On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of their “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and had not been updated since, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA, or without authorization under the HIPAA Privacy Rule, especially when those disclosures relate to emergency health or safety situations.
As discussed in a previous DBR on Data post, the U.S. Department of Education (“ED”) in recent years has repeatedly emphasized the importance of higher education institutions taking all appropriate measures to secure and protect their data systems and data from breaches and inadvertent disclosures. The threats to educational institutions’ data are real, recurring and well-documented. The University of Maryland reported in 2014 that a computer system breach compromised more than 300,000 personal records for faculty, staff and students. A private cybersecurity firm reported that Chinese hackers targeted research databases at more than two dozen universities in the 2017-18 timeframe. In 2019, applicants to Grinnell College, Hamilton College and Oberlin College discovered their admissions files were subject to a ransomware attack. These instances are just a few recent examples of significant data breaches in the education sector.
On February 5, 2019, the U.S. Department of Education (ED) released new and important regulatory guidance entitled “School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act.” This guidance document was prepared and issued in response to the December 2018 final report of the Federal Commission on School Safety (the Commission), which was established following the February 2018 shooting at Marjory Stoneman Douglas High School in Parkland, Florida. Among the findings of that final report was the following, which concerns threat assessment efforts in the nation’s schools:
On Friday, December 1, the Federal Trade Commission and the Department of Education hosted a workshop examining student privacy in the burgeoning field of “EdTech.” Both agencies regulate certain educational technology aimed at K-12 students. However, FTC rules implementing the Children’s Online Privacy Protection Act (“COPPA”) are not identical to ED regulations implementing the Family Educational Rights and Privacy Act (“FERPA”). To better understand how both rules interact in practice, the agencies solicited public comment and convened panels of experts and stakeholders – including vendors, schools, parents, and regulators.
The workshop explored several key issues, including when a school may provide consent on behalf of participating students; how record retention (and deletion) should be noticed and executed; and what limits to impose on vendors collecting personal student information. In closing, both agencies expressed a desire to provide clear, workable regulatory oversight while meaningfully protecting student privacy.
Acknowledging that schools have “long been targets for cyber thieves,” the Federal Student Aid Office (FSA) of the U.S. Department of Education (ED) posted an alert on October 16, warning school districts and other educational institutions of criminal extortion schemes threatening to release sensitive student data. Recent, similar cyberattacks in Montana and Iowa are being investigated by the FBI.
The Federal Trade Commission (FTC) and the U.S. Department of Education (ED) will co-host a live workshop on December 1, 2017 highlighting two intersecting regulatory regimes: the FTC’s rules implementing the Children’s Online Privacy Protection Act (COPPA), which applies to operators of websites and online services that collect personal information from children under the age of 13, including the EdTech services used in K-12 schools, and the simultaneous application of the Family Educational Rights and Privacy Act (FERPA), which applies to schools receiving federal education funding and is administered by ED.