FERPA Regulation Knowledge Hub
Compliance, Disclosure, and Security Information
XMedius provides the education market with powerful communications solutions designed to streamline workflows, minimize breach risks, and simplify regulatory compliance.
Our solutions have enabled FERPA-compliant document & file communications for:
Colleges & Universities
Whether this is your first time investigating FERPA, or you have some experience but are looking to expand your knowledge, this guide is designed to help you understand the complexities of the law so you’re better equipped for compliance.
Please note that this guide is not provided as legal advice. While XMedius has helped institutions across the US protect their communications and achieve compliance, our products do not guarantee FERPA compliance. Your organization will need to ensure it has implemented any policies and procedures necessary to achieve and maintain compliance.
FERPA is the key regulation regarding managing student records in the United States. It not only helps protect students’ education records from prying eyes, but also ensures that parents or eligible students have access to records. As part of this mandate, it requires certain recordkeeping procedures to ensure rules are followed and actions tracked. Our secure document exchange solutions facilitate easy communication between schools and other educational entities while preventing breaches and automatically keeping records of disclosures.
The Basics of FERPA
FERPA stands for the “Family Educational Rights and Privacy Act” (aka “The Buckley Amendment”).
FERPA was signed into law by President Gerald Ford in August of 1974. Amendments have been made since then by the Department of Education to incorporate changes in the law and to reflect changing technology.
FERPA is a federal law that covers the following three issues with regard to parents’ and students’ rights:
- Ensuring the right to access students’ education records
- Ensuring the right to seek amendments to those records
- Ensuring the right to control (to some extent) disclosures of students’ personally identifiable information (PII)
FERPA protects “education records,” which are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the educational entity. Examples include, but are not limited to:
- Discipline Files
- Class Lists
- Financial Information (post K-12)
- Health Information (K-12)
FERPA covers this information regardless of how it is stored, from physical documents to digital video.
It’s important to note that staff members’ impressions and observations are not covered by FERPA and can be freely shared, so long as they have not been included in a student’s education records.
FERPA describes some student details as “Directory information”. Items classified as Directory Information can be contained within protected education records but do not require prior authorization to distribute separately from them.
Examples of directory information include:
- Phone Numbers
- Birth Information (Date & Place)
- Names of Honors & Awards
- Dates of student attendance at institutions – i.e. “was a student from ____ to ____” (not granular attendance history or disciplinary records)
It’s important to note that while this information can be shared without authorization, schools must notify parents or eligible students that they will be making directory information available (in general). The FERPA rights holders can request that their directory information not be disclosed.
Up until the point when a student becomes 18 years old or attends a postsecondary educational institution (whichever comes first), FERPA rights to that student’s information are held by their parents or legal guardians. Once a student crosses either threshold, they are referred to as an “eligible student” under the law and FERPA rights then transfer to the student.
FERPA does not dictate requirements for compliance training content, length, or frequency. However, the burden for FERPA compliance rests solely with the educational entity. As a result, FERPA training guidelines can vary among entities.
The FERPA waiver people are most likely to encounter is tied in with college & university applications (either organization-specific or on the Common Application). The purpose of this waiver has more to do with the records-access portion of the law than the privacy portion.
When teachers and other school officials (employees, volunteers, etc.) create letters of recommendation for the student (as is commonly required as part of the application process), these become education records at the school the student attends.
As is often the case with evaluations, knowing that the person being evaluated will read them (and know who wrote them) can influence what people include in their letters. As a result, many schools require that students waive their right to review these letters to encourage a greater degree of honesty.
Organizations Covered by FERPA
Any educational entity that receives funds from the US Department of Education is subject to FERPA, regardless of what level of education they offer, or whether they’re a private or public institution. Examples include school districts, public schools, local educational agencies (LEAs), colleges, and universities.
Only employees that have been determined to have “legitimate educational interests” involving a given student are authorized to access that student’s education records without permission from the parents or eligible student. Note that contractors, consultants, or volunteers fulfilling duties that would otherwise be covered by an employee (i.e. coaches, teachers, teachers’ assistants, etc.) may also be given access to information if they meet this standard.
Protecting students’ information under FERPA is a requirement for accepting any funding from the US Department of Education. While taking great care in protecting students’ information is generally always a best practice, schools not receiving public funds, and whose students are not recipients of Department funds, are not bound by the law.
Daycares do not typically educate or instruct students. As a result, they would not be covered by FERPA rules.
FERPA vs HIPAA vs PPRA vs State Laws
State laws cannot require disclosures based on less stringent requirements than FERPA requires. However, there are a wide variety of state student privacy & records laws across the US that offer additional protections or requirements beyond (in addition to) what FERPA mandates. For example, states may allow students and their families to sue for privacy violations, place stricter controls on directory information, shorten the time schools can take to provide records access, prohibit information sharing for commercial/targeted advertising purposes, etc.
K-12 school medical records are covered by FERPA, assuming FERPA applies to the school. If the school meets the definition of a “Covered Entity” under HIPAA, however, those medical records would also be covered under HIPAA.
In this instance the records are subject to HIPAA guidelines in terms of administrative rules, but not the HIPAA privacy rule. This is because there is an exception written into HIPAA that “education records” and “treatment records” covered by FERPA are only subject to FERPA privacy protections.
Many postsecondary institutions are also healthcare providers. They may either have their own hospital(s) or might provide care on a much smaller scale via an on-campus clinic and/or counseling center. While some aspects of HIPAA may apply to electronic billing or non-student health records, for example, HIPAA’s privacy rule does not apply and any disclosures are done in compliance with FERPA, not HIPAA.
While both FERPA and the Protection of Pupil Rights Amendment (PPRA) were constructed to protect students’ privacy, they do so in very different ways. A simple way to think of the difference is that FERPA controls what information schools hand out, while PPRA controls what information they bring in.
In other words, PPRA isn’t about the storage of sensitive data; it’s about mandating what specific data schools can collect from their students. Situations where PPRA becomes involved include surveys, evaluations, and some physical examinations. PPRA covers a range of details about a student’s (and/or their parents’) personal life, and prevents these details from being gathered by schools without the explicit consent of the parents (or of the student, when over 18).
Obligations to Protect Student Information
No. FERPA requires access to students’ private details be limited to those with “legitimate educational interests.” The interpretation of this phrase can be fairly broad (and may include coaches, school security, counselors, etc.), but it does limit access to a pool of staff (administrators, teachers working with the student, etc.) rather than the entire staff body.
A student’s records are covered by FERPA once those records are held by a FERPA-covered institution. While the law is concerned with protecting a student’s private information and ensuring access to that information by students and parents, it is actually the status of the institution that dictates whether FERPA is in effect.
Assignments may not be protected under FERPA, but student grades are. The Supreme Court has decided that those grades do not become FERPA-protected until entered into a teacher’s grading system (and thus peer-grading is not a FERPA violation).
Yes, but only after the applicant attends a FERPA-covered institution. However, it is important to remember that exchanging FERPA-protected information between institutions for the purposes of student applications or enrollment is a Permissible Disclosure under FERPA and does not require the rights-holder’s consent.
FERPA does not consider the form of the information when assessing coverage, only the content. Therefore, emails are education records if they are directly related to a student.
Potentially, depending on the content of the call. As mentioned above with email, FERPA is concerned with education records, not the medium in which those records are stored. Thus, if a voicemail contains a specific student’s class schedule, or the call recording is of a discussion of a disciplinary matter, they would absolutely be covered by FERPA.
Absolutely. However, school transcripts can be freely shared with other schools in which the student seeks or intends to enroll, along with certain other outside institutions (see Permissible Disclosures).
Yes, day-to-day attendance records as well as the overall period of attendance (such as what years a student attended a school) are education records. “Years attended,” however, can be a “directory information” item and can be shared without consent, unless the parent or eligible student has submitted a prior request that such information not be shared.
Yes. However, schools do not require authorization to share those records with organizations such as the police, juvenile centers, and threat assessment teams when there is a health or safety emergency. Schools are also required to comply with court subpoenas and do not require prior authorization to do so, but must generally notify the parent or eligible student in advance of compliance.
Schools can also inform parents, even if the student is now an “eligible student,” if the student is found in violation of the campus conduct code relating to alcohol or substance abuse, so long as the student is under age 21, or is considered in imminent medical danger.
Law enforcement units are defined as bodies authorized to enforce laws, refer violations to appropriate authorities, and/or maintain physical security for an educational institution. Depending on the organization, they may be made up of fully commissioned police officers or school-sanctioned security guards.
Records created by a law enforcement unit for the purposes of enforcing the law are not subject to FERPA protections, even if that organization operates as part of an educational institution or agency (for example, a campus safety/police organization).
FERPA cannot be used to force access to these records by students or parents, nor can it block their disclosure. These situations are instead managed through other laws & regulations.
No, not if the deceased was an eligible student. FERPA no longer applies to that student’s education records. However, education records at the elementary/secondary level are still subject to FERPA because those rights resided with the parents. State law or institution policies may provide replacement/additional protections once FERPA is no longer in effect.
Yes. FERPA continues to apply to all education records relating to a student’s time enrolled in a given institution, even if those records are created after the student leaves, but relate to the student’s time at the institution.
Yes. FERPA applies to all students attending institutions that are subject to FERPA, regardless of their immigration status.
Schools and other educational institutions are required under another Federal law (SEVIS) to provide certain requested information to the Immigration and Customs Enforcement Bureau (ICE), as well as the greater Department of Homeland Security (DHS), about students enrolled in DHS’s Student and Exchange Visitor Program. In order to disclose additional student information, apart from FERPA’s emergency exception, DHS & ICE must typically provide a court order like any other law enforcement agency.
Schools can ask students (and/or their parents) to provide proof of residency, but that need not include social security numbers or other proof of immigration status. In fact, the DoE cautions schools at the K-12 level to avoid collecting such information as it may discourage school enrollment.
As a result, a school may not have immigration information on its students. This means that if a student is not in the country on a student visa (reported as part of an international application or exchange program), the school may not have cause to know whether they’re in the country legally or not.
In other words, FERPA does not prevent schools from sharing protected information in response to court orders, but it also does not require schools to verify students’ immigration statuses and thus they may not have that information to provide.
Obligations to Provide Student Information
While state laws may require a faster response time, FERPA allows schools to take up to 45 calendar days to provide records in response to such a request.
Generally, yes, unless there is a court order or law in place that specifically blocks those rights.
A step-parent in a relationship with one of a child’s natural parents, who is present in the home on a day-to-day basis, may be considered a parent under FERPA. The same is true of grandparents or caregivers who are acting as a child’s primary guardian in the absence of their natural parents.
Yes, assuming they have verified the identity of the caller and they are someone with legal rights to the information. As with all communication methods, disclosure without verifying the recipient’s identity and right to access the information could result in a FERPA violation.
If the current FERPA rights holders to a student’s information request access to records, schools are required to provide that access (once they have verified the requester’s identity). However, they are only required to provide copies if circumstances (such as distance) prevent the rights holders from accessing the originals.
Yes, schools are allowed to charge fees for producing & distributing copies of student records (such as providing official transcripts to universities for application purposes).
Possibly. It depends on the age/level of schooling of the student and their legal relationship to their parents. A legally independent student who is over eighteen or attending classes at a postsecondary institution (whichever happens first) legally becomes the custodian of their FERPA rights (referred to as “an Eligible Student” in the law). Prior to that point, their parents (or legal guardians) are considered the custodians and may access their records at any time.
However, even after the conditions for being an Eligible Student are met, there are still a few situations where parents can receive FERPA-protected information from the school without student authorization:
- The student is a dependent. If the parents are still claiming the student as a dependent on their taxes, they can request access to the student’s records. However, they will be required to prove that tax status.
- The FERPA health and safety emergency exemption. If the school judges the student to be in imminent medical danger (for example, due to a serious injury, illness, or other situation), their records can be shared with their parents in order to get them necessary help.
- The student is found in violation of certain school policies.
Yes. In addition to the access given to school employees who have an educational interest, and the rules for Directory Information, there are provisions in the law for releasing protected information without prior consent. Referred to as “Permissible Disclosures,” these situations include:
- Complying with court subpoenas
- Sharing information with a designated “threat assessment team”
- Sharing information with other schools a student is seeking or intending to attend
- Sharing information for purposes of securing or administering financial aid
- Sharing information with “appropriate parties” in response to an imminent health or safety emergency
- Releasing “de-identified” information that cannot be traced back to the student
Schools may permit volunteers performing duties that would otherwise be handled by a school employee to access student records if they have an educational interest.
Yes, assuming that the person/organization a) is performing duties that would otherwise be performed by school staff, b) is under the educational institution’s “direct control” when it comes to anything involving protected student information, c) only uses these details for the purpose the institution provided them for, and d) has been notified of their obligations under FERPA.
De-identified information is information with all student-identifying characteristics removed. FERPA states that such information can be released freely if a school is careful to remove any details that could allow “a reasonable person in the school community, who does not have personal knowledge of the circumstances, to identify the student with reasonable certainty.”
Schools may need assistance determining whether an imminent emergency or threat to student safety exists. To get help, they may establish a “threat assessment team” that includes both school and outside officials (doctors, police, etc.) and brings expertise to bear when making these decisions. Per FERPA, members of a threat assessment team, even if they aren’t direct school employees, can be permitted access to education records of students involved in situations that must be assessed.
Students who are under 18 and not attending a postsecondary institution are not the legal custodian of their FERPA rights. Those are instead held by (and can be waived by) their parents.
Yes. If a student is applying to enroll in a school, their previous schools can respond to records requests and disclose records without the student’s consent. The same is true if the student is being placed in a juvenile justice facility that is also considered a school.
If a student is attending two schools simultaneously (as in the case of a high school student also taking advanced classes at a local college), the two educational entities can exchange information freely.
Yes. Postsecondary institutions can disclose information, without student consent, to outside bodies when a request is made as part of a student receiving or applying for financial aid.
When it comes to teachers’ and officials’ personal observations, knowledge, and impressions of students and student behavior, they are legally allowed to share them without obtaining prior authorization. However, any information that is entered into a student’s file (for example, event observations that become part of a student’s disciplinary records) becomes covered by FERPA.
Yes. Whenever a school gives out FERPA-protected information to an organization or person outside the school under permissible disclosure rules, they are required to keep records of what was given to whom, along with the why and when.
Yes, but unless prior authorization was received, there are only two ways non-directory information can be shared with the police without violating FERPA: 1) under court order, or 2) under FERPA’s “health & safety emergency exception” (see below).
FERPA allows schools to disclose relevant information to “appropriate parties” in the event they determine it is necessary to respond to a significant threat to the student or other individuals. The situations in which this exception comes into play are emergencies (not simply training/drills for emergencies) like school shootings, disease outbreaks, etc.
A FERPA violation occurs when an institution fails to live up to its obligations concerning student education records under the law. Examples include:
- Disclosing protected information, either intentionally or unintentionally, to unauthorized parties, such as by:
  - Failing to verify the identity/authorization of a person before providing protected information
  - Failing to get prior rights holder consent for disclosures not considered “permissible” exemptions under FERPA
  - Allowing a security breach to occur (such as a hack)
  - Accidentally sending protected information to the wrong recipient or publishing it online
  - Including protected information on otherwise acceptable documents
- Withholding access to student information from the FERPA rights holders (parents or eligible students)
- Preventing FERPA rights holders from submitting corrections to student information for consideration
If an educational institution is found to have violated FERPA, the SPPO will send them notice of the violation and give them a deadline to come in line with proper compliance. If the institution fails to become compliant within this period, the office has three enforcement options with which to compel compliance.
- Withholding funds from any Department of Education programs
- Terminating the institution’s eligibility for Department of Education funding programs
- Issuing a complaint leading to a legal cease and desist order
Of course, beyond the SPPO’s administrative actions, there is also a risk that the institution may be sued under applicable state laws for the violation, or that other laws may have been broken in the process (leading to additional penalties).
FERPA is only concerned with compliance at the institutional level. As a result, specific penalties to staff who violate the regulation are not provided in the law. However, it is likely that they may incur consequences under a given school or school district’s policies and/or other laws.
How Can XMedius Solutions Help with FERPA Compliance?
XM Fax is an industry-leading Fax over IP (FoIP) solution relied upon by organizations around the world, including many prominent colleges, universities, and public school districts. It allows organizations to maintain the powerful utility of fax document exchange, while jettisoning unreliable machines and expensive copper phone lines.
Its various security features are of particular importance to institutions covered by FERPA, including:
- An automatically generated audit trail covering which documents were sent where and when, including delivery confirmation.
- Incoming faxes can be directed to controlled email addresses or server folders, minimizing the risk of staff members without legitimate educational interests seeing a given student’s records.
- Incoming and outgoing faxes can be produced and stored electronically. This reduces, or possibly even eliminates, the need for physical copies that must be protected.
- A zero retention option can be turned on to prevent copies of sent or received faxes being stored on the fax server, preventing them from being discovered in a possible hacker breach.
XM SendSecure is a cutting edge secure file exchange solution that combines security, ease of use, and automatically generated audit trails into a package that simplifies FERPA-compliant communications.
- Supports transferring files in any format and up to 5TB in size, making it perfect for everything from spreadsheets to security videos.
- Includes two-factor authentication to increase security and help prevent breaches caused by misaddressed messages.
- Stores sensitive documents in ephemeral storage that will delete itself after a set duration, preventing extra copies of students’ private information from being left in circulation longer than is necessary.
- Automatically generates an extensive audit trail covering all interactions within the encrypted storage space, including downloads (tracked to the byte), uploads, deletions, messages, etc.
- Is fast and as easy to use as email, even for outside organizations.
- Offers additional security features, such as automatic virus scanning, that further protect organizations from attack.
XM Connect delivers a suite of Unified Communications applications that interoperate with school, university, college, and agency telephony and email infrastructure to empower staff and streamline workflows. In addition to powerful features like automated attendants in multiple languages, customizable IVR, and unified messaging, XM Connect offers secure messaging functionality, which can prevent voicemails from being forwarded outside the system.
Simplify FERPA-Compliant Communications
Educational institutions can find maintaining security and documenting disclosures can take up a great deal of staff time. XMedius provides faster, more secure, and automatically tracked solutions that can dramatically simplify FERPA compliance.
Would you like to learn more about how XMedius solutions can help you meet your obligations and improve protections for your students? Reach out to our team.