FERPA Regulation Knowledge Hub

Compliance, Disclosure, and Security Information

XMedius provides the education market with powerful communications solutions designed to streamline workflows, minimize breach risks, and simplify regulatory compliance.

Our solutions have enabled FERPA-compliant document & file communications for:


  • School Districts
  • Colleges & Universities
  • Government Agencies

Whether this is your first time investigating FERPA, or you have some experience but are looking to expand your knowledge, this guide is designed to help you understand the complexities of the law so you’re better equipped for compliance.

Please note that this guide is not provided as legal advice. While XMedius has helped institutions across the US protect their communications and achieve compliance, our products do not guarantee FERPA compliance. Your organization will need to ensure it has implemented any policies and procedures necessary to achieve and maintain compliance.

FERPA Introduction

FERPA is the key regulation regarding managing student records in the United States. It not only helps protect students’ education records from prying eyes, but also ensures that parents or eligible students have access to records. As part of this mandate, it requires certain recordkeeping procedures to ensure rules are followed and actions tracked. Our secure document exchange solutions facilitate easy communication between schools and other educational entities while preventing breaches and automatically keeping records of disclosures.

The Basics of FERPA

What does FERPA stand for?

FERPA stands for the “Family Educational Rights and Privacy Act” (aka “The Buckley Amendment”).

When was FERPA enacted?

FERPA was signed into law by President Gerald Ford in August of 1974. Amendments have been made since then by the Department of Education to incorporate changes in the law and to reflect changing technology.

What is the purpose of FERPA?

FERPA is a federal law that covers the following three issues with regards to parents’ and students’ rights:

  1. Ensuring the right to access students’ education records
  2. Ensuring the right to seek amendments to those records
  3. Ensuring the right to control (to some extent) disclosures of students’ personally identifiable information (PII)

What information does FERPA protect?

FERPA protects “education records,” which are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the educational entity. Examples include, but are not limited to:

  • Discipline Files
  • Grades
  • Transcripts
  • Class Lists
  • Schedules
  • Financial Information (post K-12)
  • Health Information (K-12)

FERPA covers this information regardless of how it is stored, from physical documents to digital video.

It’s important to note that staff members’ impressions and observations are not covered by FERPA and can be freely shared, so long as they have not been included in a student’s education records.

What is “Directory Information” under FERPA?

FERPA describes some student details as “Directory information”. Items classified as Directory Information can be contained within protected education records but do not require prior authorization to distribute separately from them.

Examples of directory information include:

  • Names
  • Addresses
  • Phone Numbers
  • Birth Information (Date & Place)
  • Names of Honors & Awards
  • Dates of student attendance at institutions – i.e. “was a student from ____ to ____”
    (not granular attendance history or disciplinary records)

It’s important to note that while this information can be shared without authorization, schools must notify parents or eligible students that they will be making directory information available (in general). The FERPA rights holders can request that their directory information not be disclosed.

Who holds FERPA rights to a student’s information, a parent or the student?

Up until the point when a student becomes 18 years old or attends a postsecondary educational institution (whichever comes first), FERPA rights to that student’s information are held by their parents or legal guardians. Once a student crosses either threshold, they are referred to as an “eligible student” under the law and FERPA rights then transfer to the student.

How often is FERPA training required?

FERPA does not dictate requirements for compliance training content, length, or frequency. However, the burden for FERPA compliance rests solely with the educational entity.  As a result, FERPA training guidelines can vary among entities.

What is a FERPA waiver?

The FERPA waiver people are most likely to encounter is tied in with college & university applications (either organization-specific or on the Common Application). The purpose of this waiver has more to do with the records-access portion of the law than the privacy portion.

When teachers and other school officials (employees, volunteers, etc.) create letters of recommendation for the student (as is commonly required as part of the application process), these become education records at the school the student attends.

As is often the case with evaluations, knowing that the person being evaluated will read them (and know who wrote them) can influence what people include in their letters. As a result, many schools require that students waive their right to review these letters to encourage a greater degree of honesty.

Organizations Covered by FERPA

What organizations are covered by FERPA?

Any educational entity that receives funds from the US Department of Education is subject to FERPA, regardless of what level of education they offer, or whether they’re a private or public institution. Examples include school districts, public schools, local educational agencies (LEAs), colleges, and universities.

Within covered educational entities, who may access student information?

Only employees that have been determined to have “legitimate educational interests” involving a given student are authorized to access that student’s education records without permission from the parents or eligible student. Note that contractors, consultants, or volunteers fulfilling duties that would otherwise be covered by an employee (i.e. coaches, teachers, teachers’ assistants, etc.) may also be given access to information if they meet this standard.

Are private secondary schools covered by FERPA?

Protecting students’ information under FERPA is a requirement for accepting any funding from the US Department of Education. While taking great care in protecting students’ information is generally always a best practice, schools not receiving public funds, and whose students are not recipients of Department funds, are not bound by the law.

Are daycares covered by FERPA?

Daycares do not typically educate or instruct students. As a result, they would not be covered by FERPA rules.

FERPA vs HIPAA vs PPRA vs State Laws

Does FERPA preempt state law?

State laws cannot require disclosures based on less stringent requirements than FERPA requires. However, there are a wide variety of state student privacy & records laws across the US that offer additional protections or requirements beyond (in addition to) what FERPA mandates. For example, states may allow students and their families to sue for privacy violations, place stricter controls on directory information, shorten the time schools can take to provide records access, prohibit information sharing for commercial/targeted advertising purposes, etc.

Are school medical records covered under HIPAA or FERPA?

K-12 school medical records are covered by FERPA, assuming FERPA applies to the school. If the school meets the definition of a “Covered Entity” under HIPAA, however, those medical records would be also covered under HIPAA.

In this instance the records are subject to HIPAA guidelines in terms of administrative rules, but not the HIPAA privacy rule. This is because there is an exception written into HIPAA that “education records” and “treatment records” covered by FERPA are only subject to FERPA privacy protections.

Many postsecondary institutions are also healthcare providers. They may either have their own hospital(s) or might provide care on a much smaller scale via an on-campus clinic and/or counseling center. While some aspects of HIPAA may apply to electronic billing or non-student health records, for example, HIPAA’s privacy rule does not apply and any disclosures are done in compliance with FERPA, not HIPAA.

What’s the difference between FERPA and PPRA?

While both FERPA and the Protection of Pupil Rights Amendment (PPRA) were constructed to protect students’ privacy, they do so in very different ways. A simple way to think of the difference is that FERPA controls what information schools hand out, while PPRA controls what information they bring in.

In other words, PPRA isn’t about the storage of sensitive data, it’s about mandating what specific data schools can collect from their students. Situations where PPRA becomes involved include surveys, evaluations, and some physical examinations. PPRA covers a range of details about a student (and/or their parents’) personal life, and prevents these details being gathered by schools without parents’ (or the student when over 18) explicit consent.

Obligations to Protect Student Information

Are all school employees allowed to access students’ educational records?

No. FERPA requires access to students’ private details be limited to those with “legitimate educational interests.” The interpretation of this phrase can be fairly broad (and may include coaches, school security, counselors, etc.), but it does limit access to a pool of staff (administrators, teachers working with the student, etc.) rather than the entire staff body.

At what point does a student become covered under FERPA?

A student’s records are covered by FERPA once those records are held by a FERPA-covered institution. While the law is concerned with protecting a student’s private information and ensuring access to that information by students and parents, it is actually the status of the institution that dictates whether FERPA is in effect.

Are classroom assignments protected under FERPA?

Assignments may not be protected under FERPA, but student grades are. The Supreme Court has decided that those grades do not become FERPA-protected until entered into a teacher’s grading system (and thus peer-grading is not a FERPA violation).

Are school applications protected under FERPA?

Yes, but only after the applicant attends a FERPA-covered institution. However, it is important to remember that exchanging FERPA-protected information between institutions for the purposes of student applications or enrollment is a Permissible Disclosure under FERPA and does not require the rights-holder’s consent.

Are emails considered education records under FERPA?

FERPA does not consider the form of the information when assessing coverage, only the content. Therefore, emails are education records if they are directly related to a student.

Are voicemails or phone call recordings covered by FERPA?

Potentially, depending on the content of the call. As mentioned above with email, FERPA is concerned with education records, not the medium in which those records are stored. Thus, if a voicemail contains a specific student’s class schedule, or the call recording is of a discussion of a disciplinary matter, they would absolutely be covered by FERPA.

Are school grades covered under FERPA?

Absolutely. However, school transcripts can be freely shared with other schools in which the student seeks or intends to enroll, along with certain other outside institutions (see Permissible Disclosures).

Are attendance records covered under FERPA?

Yes, day-to-day attendance records as well as the overall period of attendance (such as what years a student attended a school) are education records.  “Years attended,” however, can be a “directory information” item and can be shared without consent, unless the parent or eligible student has submitted a prior request that such information not be shared.

Does FERPA protect disciplinary records?

Yes. However, schools do not require authorization to share those records with organizations such as the police, juvenile centers, and threat assessment teams when there is a health or safety emergency. Schools are also required to comply with court subpoenas and do not require prior authorization to do so, but must generally notify the parent or eligible student in advance of compliance.

Schools can also inform parents, even if the student is now an “eligible student,” if the student is found in violation of the campus conduct code relating to alcohol or substance abuse, so long as the student is under age 21, or is considered in imminent medical danger.

Does FERPA protect law enforcement unit records?

Law enforcement units are defined as bodies authorized to either enforce laws, refer violations to appropriate authorities, and/or maintain physical security for an educational institution. Depending on the organization, they may be made up of fully commissioned police officers or school-sanctioned security guards.

Records created by a law enforcement unit for the purposes of enforcing the law are not subject to FERPA protections, even if that organization operates as part of an educational institution or agency (for example, a campus safety/police organization).

FERPA cannot be used to force access to these records by students or parents, nor can it block their disclosure. These situations are instead managed through other laws & regulations.

Does FERPA apply after death?

No, not if the deceased was an eligible student. FERPA no longer applies to that student’s education records. However, education records at the elementary/secondary level are still subject to FERPA because those rights resided with the parents.  State law or institution policies may provide replacement/additional protections once FERPA is no longer in effect.

Does FERPA apply after a student leaves a school?

Yes. FERPA continues to apply to all education records relating to a student’s time enrolled in a given institution, even if those records are created after the student leaves, but relate to the student’s time at the institution.

Does FERPA apply to international students?

Yes. FERPA applies to all students attending institutions that are subject to FERPA, regardless of their immigration status.

Does FERPA protect immigration status?

Schools and other educational institutions are required under another Federal law (SEVIS) to provide certain requested information to the Immigration and Customs Enforcement Bureau (ICE), as well as the greater Department of Homeland Security (DHS), about students enrolled in DHS’s Student and Exchange Visitor Program. In order to disclose additional student information, apart from FERPA’s emergency exception, DHS & ICE must typically provide a court order like any other law enforcement agency.

Schools can ask students (and/or their parents) to provide proof of residency, but that need not include social security numbers or other proof of immigration status. In fact, the DoE cautions schools at the K-12 level to avoid collecting such information as it may discourage school enrollment.

As a result, a school may not have immigration information on its students. This means that if a student is not in the country on a student visa (reported as part of an international application or exchange program), the school may not have cause to know whether they’re in the country legally or not.

In other words, FERPA does not prevent schools from sharing protected information in response to court orders, but it also does not require schools to verify students’ immigration statuses and thus they may not have that information to provide.

Obligations to Provide Student Information

When a parent (or eligible student) requests to view education records, how long do schools have to respond?

While state laws may require a faster response time, FERPA allows schools to take up to 45 calendar days to provide records in response to such a request.

Do noncustodial parents have the same rights under FERPA as normal parents?

Generally, yes, unless there is a court order or law in place that specifically blocks those rights.

Do step-parents, grandparents, and caregivers have parental rights under FERPA?

A step-parent in a relationship with one of a child’s natural parents, who is present in the home on a day to day basis may be considered a parent under FERPA. The same is true of grandparents or caregivers who are acting as a child’s primary guardian in the absence of their natural parents.

Can schools provide FERPA-protected information over the phone?

Yes, assuming they have verified the identity of the caller and they are someone with legal rights to the information. As with all communication methods, disclosure without verifying the recipient’s identity and right to access the information could result in a FERPA violation.

Are schools required to provide copies of student records?

If the current FERPA right holders to a student’s information request access to records, schools are required to provide that access (once they have verified the requester’s identity). However, they are only required to provide copies if circumstances (such as distance) prevent the rights holders from accessing the originals.

Are schools allowed to charge for copies of student records?

Yes, schools are allowed to charge fees for producing & distributing copies of student records (such as providing official transcripts to universities for application purposes).

Can a student use FERPA to shield their records from their parents?

Possibly. It depends on the age/level of schooling of the student and their legal relationship to their parents. A legally independent student who is over eighteen or attending classes at a postsecondary institution (whichever happens first) legally becomes the custodian of their FERPA rights (referred to as “an Eligible Student” in the law). Prior to that point, their parents (or legal guardians) are considered the custodians and may access their records at any time.

However, even after the conditions for being an Eligible Student are met, there are still a few situations where parents can receive FERPA-protected information from the school without student authorization:

  • The student is a dependent. If the parents are still claiming the student as a dependent on their taxes, they can request access to the student’s records. However, they will be required to prove that tax status.
  • The FERPA health and safety emergency exemption. If the school judges the student to be in imminent medical danger (for example, due to a serious injury, illness, or other situation), their records can be shared with their parents in order to get them necessary help.
  • The student is found in violation of certain school policies.

Permissible Disclosures

Are there situations where protected information can be disclosed without authorization from students or their parents?

Yes. In addition to being freely available to school employees who have an educational interest, and Directory Information, there are provisions in the law for releasing protected information without prior consent. Referred to as “Permissible Disclosures,” these situations include:

  • Complying with court subpoenas
  • Sharing information with a designated “threat assessment team”
  • Sharing information with other schools a student is seeking or intending to attend
  • Sharing information for purposes of securing or administering financial aid
  • Sharing information with “appropriate parties” in response to an imminent health or safety emergency
  • Releasing “de-identified” information that cannot be traced back to the student

Can school volunteers access records under FERPA?

Schools may permit volunteers performing duties that would otherwise be handled by a school employee to access student records if they have an educational interest.

Can outside organizations/consultants working for an educational institution be given access to information under FERPA?

Yes, assuming that the person/organization a) is performing duties that would otherwise be performed by school staff, b) is under the educational institution’s “direct control” when it comes to anything involving protected student information, c) only uses these details for the purpose the institution provided them for, and d) has been notified of their obligations under FERPA.

What is “de-identified” information?

De-identified information is information with all student-identifying characteristics removed. FERPA states that such information can be released freely if a school is careful to remove any details that could allow “a reasonable person in the school community, who does not have personal knowledge of the circumstances, to identify the student with reasonable certainty.”

What is a “Threat Assessment Team” under FERPA?

Schools may need assistance determining whether an imminent emergency or threat to student safety exists. To get help, they may establish a “threat assessment team” that includes both school and outside officials (doctors, police, etc.) and brings expertise to bear when making these decisions. Per FERPA, members of a threat assessment team, even if they aren’t direct school employees, can be permitted access to education records of students involved in situations that must be assessed.

Can students under 18 waive their FERPA rights?

Students who are under 18 and not attending a postsecondary institution are not the legal custodian of their FERPA rights. Those are instead held by (and can be waived by) their parents.

Can schools give other schools a student’s education records without consent, as part of the enrollment process?

Yes. If a student is applying to enroll in a school, their previous schools can respond to records requests and disclose records without the student’s consent. The same is true if the student is being placed in a juvenile justice facility that is also considered a school.

If a student is attending two schools simultaneously (as in the case of a high school student also taking advanced classes at a local college), the two educational entities can exchange information freely.

Can schools provide records as part of the financial aid process?

Yes. Postsecondary institutions can disclose information, without student consent, to outside bodies when a request is made as part of a student receiving or applying for financial aid.

Are school officials’ “Personal Observations” protected under FERPA?

When it comes to teachers’ and officials’ personal observations, knowledge, and impressions of students and student behavior, they are legally allowed to share them without obtaining prior authorization. However, any information that is entered into a student’s file (for example, event observations that become part of a student’s disciplinary records) becomes covered by FERPA.

Do schools have to keep records of permissible disclosures?

Yes. Whenever a school gives out FERPA-protected information to an organization or person outside the school under permissible disclosure rules, they are required to keep records of what was given to whom, along with the why and when.

Can schools give information to the police under FERPA?

Yes, but unless prior authorization was received, there are only two ways non-directory information can be shared with the police without violating FERPA: 1) under court order, or 2) under FERPA’s “health & safety emergency exception” (see below).

What is the “health & safety emergency exception”?

FERPA allows schools to disclose relevant information to “appropriate parties” in the event they determine it is necessary to respond to a significant threat to the student or other individuals. The situations in which this exception comes into play are emergencies (not simply training/drills for emergencies) like school shootings, disease outbreaks, etc.

FERPA Violations

Who enforces FERPA?

FERPA is administered and enforced by the US Department of Education’s Student Privacy Policy Office (SPPO).

What is a FERPA violation?

A FERPA violation occurs when an institution fails to live up to their obligations concerning student education records under the law. Examples include:

  1. Disclosing protected information, either intentionally or unintentionally, to unauthorized parties, for example by:
    1. Failing to verify the identity/authorization of a person before providing protected information
    2. Failing to get prior rights holder consent for disclosures not considered “permissible” exemptions under FERPA
    3. Allowing a security breach to occur (such as a hack)
    4. Accidentally sending protected information to the wrong recipient or publishing it online
    5. Including protected information on otherwise ok documents
  2. Withholding access to student information from the FERPA rights holders (parents or eligible students)
  3. Preventing FERPA rights holders from submitting corrections to student information for consideration

What happens to a school that violates FERPA?

If an educational institution is found to have violated FERPA, the SPPO will send them notice of the violation and give them a deadline to come in line with proper compliance. If the institution fails to become compliant within this period, the office has three enforcement options with which to compel compliance.

  • Withholding funds from any Department of Education programs
  • Terminating the institution’s eligibility for Department of Education funding programs
  • Issuing a complaint leading to a legal cease and desist order

Of course, beyond the SPPO’s administrative actions, there is also a risk that the institution may be sued under applicable state laws for the violation, or that other laws may have been broken in the process (leading to additional penalties).

What happens to a teacher who violates FERPA?

FERPA is only concerned with compliance at the institutional level. As a result, specific penalties to staff who violate the regulation are not provided in the law. However, it is likely that they may incur consequences under a given school or school district’s policies and/or other laws.

How Can XMedius Solutions Help with FERPA Compliance?


XM Fax is an industry-leading Fax over IP (FoIP) solution relied upon by organizations around the world, including many prominent colleges, universities, and public school districts. It allows organizations to maintain the powerful utility of fax document exchange, while jettisoning unreliable machines and expensive copper phone lines.

Its various security features are of particular importance to institutions covered by FERPA, including:

  • An automatically generated audit trail covering which documents were sent where and when, including delivery confirmation.
  • Incoming faxes can be directed to controlled email addresses or server folders, minimizing the risk of staff members without legitimate educational interests seeing a given student’s records.
  • Incoming and outgoing faxes can be produced and stored electronically. This reduces, or possibly even eliminates, the need for physical copies that must be protected.
  • A zero retention option can be turned on to prevent copies of sent or received faxes being stored on the fax server, preventing them from being discovered in a possible hacker breach.

XM SendSecure is a cutting edge secure file exchange solution that combines security, ease of use, and automatically generated audit trails into a package that simplifies FERPA-compliant communications.

XM SendSecure:

  • Supports transferring files in any format and up to 5TB in size, making it perfect for everything from spreadsheets to security videos.
  • Includes two-factor authentication to increase security and help prevent breaches caused by misaddressed messages.
  • Stores sensitive documents in ephemeral storage that will delete itself after a set duration, preventing extra copies of students’ private information from being left in circulation longer than is necessary.
  • Automatically generates an extensive audit trail covering all interactions within the encrypted storage space, including downloads (tracked to the byte), uploads, deletions, messages, etc.
  • Is fast and as easy to use as email, even for outside organizations.
  • Features additional security features, such as automatic virus scanning, that further protect organizations from attack.

CX-E delivers a suite of Unified Communications applications that interoperate with school, university, college, and agency telephony and email infrastructure to empower staff and streamline workflows. In addition to powerful features like automated attendants in multiple languages, customizable IVR, and unified messaging, CX-E offers secure messaging functionality, which can prevent voicemails from being forwarded outside the system.

Simplify FERPA-Compliant Communications

Educational institutions can find maintaining security and documenting disclosures can take up a great deal of staff time. XMedius provides faster, more secure, and automatically tracked solutions that can dramatically simplify FERPA compliance.

Contact XMedius

Would you like to learn more about how XMedius solutions can help you meet your obligations and improve protections for your students? Reach out to our team.