Seeking Your Input on Protecting Student Medical Records

Protecting students’ privacy and ensuring colleges and universities promote a safe and healthy campus for their students has never been more important. As Chief Privacy Officer at ED, I help to lead the Department of Education in overseeing the administration of FERPA (the Family Educational Rights and Privacy Act). My office strives to provide helpful and meaningful guidance on student privacy issues and challenges that the field faces, and we’re asking the higher education community for input on protecting student medical records.

Under FERPA there are certain instances when schools can release a student’s information without their consent (known as exceptions). Recently, the Department has been asked if it is possible and/or appropriate for campus officials to share confidential medical records from on-campus services with university attorneys in the context of litigation between a university and a student. This type of sharing is potentially allowable under the “school official” exception to consent if the university attorneys have a “legitimate educational interest” in the records.

Institutions of higher education have a strong interest in ensuring that students have uncompromised access to the support they need, without fear that the information they share will be disclosed inappropriately. Providing on-campus access to medical services, including mental health services, can help promote a safe and healthy campus. The practice of sharing a student’s sensitive medical records with others not involved in their treatment may discourage the use of medical services provided on campus.

While state law plays a key role in setting the rules about disclosing medical information, we believe that HIPAA, the Health Insurance Portability and Accountability Act, provides a helpful guide for those situations where federal law is controlling.

Under the HIPAA Privacy Rule, a covered health care provider, such as a hospital, may use or disclose the minimum necessary protected health information (PHI) for its own legal purposes related to its treatment or payment functions (for example, by providing the information to its own counsel to seek legal advice, or submitting briefs in a court action to which it is a party) without an individual’s authorization or a court order or other lawful process.

We think this standard makes sense, and that FERPA’s school official exception should be construed to offer protections that are similar to HIPAA’s. We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent.

The only exception is if the litigation in question relates directly to the medical treatment itself or the payment for that treatment, and even then institutions should only disclose those records that are relevant and necessary to the litigation. To provide a clarifying example, if an institution provided counseling services to a student and the student subsequently sued the institution claiming that the services were inadequate, the school’s attorneys should be able to access the student’s treatment records to defend the school without obtaining a court order or consent.

However, if instead the litigation between the institution and the student concerned the student’s eligibility to graduate, the school should not access the student’s treatment records without first obtaining a court order or consent. Thus, I am issuing a draft Dear Colleague letter that provides guidance on this and related issues.

Considering the complex nature of this issue however, we are seeking public input on our draft guidance, as we believe that this input will result in a better product. To the extent practicable, we commit to making all comments public as they are submitted; though depending on the volume of comments, we may wait and publish all comments at the conclusion of the comment period. While we welcome input on all aspects of this letter, we are particularly interested in your views on the following matters:

  1. Whether this guidance would create any unintended consequences. For example, would this guidance in any way restrict the work of threat assessment teams, as we believe these teams are often the best method for schools and colleges to assess whether a given student constitutes a threat to him/herself or others?
  2. Recognizing that getting a court order or consent will create additional burden on institutions, is there a way to mitigate that burden without lessening the protections given to students?
  3. If this guidance is extended outside the postsecondary context to include K-12 and early childhood, what other factors need to be considered? For example, how would this guidance fit within the context of elementary and secondary school counselors, or disputes regarding special education services?

We welcome your input for 45 days, until October 2nd. Please fill out the form below or send your comments via email to

Submit Comments

Your Name (required)

Your Email (required)

Your City and State

Your comments on protecting student medical records

Kathleen Styles is the Chief Privacy Officer at the U.S. Department of Education.

Ask Arne: Procuring Privacy

When I think of privacy a few images pop into my head:  a “do not disturb” sign, the settings on my social media accounts, or me locking the bathroom door so that my kids can’t come barging in after me.

But the term “privacy” has taken on new meaning in the digital age, and is now accompanied by terms like big data, devices, and the cloud.

As I lead from the classroom, I struggle with one question, “How do I create and innovate while protecting my students’ privacy?”

And I am not the only one asking this question.

Throughout the past few months, I have had the privilege of attending several educational technology events in my capacity as a Teaching Ambassador Fellow with the U.S. Department of Education and I have heard this question on repeat, along with a few others. What data is collected from students? Who has access to it? How is it used? I recently sat down with Secretary of Education Arne Duncan to ask him about student data privacy. Watch the video below:

Personally, I love technology and I love data. I use data every day in my classroom as a method of measuring my effectiveness and my students’ progress. On a typical day, within the first seven minutes of my class, students will enter my room, grab their iPads, sign into our class website, and take a diagnostic survey or poll that builds upon prior knowledge, as well as introduces new concepts for that day’s lesson. These types of formative checks occur roughly five times within one block period and provide real-time data, real-time feedback, and allow me to personalize lessons based on students’ individual needs.  Consequently, the data collected from one class period serves as the foundation for the next class period.

According to the Fordham Institute, 95 percent of districts rely on cloud services for several purposes, such as monitoring student performance, supporting instruction, student guidance, as well as special services such as cafeteria payments and transportation.  While cloud storage is a common practice of school districts, the present concern is that districts are taking appropriate measures for safeguarding this data.

Currently, three keystone federal laws protect student privacy: The Family Educational Rights and Privacy Act, The Protection of Pupil Rights Amendment, and the Children’s Online Privacy Protection Act.  More recently, the Department of Education announced the Privacy Technical Assistance Center (PTAC) to help educators interpret laws and gain access to best practices around student data and privacy. Furthermore, groups like Common Sense Media launched the School Privacy Zone Campaign in an attempt to support connected classrooms that protect and safeguard student privacy.

Today, I feel an even greater pressure to utilize data in rigorous ways that ensure my students are college-and-career-ready. The one way that I know how to meet the diverse needs of every student is to use technology. While I believe in the power of technology and its ability to transform learning, I also know that my students’ safety comes first. My hope is that schools, districts, states, and the federal government will continue working to create the right policies to support the needs of educators so that they may create and innovate in their classrooms, and protect their students.

Emily Davis is a Teaching Ambassador Fellow at the U.S. Department of Education.

New Guidance: Tech and Protecting Student Data

Today, more than ever, schools and districts are managing a lot of digital data. Some of that has to do with teaching and learning, but there’s plenty more: from bus routes, to food service records, to enrollment and attendance information. Districts and schools are working to be more efficient and smarter about storing and using data. Many have chosen to move data “in the cloud,” meaning off-site data centers that securely store information.

PTAC VideoThis advancement in data storage has created some important and reasonable questions about what steps are being taken to insure that student data is kept secure and private. In a speech yesterday at the Common Sense Media Privacy Zone Conference, in Washington, D.C., Secretary of Education Arne Duncan reaffirmed that school systems “owe families the highest standard of security and privacy.”

What I want to say to you today is that the benefits for students of technological advancement can’t be a trade-off with the security and privacy of our children.

We must provide our schools, teachers and students cutting-edge learning tools. And we must protect our children’s privacy. We can and must accomplish both goals – but we will have to get smarter to do it.

Duncan noted that many school systems are showing leadership on the privacy front, such as the Kansas State Department of Education, which has developed an innovative data quality certification program to train staff on data quality practices and techniques, including privacy and security.

Read Secretary Duncan’s speech – Technology in Education: Privacy and Progress

In a panel following the speech, Acting Deputy Education Sec. Jim Shelton talked with Julie Brill of the Federal Trade Commission about further actions the federal government can take to protect student privacy in education, floating the possibility of joint efforts between the two agencies.

Earlier today, the U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) released new guidance to help school systems and educators interpret and understand the major laws and best practices protecting student privacy while using online educational services. The guidance addresses a range of concerns regarding the security and privacy of student data.

Click here to read the new guidance.

Cameron Brenchley is director of digital strategy at the U.S. Department of Education