Privacy of personal information is a persistent issue in our society; this is particularly true with respect to health information. Yet information about individuals’ health leads to discovery of public health problems. Recent changes to a federal law setting privacy protections for student information held by schools highlight these competing concerns. The Network has created two blog posts on this important subject. Read below for a blog post from the Network’s Mid-States Region about how the federal privacy law has been tightened to protect student information. Read another blog post from the Network’s Eastern Region here about a change that will enhance the sharing of student health information between schools and public health departments.
As schools are dismissing their students for the summer, it is hard to look ahead to fall when schools will greet their students for the new academic year. However, because of a change in federal regulations that apply to student information, public health departments that receive or use routine “directory information” from schools need to be aware of potential school policies that could impact this important source of information. The United States Department of Education amended its administrative rules, 34 CFR Part 99, effective January 3, 2012, that implement the Family Education Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, to allow schools to adopt policies that could limit sharing of directory information.
FERPA is a federal law that protects the privacy of student education records. It applies to schools that receive funds under any program administered by the U.S. Department of Education. FERPA prohibits schools from disclosing personally identifiable information from students’ education records without the consent of a parent or eligible student (students who have reached 18 or attend a post-secondary institution). FERPA provides some exceptions, allowing a school to share certain information without parental consent. Unfortunately, unlike the HIPAA privacy regulations, FERPA does not allow schools to broadly share identifiable student information with public health agencies for public health purposes. Instead, FERPA allows such sharing only in connection with a health or safety emergency or to evaluate or improve educational programs.
FERPA does allow schools to provide certain directory information about students, which includes names, address, telephone number, email address, date and place of birth, dates of attendance, most previous school attended and grade level. To share directory information, a school must give public notice to parents and eligible students of the types of information designated as directory information, and give them the right to opt out. Usually, this notice is provided at the start of the school year along with or as part of the annual notice that schools must provide to parents and eligible students of their rights under FERPA. Unless the parent objects, directory information can be provided to requesters without parental consent. By obtaining this information, vendors are able to contact students about photos, class rings and yearbooks. Additionally, public health departments are able to obtain directory information to update their records about children they serve. For example, schools might provide updated addresses for children to immunization programs that send reminders to parents that their child is due for a vaccine. In some states, school personnel may even be provided with access to immunization registries to directly update contact information for its students since FERPA allows schools to provide directory information electronically.
FERPA regulations have been amended to state that in their yearly notice to parents of their disclosure practices, schools “may specify that disclosure of directory information will be limited to specific parties, for specific purposes, or both” 34 CFR 99.37(d). If the school identifies specific recipients, or specific purposes, the school cannot provide directory information to anyone or for purposes not named. Thus, if health departments are not identified, they may no longer be able to obtain directory information.
Presumably, most schools will not change their current disclosure policies. However, some schools may adopt policies to enhance privacy by limiting disclosure of directory information, overlooking the importance of this information to health departments. Thus, health departments that rely on directory information, or want to avoid barriers to future access, may wish to contact their school district well before the start of school in fall 2012 regarding potential changes in policy to ensure that public health is included in any list that identifies to whom directory information will be provided.
This information was developed by Denise Chrysler, J.D., director for the Network for Public Health Law – Mid-States Region at the University of Michigan School of Public Health.
The Network for Public Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.