What Is FERPA?
FERPA is a federal law that protects the privacy of student education records.
The law applies to all educational agencies and institutions that receive funds
under any U.S. Department of Education program (termed “institutions”). FERPA
gives parents certain rights with respect to their children's education records.
These rights transfer to the student when he or she reaches the age of 18 or attends
a school beyond the high school level. Students to whom the rights have transferred
are “eligible students.” The Family Policy Compliance Office at the U. S. Department
of Education administers FERPA.
FERPA protects the rights of eligible students to:
- Inspect and review education records;
- Seek to amend education records; and
- Consent to the disclosure of personally identifiable information (PII)10
from education records, except as specified by law.
For a thorough review of FERPA please see the implementing regulations
for FERPA found in Title 34 of the Code of Federal Regulations (CFR), part
99 available at http://www.ecfr.gov
What are “Education Records?”
Different types of records and information may be protected by FERPA if
that information constitutes PII from “education records.” Education records are
protected by FERPA and are broadly defined as records that are directly
related to a student and maintained by an institution, or by a party acting for
The non-exhaustive chart shows several examples of what types of records generally
are and are not considered to be education records.
Not Education Records
Records that are kept in the sole possession of the maker and used only as personal
Law enforcement unit records
Immunization and other health records, unless the records meet the exclusion for
“treatment records” under FERPA
Records made or maintained by a physician or other medical professional used only
in connection with treatment of the student (“treatment records”)
Records on services and accommodations provided to students under Section 504 of
the Rehabilitation Act of 1973, and Title II and Title III
of the ADA
Records created or received by an institution after an individual is no longer in
attendance and that are not directly related to the individual’s attendance at the
Records on a student who is employed as a result of his or her status as a student
Grades on peer-graded papers before they are collected and recorded by an instructor
Information obtained through a school official’s personal knowledge or observation
and not from the student’s education records
Employment records (unless the individual is employed as a result of his or her
status as a student)
Additionally, records created and maintained by the institution’s law enforcement
unit are not likely to fall into the protected definition of “education records.”
See the discussion under “Balancing Safety and Privacy” for more detail on law enforcement
units under FERPA, what constitutes a law enforcement unit record, and
how these records may be used.
Treatment records are also not considered to be education records. The term “treatment
records” generally applies to records involving students who are at least 18 years
old or who are attending an institution of postsecondary education, and means records
- Made or maintained by a physician, psychiatrist, psychologist, or other recognized
professional or paraprofessional acting in his or her professional capacity or assisting
in a paraprofessional capacity;
- Made, maintained, or used only in connection with treatment of the student; and
- Disclosed only to individuals providing the treatment.
Treatment does not include remedial educational activities or activities that are
part of the program of instruction at the institution. In a college setting, treatment
records typically include those created and maintained at the campus health clinic.
Who May Access FERPA-Protected Education Records?
“School officials with a legitimate educational interest” may access FERPA-protected
education records. Institutions determine the criteria for who is considered
a school official with a legitimate educational interest under FERPA regulations.
In a postsecondary context, there is a wide variety of individuals in different
functions at the institution who could meet this definition. For example, faculty,
administrators, and support staff, including law enforcement unit personnel, health
center personnel, students serving on an official committee, the board of trustees,
and others could be considered school officials with a legitimate educational interest.
The term “school official with a legitimate educational interest” may also include
contractors, consultants, volunteers, and other parties if those individuals
- Perform an institutional service or function for which the institution would otherwise
- Are under the direct control of the agency or institution with respect to the use
and maintenance of education records; and
- Are subject to the requirements of 34 CFR § 99.33(a) which specifies that individuals
who receive information from education records may use the information only for
the purposes for which the disclosure was made and which generally prohibits the
redisclosure of PII from education records to any other party without the prior
consent of the parent or eligible student. There are, however, exceptions to this
In addition, institutions must notify eligible students of their rights under FERPA,
and must include in this notification the criteria for who constitutes an IHE official
and what constitutes a legitimate educational interest. The U.S. Department of Education
provides model notification statements on its website at
This means that if an institution wishes to consider non-employee members of its
threat assessment team, its contracted counseling, nursing, service, or security
staff, campus safety officials, and other non-employees as “school officials” who
may have access to education records, the institution must ensure that these individuals
meet the criteria in the bullets above and the criteria in the IHE’s annual notification
of FERPA rights.
Parents of an eligible student may, in some cases and at the discretion of the
institution, access FERPA-protected records. When a student
turns 18 years old or enters a postsecondary institution, all rights afforded to
parents under FERPA transfer to the student (the “eligible student”). However,
institutions may – but are not required to – share information from an eligible
student’s records with parents, without the eligible student’s consent, if an exception
to the general requirement of consent is applicable, such as
- If the student is claimed as a dependent for tax purposes;
- If the student is under 21 at the time of disclosure and if the student has violated
any law or institutional rule or policy concerning the use or possession of alcohol
or a controlled substance, and the postsecondary institutions determines that the
student has committed a disciplinary violation with respect to that use or possession;
- Information based on that official’s personal knowledge or observation of the student;
- During a health or safety emergency involving their child.
Balancing Safety and Privacy
Postsecondary institution officials must balance safety interests and student privacy
interests. FERPA contains exceptions to the general consent requirement,
including the “health or safety emergency exception,” and exceptions to the definition
of education records, including “law enforcement unit records,” which provide school
officials with tools to support this goal.
The Health or Safety Emergency Exception to the Consent Requirement
FERPA generally requires written consent before the IHE may disclose PII
from the student’s education records. However, the FERPA regulations permit
IHE officials to disclose PII from education records without consent to appropriate
parties only when there is an actual, impending, or imminent emergency, such as
an articulable and significant threat. Information may be disclosed only to protect
the health or safety of students or other individuals. In applying the health and
safety exception, note that:
- Institutions determine what constitutes a health or safety emergency.
- “Appropriate parties” typically include law enforcement officials, first responders,
public health officials, trained medical personnel, and parents, including parents
of an eligible student.
- This FERPA exception is temporally limited to the period of the emergency
and does not allow for a blanket release of PII. It does not allow disclosures to
address emergencies that might occur, such as would be the case in emergency preparedness
- The information that may be disclosed is limited to only PII from an education record
that is needed based on the type of emergency.
- Disclosures based on this exception must be documented in the student’s education
records to memorialize the
- Emergency that formed the basis for the disclosure; and
- Parties with whom the IHE shared the PII.
The U.S. Department of Education would not find an institution in violation of FERPA
for disclosing FERPA-protected information under the health or safety exception
as long as the institution had a rational basis, based on the information available
at the time, for making its determination that there was an articulable and significant
threat to the health or safety of the student or other individuals.
For more information on the health and safety exception, see Addressing Emergencies
on Campus, June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf
and see 34 CFR §§ 99.31(a)(10) and 99.36 available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf
The Law Enforcement Unit Records Exemption to the Definition of Education Records
FERPA defines a “law enforcement unit” as any individual, office, department,
division, or other component of an educational agency or institution, such as a
unit of commissioned police officers or non-commissioned security guards, that is
officially authorized or designated by that agency or institution to
- Enforce any local, state, or federal law, or refer to appropriate authorities a
matter for enforcement any local, states, or federal law against any individual
or organization other than the agency or institution itself; or
- Maintain the physical security and safety of the institution.
Significantly, to be considered a “law enforcement unit” under this definition,
an individual or component must be officially authorized or designated to carry
out the functions listed above by the institution. IHEs may designate a traditional
law enforcement entity (such as a campus safety department, campus police officer,
or other IHE security personnel), or opt to designate another non-law-enforcement
school official to serve as their law enforcement unit, such as a provost or other
FERPA does not prevent institutions from disclosing information from records
maintained by the law enforcement unit were created for law enforcement purposes
by the law enforcement unit to anyone, subject to state law, including outside law
enforcement authorities, without the consent of the eligible student during an emergency
Law enforcement unit records, which are not subject to the FERPA consent
requirements, are defined as records that are
- Created by a law enforcement unit;
- Created for a law enforcement purpose; and
- Maintained by the law enforcement unit.
Law enforcement unit records do NOT include
- Records created by a law enforcement unit for a law enforcement purpose that are
maintained by a component of the institution other than the law enforcement unit,
such as a provost, dean, disability services coordinator, or health clinic;
- Records received from another component of the IHE, such as health records, PII
collected about or related to the disability of a student, and disciplinary records;
- Records created and maintained by a law enforcement unit exclusively for a non-law
enforcement purpose, such as an institutional disciplinary action or proceeding.
In designating a law enforcement unit and using law enforcement unit records, note
- To be given access to PII from a student’s education records, law enforcement unit
officials who are employed by the institution must meet the criteria set forth in
the institution’s FERPA notification for “school officials with a legitimate
educational interest.” While law enforcement unit officials are not required to
be an institution’s officials under FERPA, many institutions have found
that it is useful for them to be their officials so that they may access education
records that may be necessary to ensure IHE safety. For instance, if a student has
been barred from campus for a period of time (a fact that would be recorded in the
student’s education records), the law enforcement unit might need to know this in
case the student attempts to enter a campus building when not permitted to do so.
- An institution’s law enforcement unit officials must protect the privacy of education
records they receive and may disclose them only in compliance with FERPA.
For that reason, we recommend that law enforcement unit records be maintained separately
from education records.
For more information on law enforcement unit records and FERPA, refer to
the following sources:
“Addressing Emergencies on Campus,” June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf
The discussion in the preamble to the final rule in the Federal Register published
Dec. 9, 2008, starting on page 74,815 addresses law enforcement unit records and
starting on page 74,834, discusses FERPA (available at http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf)
The Family Policy Compliance Office website at http://www.ed.gov/policy/gen/guid/fpco/index.html
The regulatory definition of “Law Enforcement Unit” under FERPA in 34 CFR
§ 99.8(a) available at "http://www.ecfr.gov.
Common FERPA Misunderstandings
Institutional administrators and their partner organizations must understand FERPA
and its implications because misinterpretations of the law and subsequent delays
in information sharing can hinder first responders’ efforts to provide necessary
assistance in a health or safety emergency.
Sharing Personal Observation or Knowledge
Misinterpreting FERPA can lead institutional administrators to miss opportunities
to share crucial information that could prevent an emergency situation. For instance,
some institutions incorrectly believe that information obtained from a school official’s
personal observations or knowledge is protected by FERPA. In fact, personal
observation or knowledge is generally not considered to be part of the student’s
education records (see “What Are Education Records”
) and therefore may be disclosed. For example, if a faculty member overhears a student
making threatening remarks to other students or is concerned after having a discussion
with a student that the student may be violent, the faculty member is not prohibited
from sharing that information with appropriate authorities, including the parents
of the students who were threatened and the student’s parents. While FERPA
would not prohibit the sharing of such information with others, there may be state
laws or institutional policies and procedures that would preclude the faculty member
from sharing the information.
However, if a school official learns of information about a student through his
or her official role in creating or maintaining an education record, then that information
would be covered by FERPA. For instance, if an institutional disciplinary
panel takes action against a student, then an individual serving on the panel would
not be permitted to non-consensually disclose that information because he or she
gained personal knowledge of that information in making the disciplinary determination
and the determination is maintained in an education record.
The Clery Act’s Timely Warning Requirement and FERPA
The Clery Act requires institutions to, among other things, give timely
warnings of crimes that represent a threat to the safety of students or employees
. These warnings are intended to enable members of the campus community to protect
themselves. While the Clery Act does not specify what information should
be included in a timely warning,12 it should include all information
that would promote safety and that would aid in the prevention of similar crimes.
Institutions often incorrectly believe that FERPA conflicts with this timely
warning requirement. It does not. FERPA allows the release of PII from
education records in the case of an emergency without consent when needed to protect
the health and safety of others. In addition, if institutions utilize the law enforcement
unit records of a campus law enforcement unit to issue a timely warning, FERPA
is irrelevant as those records are not protected by FERPA. (See Clery Act,
20 U.S.C. §1092(f)13, with implementing regulations at 34 CFR § 668.4614.)
Releasing Directory Information
In some circumstances, institutions may be able to disclose “directory information”
to prevent an emergency situation. Directory information means information contained
in a student’s education record that would not generally be considered harmful or
an invasion of privacy if disclosed. Some examples of directory information include
a student’s name, address, telephone number, or e-mail address. Institutions must
follow certain requirements in publicly designating “directory information,” and
they may not disclose directory information from a student’s education record if
the eligible student has opted out of allowing that disclosure. (See 34 CFR §99.37.)
For example, an institution could disclose properly designated directory information
to first responders for emergency-preparedness exercises if the eligible students
have not opted out of the disclosure.
Additional Situations with FERPA Considerations
FERPA has implications in a variety of different situations, and new questions
arise as institutions become more creative and innovative in developing their campus
safety plans. In many cases, however, it is helpful to review the FERPA
basics to help you clearly think through each scenario. Following are some scenarios
that may arise.
- Infectious Disease
Under the health or safety emergency exception, school officials may, without consent,
disclose PII from education records to appropriate parties in connection with an
emergency. In the case of an influenza outbreak, for instance, if an institution’s
officials determine that an emergency exists, they may share immunization records
with parties, such as state and local public health officials, whose knowledge of
the information is necessary to protect the health or safety of students or others
in the campus community. Under this exception, institutions may share information
only during the limited period of time connected with the emergency. A blanket release
of information is not allowed. You must instead determine what information to disclose
on a case-by-case basis depending on the particular threat.
- Threat Assessment Teams (TAT)
Some institutions may need assistance in determining whether a health or safety
emergency exists for purposes of complying with FERPA. Federal agencies
encourage institutions to implement a threat assessment program, including the establishment
of a multi-disciplinary threat assessment team (TAT) that utilizes the expertise
of representatives from mental health service providers, persons familiar with emergency
procedures, and law enforcement agencies in the community, as well as from the major
areas of the institutions, such as student affairs, academic affairs, the campus
security department, and other appropriate professionals.
The TAT must comply with applicable civil rights and other federal and state laws.
Under a properly implemented threat assessment program, IHEs can respond to student
behavior that raises safety concerns that is not based on assumptions, stereotypes,
or myths about people with disabilities (including mental health-related disabilities)
and people of a particular race, color, ethnicity, national origin, religion, or
If a TAT member meets the definition of an official of the institution (as a party
to whom the IHE has outsourced administrative functions or services) with a legitimate
educational interest under FERPA, (see “Who May Access
FERPA-Protected Education Records” above), then he or she would
be able to access students’ education records in which he or she has legitimate
educational interests. A TAT member, however, may not disclose PII from education
records to anyone without consent or unless one of the exceptions to consent under
FERPA, such as the health or safety emergency exception, applies.
- Security Videos
Institutions are increasingly using security cameras as a tool to monitor and improve
student safety. Images of students captured on security videotapes that are created
and maintained by the IHE’s law enforcement unit for a law enforcement purpose,
are not considered education records under FERPA. Accordingly, these videotapes
may be shared with outside authorities, such as local law enforcement authorities,
- Transfer of Education Records
FERPA permits school officials to disclose any and all education records,
including disciplinary records, to another institution at which the student seeks
or intends to enroll.15 While student consent is not required for transferring
education records in this scenario, the institution’s annual FERPA notification
should indicate that such disclosures are made. In the absence of information about
disclosures in the annual FERPA notification, school officials must make
a reasonable attempt to notify the student about the disclosure, unless the student
initiates the disclosure. Additionally, upon request, the institution must provide
a copy of the information disclosed and an opportunity for a hearing to address
information the student believes to be inaccurate, misleading, or in violation of
the student’s rights of privacy.
- FERPA and Student Health Information
Postsecondary institutions that provide health or medical services to students may
disclose an eligible student’s treatment records to health care professionals who
are providing treatment to the student, including health care professionals who
are not part of or not acting on behalf of the institution (i.e., third-party providers),
as long as the information is being disclosed only for the purpose of providing
treatment to the student. In addition, an eligible student’s treatment records may
be disclosed to a third-party provider when the student has requested that his or
her records be reviewed by a physician or other appropriate professional of the
While, by definition, treatment records are not available to anyone other than professionals
providing treatment to the student, this does not prevent an institution from disclosing
these records for other purposes. However, once such a disclosure is made, the treatment
records are no longer excluded from the definition of “education records” and are
subject to all of the FERPA requirements as “education records” under FERPA.
For example, if the institution chooses to do so, it may make a disclosure to the
eligible student’s parents, under one of the exceptions to the general consent requirement.
The records may also be disclosed to appropriate parties in connection with a health
or safety emergency.
- FERPA and Student and Exchange Visitor Information System (SEVIS)
FERPA permits institutions to comply with information requests from the
U.S. Department of Homeland Security (DHS), U.S. Immigration and Customs Enforcement
(ICE) in order to comply with the requirements of SEVIS. Officials who have specific
questions about this and other matters involving international students should contact
the U.S. Department of Education’s Family Policy Compliance Office at 400 Maryland
Avenue SW, Washington, DC 20202-8520 or by calling 1-800-872-5327 (1-800-USA-LEARN).
- Disciplinary Records
While student disciplinary records are protected as education records under FERPA,
there are certain circumstances in which specified information contained in disciplinary
records may be disclosed without the student’s consent. Under the Clery Act,
an IHE must disclose to the accuser and the accused the outcome of an institutional
disciplinary proceeding alleging a sex offense. For this purpose, the outcome of
a disciplinary hearing means the institution’s final determination with respect
to the alleged sex offense and any sanction imposed against the accused. The final
results must include the name of the alleged perpetrator, the violation committed,
and any sanction imposed by the institution against the alleged perpetrator. An
institution may disclose to anyone—not just the victim—the final results of a disciplinary
proceeding, if it determines that the student is an alleged perpetrator of a crime
of violence or non-forcible sex offense, and with respect to the allegation made
against him or her, the student has committed a violation of the institution's rules
- Missing Students
The Clery Act, as amended, requires postsecondary institutions that maintain
on-campus student housing facilities to establish, for students who reside in on-campus
student housing, a missing student notification policy that includes notifying students
that they may register “confidential” contact information for an individual to be
contacted if the student is determined to be missing. Although missing student contact
information would be considered PII from a student’s education records under FERPA,
under the Higher Education Act, only authorized campus officials and law
enforcement officers in furtherance of a missing person investigation may have access
to this confidential contact information. This means that an institution may not
disclose a student’s confidential contact information to a student’s parent or guardian
or any other person other than authorized campus officials and law enforcement officers.
A student’s identification of a confidential contact is accepted as permission for
law enforcement personnel to contact the identified individual if the student is
determined to be missing.
Incorporating FERPA into Your Emergency Planning Process
There are critical questions and concepts that institutions should discuss with
their community partners (e.g., first responders, emergency managers, public and
mental health officials) while in the process of developing or revising an emergency
management plan. While building partnerships is critical, in gathering information
to support these partnerships, institutions must also take steps to balance student
privacy with their mission of safety.
What Information is FERPA-Protected, and When May the Institution Share
Education records are protected by FERPA, and institutions may generally
disclose PII from those records only with written consent from an eligible student,
unless a FERPA exception to consent applies. (See “What
Are ‘Education Records’”.) The following are examples of how FERPA
would apply in a variety of situations.
- Example: At the start of flu season, your local public health agency requests the
names of those students showing influenza-like symptoms, as well as the name and
location of their dorm rooms. You know that you may not disclose PII from a student’s
education records without consent if there is not a health or safety emergency or
another exception to consent under FERPA that applies. So, to facilitate
this disclosure of information, you opt to develop a consent form that identifies
students’ names and the name or location of their dorm rooms as specific PII from
student education records that you would like to share with the local public health
agency, as well as the purpose of the disclosure. The form gives eligible students
the option to allow or to not allow this sharing of information. After collecting
the signed and dated consent forms, for the students for whom you received consent,
you begin to share with the local health agency the names of those students who
are showing influenza-like symptoms and the name and location of their dorm rooms.
Your purpose in sharing this information is to help the health agency be able to
conduct real-time surveillance to prevent the spread of the illness. (See “What
- Example: Your institution’s TAT includes representatives from your community partners
(e.g., law enforcement, public health officials), and you have properly designated
them as “school officials with a legitimate educational interest.” (See “Who
May Access FERPA-Protected Records?”) The local law enforcement
agency representative on your team does not share with his police chief or other
local law enforcement officials the PII that he obtains from a student’s education
records as a TAT member while working to identify possible threats because he knows
that this is not permitted. Several months after the TAT initially convened to review
a collection of behaviors and communications concerning a particular student and
determined that there was not sufficient information demonstrating that the student
posed a threat, the team learns that the student has now communicated his intent
to harm one of his professors. At this juncture, the local law enforcement representative
(and other members of the TAT) shares pertinent PII from education records with
appropriate parties so they can take steps, such as consulting with the municipal
police agency, to protect the health or safety of the professor. (See also the discussion
of TATs under “Additional Situations with FERPA Considerations”.)
- Example: At the beginning of the fall term, your institution notified eligible students
that you had designated students’ names, phone numbers, and e-mail addresses as
“directory information,” explaining to them that you would disclose this information
upon request to anyone contacting the IHE. In your notice, you provided an option
to opt out of this disclosure, and you explained how and by when they could opt
out. When a reporter contacts your institution requesting the directory information
about a student, you check to see whether the student opted out of the disclosure
of directory information. Because the eligible student did not opt out of the IHE’s
directory information policy, you decide to provide that directory information to
the reporter. (See “Common FERPA Misunderstandings” .)
- Example: Two students have an altercation in their residence hall, and one student
is stabbed in the abdomen and falls unconscious. A bystander calls 911 for an ambulance
and contacts the resident-life director. When the ambulance arrives, the resident-life
director discloses to the EMS practitioner the PII from the student’s education
record related to the stabbed student with hemophilia without obtaining the wounded
student’s consent under the health or safety emergency exception. (See “The
Health or Safety Emergency Exception”.)
- Example: A parent of a student at your institution calls requesting PII from their
child’s education records after learning that the student has been disciplined by
the institution for underage drinking. Because you know that you may share information
without the student’s consent because the student is under 21 and has violated a
law concerning the use or possession of alcohol, and there has been a disciplinary
finding, you comply with the parent’s request. (See “Who May
Access FERPA -Protected Records”.)
What Information Is Not FERPA-Protected, and When May the IHE Share It?
Records that are created and maintained by an IHE’s law enforcement unit for law
enforcement purposes are not protected by FERPA, and there are no FERPA
restrictions on the sharing of information in law enforcement unit records. (See
“What Are ‘Education Records’?” and “Balancing Safety and Privacy”.)
- Example: Your institution contracts with a security company to provide campus security
and you properly designate the security officer as your institution’s law enforcement
unit. You also properly designate the officer as a “school official with a legitimate
educational interest.” (See “Who May Access FERPA-Protected
Records”.) The officer knows that he may not redisclose PII from education
records to anyone unless there is a health or safety emergency or another FERPA
exception to consent applies. However, he shares his law enforcement unit records
about a student who was arrested for smoking marijuana on campus with the other
law enforcement officials because he knows that law enforcement unit records are
not protected by FERPA.
Are Processes and Protocols, Including Memoranda of Understanding (MOUs), in Place
for Information Sharing and Record Keeping That Comply With FERPA?
It is important for institutions to consider entering into MOUs with law enforcement
officials and their other community partners to formalize roles, responsibilities,
and protocols. MOUs can be tailored to the needs of the individual campuses in the
jurisdiction. Any policies regarding information sharing between the institution
and the law enforcement agency, however, must comply with applicable federal, state,
and local laws, including FERPA. While information-sharing MOUs should
be developed regarding what information can be shared between departments and what
information is protected, no provision in an MOU can override an IHE’s obligations
Frequently Asked Questions Pertaining to FERPA
Q: To what entities does FERPA apply?
A: FERPA applies to educational agencies and institutions that receive
funds under any program administered by the U.S. Department of Education. This includes
virtually all public schools and school districts, and most private and public postsecondary
institutions, including medical and other professional institutions.
Q: Does an interagency agreement with partners such as the state or local health
department enable an institution to non-consensually disclose education records?
A: No. Interagency agreements do not supersede the consent requirements under FERPA.
Although an interagency agreement would be a helpful tool for planning purposes,
institutions must comply with FERPA’s requirements regarding the disclosure
of PII from students’ education records.
Q: Under the health and safety emergency exception, may an IHE non-consensually
disclose PII from education records to the media?
A: No. You generally may not disclose FERPA-protected information to the
media, unless the PII disclosed is directory information on eligible students who
have not opted out. While the media play a role in alerting the community of a health
epidemic or violent incident, they do not generally have a role in protecting the
health or safety of individual students or others at the institution.
Q: When would the health or safety exception apply?
A: Under FERPA, an emergency means a situation in which there is an articulable
and significant threat to the health or safety of students or other individuals.
This determination must be made by the institution.
Q: Do I need to tell eligible students or otherwise document when I have disclosed
information from their education records without consent under a health or safety
emergency or other exception?
A: When an educational agency or institution makes a disclosure under this exception,
an institution must record in the student’s education records the articulable and
significant threat that formed the basis for the disclosure, and the parties to
whom the information was disclosed. Eligible students have a right to inspect and
review the record of disclosure but do not need to be proactively informed that
records have been disclosed.
Q: Can members of our TAT have access to student education records?
A: School officials with legitimate educational interests may have access to a student’s
education records. Members of a TAT who are not an institution’s employees may be
designated as such if they are under the direct control of the institution with
respect to the maintenance and use of PII from education records; are subject to
the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII
from education records; and otherwise meet the IHE’s criteria for being school officials
with legitimate educational interests.
Members of a TAT who are considered school officials with a legitimate educational
interest generally cannot non-consensually redisclose PII from a student’s education
records to which he or she was privy as part of the team. However, if a TAT determines
that a health or safety emergency exists, as defined under FERPA, members
may non-consensually redisclose PII from a student’s education records on behalf
of the institution to appropriate officials under the health or safety emergency
For example, a representative from the city police force who serves on an IHE’s
TAT generally could not redisclose, without consent, PII from the student’s education
records to the city police during the initial discussions about a particular student.
However, once the TAT determines that a health or safety emergency exists, as defined
under FERPA, the representative may redisclose, without consent, PII from
a student’s education records on behalf of the institution to appropriate officials.
(See the discussion under “Additional Situations with
Q: How does FERPA interact with the Health Insurance Portability and Accountability
Act of 1996 (HIPAA)?
A: The U.S. Department of Education and the U.S. Department of Health and Human
Services (HHS) jointly developed guidance on the application of FERPA and
HIPAA. This guidance explains that records that are protected by FERPA
are exempt from the HIPAA Privacy Rule. Accordingly, school officials must
follow the requirements of FERPA with regard to the disclosure of records
protected by FERPA. For more information, please see the guidance at
Q: What are some of the other federal and states laws that are relevant to the access
and sharing of information about students that relate to emergency management planning?
A: IHEs may also be subject to federal and state civil rights laws that protect
the disclosure of information about students. IHEs and their community partners
should review guidance from the U.S. Departments of Education and Justice on any
applicable civil rights or other statutes governing privacy and information sharing,
and discuss their implications for emergency management and related planning processes.
At a minimum, in determining what constitutes an “emergency,” IHEs and their community
partners must base their decisions on actual risks and not on assumptions, stereotypes,
fears, or myths about people with disabilities (including mental health-related
disabilities) or people of a particular race, color, ethnicity, national origin,
religion, sex, sexual identity, or gender identification.16,17
Q: Whom should I contact for more information related to FERPA?
A: The U.S. Department of Education’s Family Policy Compliance Office is available
to respond to any questions about FERPA. For quick responses to routine
questions, please e-mail the U.S. Department of Education at FERPA@ed.gov. For more in-depth technical assistance or
a more formal response, you may call the Family Policy Compliance Office at 202-260-3887
or write to them at
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue SW
Washington, DC 20202-8520
In addition, please see the U.S. Department of Education’s website at http://www2.ed.gov/policy/gen/guid/fpco/index.html for the
most recent guidance.
FERPA Guidance and Resources
The Family Policy Compliance Office (FPCO) at the U. S. Department of Education
administers FERPA. FPCO has developed, and continues to develop, extensive guidance
pertaining to the implementation of FERPA and emergency situations. For
more detailed information or additional guidance, please see the FPCO website at
www.ed.gov/fpco. In addition, please see the Navigating Information Sharing Toolkit,
developed by the National Center for Mental Health Promotion and Youth Violence
Prevention, at http://sshs.promoteprevent.org/nis