Highlights from the Final Report of the Federal Commission on School Safety
Don’t have time to read the 180-page Federal Commission on School Safety final report? Here’s what’s important for school security professionals to know.
The Family Educational Rights and Privacy Act (FERPA) and Other Statutory and Regulatory Privacy Protections
Educators, parents, law enforcement officers, and others are often unclear about FERPA’s specific requirements and exceptions, and some take advantage of the confusion surrounding FERPA.
Following the Virginia Tech shooting, the George W. Bush Administration recommended that school policies articulate what types of student information can be shared, with whom it can be shared, and under what conditions it can be shared. Based on those recommendations, the Department of Education amended FERPA regulations to clarify permissible disclosures of student records and PII contained therein in health or safety emergency situations.
Prior to the amendments, schools and districts were more limited in what they could non-consensually disclose in the context of a health or safety emergency. In 2008, citing the need for “greater flexibility and deference” and “so they [school administrators] can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals,” the Department removed the strict construction requirement. With the rule change, the Department affirmed that it would review determinations to disclose education records under FERPA’s health or safety exception by assessing whether:
- there was an “articulable and significant threat to the health or safety of the student or other individuals;”
- the disclosure was made to appropriate parties; and
- there was a rational basis for the determination.
The Department also stated that, assuming the foregoing was satisfied, it would “not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.”
After these regulatory changes, the Departments of Education and Health and Human Services issued Joint Guidance on the Application of FERPA and the Health Insurance Portability and Accountability Act (HIPAA). This guidance sought to explain the relationship between the two laws and address apparent confusion on the part of school administrators, healthcare professionals, and others as to how they apply to student records and the ability to communicate information.
Though these recommendations and actions sought to clarify FERPA, substantial misunderstanding remains at the local level among officials and educators concerning the privacy law, and in particular its application to school-based threats.
A misconception in both the education and law enforcement communities is that FERPA poses an impediment to the sharing of student information that could help prevent school violence and other emergencies. Privacy advocates have correctly noted that FERPA already permits schools to disclose the information necessary to protect students and other individuals before and during emergencies, but that continued confusion over the scope of FERPA remains.
Contrary to common misconceptions, schools have a great deal of flexibility under FERPA to disclose students’ education records, or the PII contained therein, in the context of school safety. These five exceptions to FERPA’s general requirement for written consent are especially relevant:
- disclosures to other school officials
- disclosures pursuant to a court order or lawfully issued subpoena
- disclosures in connection with a health or safety emergency
- disclosures (pursuant to state law) relating to juvenile justice; and
- disclosures to the parents of an eligible student who is claimed by the parents as a dependent for federal tax purposes.
Especially relevant to potential violence at school is FERPA’s health or safety emergency exception which permits the disclosure of students’ education records, or the PII contained therein, to appropriate parties if knowledge of such information is necessary to protect the health or safety of students or other persons in connection with an emergency.
FERPA’s health or safety emergency exception specifically permits schools or districts themselves to disclose PII from students’ education records in the context of emergencies. However, there are certain circumstances when it may not be practical or expedient for schools or districts themselves to make the determinations and disclosures necessary to address the emergency. These situations might include natural disasters that impact multiple districts across the state, emergencies that disrupt a district’s data systems, or emergencies that occur when district personnel are not available. In these limited situations, it is often advantageous for the state education agency to make the disclosure directly, on the school’s or district’s behalf.
Police departments often seek access to school surveillance footage to help ensure school safety—only to have schools claim it is an education record protected by FERPA and therefore deny the request. However, FERPA’s definition of “education records” excludes those created and maintained by a school’s law enforcement unit for a law enforcement purpose. If a school’s security department or campus police maintains the school’s surveillance video system and, as a result, creates surveillance footage for a law enforcement purpose, FERPA would not prevent sharing the surveillance footage with local law enforcement. Smaller schools without an existing law enforcement unit or security department can still utilize this exclusion by designating a school official, such as the vice-principal, as the school’s law enforcement unit for this purpose.
Another exception to FERPA’s written consent requirement allows disclosures to school officials who have been determined to have a legitimate educational interest in the education records, such as needing to review the education records in order to fulfill their professional responsibilities. Schools and districts specify the criteria for determining both who they consider school officials and what constitutes a legitimate educational interest. Under this exception, schools can disclose education records, or the PII contained therein, that are relevant to school safety to individuals designated as school officials and determined to have a legitimate educational interest, including teachers and school resource officers.
- The U.S. Department of Education (ED) should provide technical assistance to clarify that FERPA’s “school official” exception may permit disclosures of disciplinary information about students to the appropriate teachers and staff within the school.
- ED should work with Congress to modernize FERPA to account for changes in technology since its enactment.
- ED should clarify that limited disclosures of PII from students’ education records by state education agencies (SEA) under the health or safety emergency exception are permitted, when done on behalf of the school(s) or district(s), and in compliance with other FERPA requirements when the SEA is best positioned to respond to the emergency.
States and communities
- States should examine their state-level student privacy laws to identify protections that go beyond FERPA and may impede schools’ and districts’ efforts to promote school safety and student well-being. FERPA is not the only student privacy law that can hinder the appropriate sharing of student information in the context of emergency situations. Schools and districts may find that information that could be shared under FERPA may not be shareable under their state student privacy laws.
- Districts and schools should raise awareness of existing FERPA flexibilities and utilize existing (and forthcoming) trainings through the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC). District and school staff can also make recommendations on additional training needs that can support increased awareness and understanding of FERPA requirements by emailing [email protected]. The following are some of the existing PTAC resources:
- In 2018, ED published a series of Frequently Asked Questions that clarified FERPA’s applicability to photos and video recordings of students, with specific applicability to surveillance videos.
- ED has responded to requests from states, school districts, postsecondary institutions, law enforcement agencies, and others for technical assistance on FERPA’s requirements and general privacy best practices in the context of school safety.
- ED’s June 2010 guidance “Family Educational Rights and Privacy Act (FERPA) and the Disclosure of Student Information Related to Emergencies and Disasters,” and June 2011 guidance “Addressing Emergencies on Campus,” provide detailed explanations of the various exceptions to consent under FERPA that may apply in different safety scenarios.
The Health Insurance Portability and Accountability Act (HIPAA) and Other Statutory and Regulatory Privacy Protections
The HIPAA Privacy Rule regulates the sharing of individually identifiable health information known as “protected health information” (PHI).
Mental health and substance use information is highly relevant in the school safety context. The HIPAA Privacy Rule applies to PHI, including mental health information such as substance use disorder (SUD) diagnosis and treatment information. In addition to HIPAA, much substance use disorder diagnosis and treatment information is protected by 42 CFR (Code of Federal Regulations) Part 2, which is regulated by the U.S. Department of Health and Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA). 42 CFR Part 2 is discussed later in this report.
The HIPAA Privacy Rule establishes a floor of federal privacy protection for PHI held by covered entities and their business associates. However, it does not preempt or replace other federal or state laws that may offer greater privacy protection. Many states or other jurisdictions impose stricter privacy protections than HIPAA, particularly for information considered especially sensitive, such as information related to mental disorders and SUDs. Privacy protections for individuals’ health information are not uniform across the nation, and this is a source of confusion for healthcare entities.
Congress recently considered whether HIPAA interferes with effective communication and treatment for people with serious mental illnesses. It concluded that there is confusion in the healthcare community regarding circumstances under which information can be released under HIPAA. This confusion often hinders communication of information with appropriate caregivers that would support safe and coordinated treatment.
The HIPAA Privacy Rule does not require a covered entity to disclose PHI in its possession. The Privacy Rule permits a covered entity to disclose an individual’s PHI pursuant to his or her authorization or under circumstances and for purposes expressly described in the Privacy Rule.
Covered entities are permitted to share PHI in several circumstances that are relevant to the school safety context. This includes sharing information with law enforcement, public health authorities, parents and other caregivers, and persons in a position to help prevent a serious and imminent harm to health or safety.
For example, providers are permitted to make such disclosures when required by state or federal law or in response to an administrative subpoena or other civil legal process. Providers may also disclose limited information to help identify or locate a suspect, witness, or missing person; and about individuals who are suspected to be or who are victims of crime. In general, school employees are not providers under HIPAA. However, there may be certain situations where a school employee (such as a nurse or counselor) is a health provider, and in that case HIPAA may apply.
Covered entities may disclose PHI to public health authorities for public health activities (45 CFR 164.512(b)), which could include violence prevention initiatives or state law requirements to report child abuse or neglect.
The Privacy Rule generally treats parents as “personal representatives” of their minor children. Personal representatives generally have the authority to act on behalf of the minor child when providing consent to share information under HIPAA. Providers can decide not to treat a parent as a personal representative if, for example, they have concerns that doing so might put the child’s safety at risk.
The HIPAA Privacy Rule also permits healthcare providers and other covered entities to share PHI with persons involved in the care or payment for care of individuals who are not able to agree or object to the disclosure (e.g., due to a mental health crisis). This is based on the entity’s judgment that sharing PHI is in the best interests of the patient. Under these circumstances, the recipients of the information may include family members, such as parents of children who are no longer minors.
Providers and other covered entities may disclose patient PHI to avert a serious and imminent threat to the health or safety of the patient or others when they have a good faith belief that such a disclosure is necessary to prevent or lessen the threat. Under these circumstances, providers may alert those persons they believe are reasonably able to prevent or lessen the threat. This includes law enforcement, school officials, teachers, parents, friends, school counselors, or anyone reasonably able to help avert the harm. The disclosure must be made in good faith and be consistent with applicable law and standards of ethical conduct.
With respect to records held by schools, HIPAA excludes individually identifiable information in “education records” covered by the Family Educational Rights and Privacy Act (FERPA) and certain “treatment records” of eligible students from the definition of PHI. In most cases, therefore, records created by a school nurse or other school health professional (including those that are HIPAA-covered entities) are not subject to the HIPAA Privacy Rule.
When HIPAA does apply in school settings and for PHI related to minor children, HHS Office for Civil Rights (OCR) guidance and resource materials help clarify the circumstances when providers may disclose information to parents.
Confidentiality of substance use disorder patient records
The Part 2 regulations apply to any federally assisted program that identifies itself as a substance use disorder (SUD) program providing treatment services. The regulations require that treatment records identifying a patient as having or having had a SUD be confidential and only disclosed under expressly authorized circumstances. In general, a SUD treatment program that is subject to Part 2 must obtain written patient consent before disclosing patient-identifying information. Once this information is disclosed, re-disclosure is not permitted unless expressly permitted by the written consent of the patient or unless otherwise permitted under Part 2. Certain exceptions to the written consent requirement are permitted under Part 2, such as disclosures for research, medical emergency, and audit and evaluation purposes.
- OCR should analyze current HIPAA guidance to: a) Determine whether simpler, more user-friendly information is needed; b) Identify additional scenarios based on current school settings to improve understanding of when HIPAA applies to such settings; and c) Determine how new or revised guidance may improve coordination between mental health providers, family members, other healthcare professionals, law enforcement, and school personnel.
- The U.S. Department of Health and Human Services (HHS) should analyze the need for joint OCR-SAMHSA guidance to clarify and explain how HIPAA and 42 CFR Part 2 apply and intersect across different settings to help further address the potential for violence related to comorbidity of SUDs and Serious Mental Illness.
- HHS should analyze the HIPAA Privacy Rule and existing guidance to determine how current provisions related to disclosures (such as those relating to serious and imminent harm) impact the ability or willingness of covered healthcare providers to report when an individual poses a risk of violence to a school or in another setting. Determine if changes to the Privacy Rule are warranted.
- HHS should amend the HIPAA Privacy Rule to create a stronger safe harbor for providers to disclose (to a state public health or law enforcement authority) information about patients who need to receive continuous, monitored care because they may be a threat to themselves or others.
- All appropriate federal agencies should support the development of applications (including for mobile platforms) and electronic health record systems that facilitate patient consent to information sharing among providers.
States and local communities
- State and local healthcare providers should ask patients to identify any family members or other helpers or caregivers involved in their care before an emergency occurs so the providers know not only who to notify in an emergency situation, but also who to call about their care.
- To prepare for potential emergency circumstances, schools, healthcare providers, and others affected by the HIPAA Privacy Rule should familiarize themselves with the OCR guidance described above (as well as other applicable law and professional ethical standards) before an emergency occurs.