psychologists working in schools also have a private practice.  HIPAA rules would apply to them.   The consequences for violating HIPAA’s rules are potentially more painful in private practice then a similar violation would be under FERPA in a school setting.

For those private practitioners (or for school personnel working with teacher healthcare records not covered by FERPA), differences between FERPA and HIPAA can be found by reviewing the Save our Schools link.

The key phrase missing from FERPA with respect to enforcement is “Violators that knowingly and improperly disclose identifiable health information are subject to civil monetary and criminal penalties.”

Civil and Criminal Penalties Under HIPAA *

Civil monetary and criminal penalties?  What are those?  If I’m in private practice, should I worry?


Short Answer:  Yes.  Definitely.

Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:

  • Four categories of violations that reflect increasing levels of culpability
  • Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
  • A maximum penalty amount of $1.5 million for all violations of an identical provision
Civil monetary penalties
Tier Penalty
1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
2. The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
4. The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
Criminal penalties
Tier Potential jail sentence
Unknowingly or with reasonable cause
Up to one year
Under false pretenses Up to five years
For personal gain or malicious reasons
Up to ten years