some private elementary and secondary schools, and public or private institutions of higher education. FERPA provisions apply to a wide variety of education records, including medical records maintained by school health professionals. Provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191), as well as FERPA regulations, clarify that school medical records protected by FERPA are not governed by HIPAA.

FERPA defines “personally identifiable information” to include not only the student’s name and the name of the student’s parent or other family member and address of the student or student’s family, but also a personal identifier, such as a social security number or student number or a list of personal characteristics or other information that would make the student’s identity easily traceable. Although one of the primary rights of parents and students protected by FERPA is to consent to disclosure of personally identifiable information, such consent is not required under certain exceptions. Two of these exceptions are sometimes applied in decisions granting access to education records for research purposes:

  • Disclosure to federal, state, and local educational authorities conducting an audit, evaluation, or enforcement of education programs (U.S. Code, Title 20, Chapter 31, Section 1232g, Subsection b).

  • Disclosure to “organizations conducting studies for, or on behalf of, educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction” (Ibid).

The law requires a school or higher education institution to maintain a record of each request for access to and each disclosure of an education record. In addition, when disclosing information from education records, the school should inform the receiving party that the information may not be further disclosed (with some exceptions).

Campbell said that the Department of Education expects that its proposed new FERPA regulations (U.S. Department of Education, 2008a) will improve access to education data for research and accountability purposes. The new rules would make it easier for state and local education agencies to redisclose information to each other, such as when a state department of education discloses student K-12 education records to a state higher education commission in order to track individual student achievement over time. The proposed rules would also update and clarify the definition of personally identifiable information and provide standards for removing all personally identifiable information from education data, as necessary or appropriate to release the information as deidentified data. A state education agency’s release of properly deidentified data



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement