Information Sharing: Family Educational Rights and Privacy Act (FERPA)

What Is FERPA?

FERPA is a federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive funds under any U.S. Department of Education program (termed “institutions”). FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” The Student Privacy Policy Office at the U. S. Department of Education administers FERPA.

FERPA protects the rights of eligible students to:

• Inspect and review education records;
• Seek to amend education records; and
• Consent to the disclosure of personally identifiable information (PII)¹⁰ from education records, except as specified by law.

For a thorough review of FERPA please see the implementing regulations for FERPA found in Title 34 of the Code of Federal Regulations (CFR), part 99 available at https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&tpl=/ecfrbrowse/Title34/34cfr99_main_02.tpl

What are “Education Records?”

Different types of records and information may be protected by FERPA if that information constitutes PII from “education records.” Education records are protected by FERPA and are broadly defined as records that are directly related to a student and maintained by an institution, or by a party acting for the institution.

The non-exhaustive chart shows several examples of what types of records generally are and are not considered to be education records.

Additionally, records created and maintained by the institution’s law enforcement unit are not likely to fall into the protected definition of “education records.” See the discussion under “Balancing Safety and Privacy” for more detail on law enforcement units under FERPA, what constitutes a law enforcement unit record, and how these records may be used.

Treatment records are also not considered to be education records. The term “treatment records” generally applies to records involving students who are at least 18 years old or who are attending an institution of postsecondary education, and means records that are

• Made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional capacity or assisting in a paraprofessional capacity;
• Made, maintained, or used only in connection with treatment of the student; and
• Disclosed only to individuals providing the treatment.

Treatment does not include remedial educational activities or activities that are part of the program of instruction at the institution. In a college setting, treatment records typically include those created and maintained at the campus health clinic.

Who May Access FERPA-Protected Education Records?

“School officials with a legitimate educational interest” may access FERPA-protected education records. Institutions determine the criteria for who is considered a school official with a legitimate educational interest under FERPA regulations. In a postsecondary context, there is a wide variety of individuals in different functions at the institution who could meet this definition. For example, faculty, administrators, and support staff, including law enforcement unit personnel, health center personnel, students serving on an official committee, the board of trustees, and others could be considered school officials with a legitimate educational interest.

The term “school official with a legitimate educational interest” may also include contractors, consultants, volunteers, and other parties if those individuals

• Perform an institutional service or function for which the institution would otherwise use employees;
• Are under the direct control of the agency or institution with respect to the use and maintenance of education records; and
• Are subject to the requirements of 34 CFR § 99.33(a) which specifies that individuals who receive information from education records may use the information only for the purposes for which the disclosure was made and which generally prohibits the redisclosure of PII from education records to any other party without the prior consent of the parent or eligible student. There are, however, exceptions to this prohibition.

In addition, institutions must notify eligible students of their rights under FERPA, and must include in this notification the criteria for who constitutes an IHE official and what constitutes a legitimate educational interest. The U.S. Department of Education provides model notification statements on its website at https://studentprivacy.ed.gov/resources/ferpa-model-notification-postsecondary-officials

This means that if an institution wishes to consider non-employee members of its threat assessment team, its contracted counseling, nursing, service, or security staff, campus safety officials, and other non-employees as “school officials” who may have access to education records, the institution must ensure that these individuals meet the criteria in the bullets above and the criteria in the IHE’s annual notification of FERPA rights.

Parents of an eligible student may, in some cases and at the discretion of the institution, access FERPA-protected records. When a student turns 18 years old or enters a postsecondary institution, all rights afforded to parents under FERPA transfer to the student (the “eligible student”). However, institutions may – but are not required to – share information from an eligible student’s records with parents, without the eligible student’s consent, if an exception to the general requirement of consent is applicable, such as

• If the student is claimed as a dependent for tax purposes;
• If the student is under 21 at the time of disclosure and if the student has violated any law or institutional rule or policy concerning the use or possession of alcohol or a controlled substance, and the postsecondary institutions determines that the student has committed a disciplinary violation with respect to that use or possession;
• Information based on that official’s personal knowledge or observation of the student; or
• During a health or safety emergency involving their child.

Balancing Safety and Privacy

Postsecondary institution officials must balance safety interests and student privacy interests. FERPA contains exceptions to the general consent requirement, including the “health or safety emergency exception,” and exceptions to the definition of education records, including “law enforcement unit records,” which provide school officials with tools to support this goal.

The Health or Safety Emergency Exception to the Consent Requirement

FERPA generally requires written consent before the IHE may disclose PII from the student’s education records. However, the FERPA regulations permit IHE officials to disclose PII from education records without consent to appropriate parties only when there is an actual, impending, or imminent emergency, such as an articulable and significant threat. Information may be disclosed only to protect the health or safety of students or other individuals. In applying the health and safety exception, note that:

• Institutions determine what constitutes a health or safety emergency.
• “Appropriate parties” typically include law enforcement officials, first responders, public health officials, trained medical personnel, and parents, including parents of an eligible student.
• This FERPA exception is temporally limited to the period of the emergency and does not allow for a blanket release of PII. It does not allow disclosures to address emergencies that might occur, such as would be the case in emergency preparedness activities.
• The information that may be disclosed is limited to only PII from an education record that is needed based on the type of emergency.
• Disclosures based on this exception must be documented in the student’s education records to memorialize the
  • Emergency that formed the basis for the disclosure; and
  • Parties with whom the IHE shared the PII.

The U.S. Department of Education would not find an institution in violation of FERPA for disclosing FERPA-protected information under the health or safety exception as long as the institution had a rational basis, based on the information available at the time, for making its determination that there was an articulable and significant threat to the health or safety of the student or other individuals.

For more information on the health and safety exception, see Addressing Emergencies on Campus, June 2011, available at https://rems.ed.gov/docs/ED_AddressingEmergenciesOnCampus.pdf and see 34 CFR §§ 99.31(a)(10) and 99.36 available at https://www.ecfr.gov/current/title-34/subtitle-A/part-99/subpart-D/section-99.31#p-99.31(a) and https://www.ecfr.gov/current/title-34/subtitle-A/part-99/subpart-D/section-99.36.

The Law Enforcement Unit Records Exemption to the Definition of Education Records

FERPA defines a “law enforcement unit” as any individual, office, department, division, or other component of an educational agency or institution, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that agency or institution to

1. Enforce any local, state, or federal law, or refer to appropriate authorities a matter for enforcement any local, states, or federal law against any individual or organization other than the agency or institution itself; or
2. Maintain the physical security and safety of the institution.

Significantly, to be considered a “law enforcement unit” under this definition, an individual or component must be officially authorized or designated to carry out the functions listed above by the institution. IHEs may designate a traditional law enforcement entity (such as a campus safety department, campus police officer, or other IHE security personnel), or opt to designate another non-law-enforcement school official to serve as their law enforcement unit, such as a provost or other school official.

FERPA does not prevent institutions from disclosing information from records maintained by the law enforcement unit were created for law enforcement purposes by the law enforcement unit to anyone, subject to state law, including outside law enforcement authorities, without the consent of the eligible student during an emergency or otherwise.

Law enforcement unit records, which are not subject to the FERPA consent requirements, are defined as records that are

• Created by a law enforcement unit;
• Created for a law enforcement purpose; and
• Maintained by the law enforcement unit.

Law enforcement unit records do NOT include

• Records created by a law enforcement unit for a law enforcement purpose that are maintained by a component of the institution other than the law enforcement unit, such as a provost, dean, disability services coordinator, or health clinic;
• Records received from another component of the IHE, such as health records, PII collected about or related to the disability of a student, and disciplinary records; and
• Records created and maintained by a law enforcement unit exclusively for a non-law enforcement purpose, such as an institutional disciplinary action or proceeding.

In designating a law enforcement unit and using law enforcement unit records, note that

• To be given access to PII from a student’s education records, law enforcement unit officials who are employed by the institution must meet the criteria set forth in the institution’s FERPA notification for “school officials with a legitimate educational interest.” While law enforcement unit officials are not required to be an institution’s officials under FERPA, many institutions have found that it is useful for them to be their officials so that they may access education records that may be necessary to ensure IHE safety. For instance, if a student has been barred from campus for a period of time (a fact that would be recorded in the student’s education records), the law enforcement unit might need to know this in case the student attempts to enter a campus building when not permitted to do so.
• An institution’s law enforcement unit officials must protect the privacy of education records they receive and may disclose them only in compliance with FERPA. For that reason, we recommend that law enforcement unit records be maintained separately from education records.

For more information on law enforcement unit records and FERPA, refer to the following sources:

“Addressing Emergencies on Campus,” June 2011, available at https://rems.ed.gov/docs/ED_AddressingEmergenciesOnCampus.pdf

Student Privacy Policy Office website https://studentprivacy.ed.gov/

The regulatory definition of “Law Enforcement Unit” under FERPA in 34 CFR § 99.8(a) available at "https://www.ecfr.gov/current/title-34/subtitle-A/part-99/subpart-A/section-99.8.

Common FERPA Misunderstandings

Institutional administrators and their partner organizations must understand FERPA and its implications because misinterpretations of the law and subsequent delays in information sharing can hinder first responders’ efforts to provide necessary assistance in a health or safety emergency.

Sharing Personal Observation or Knowledge

Misinterpreting FERPA can lead institutional administrators to miss opportunities to share crucial information that could prevent an emergency situation. For instance, some institutions incorrectly believe that information obtained from a school official’s personal observations or knowledge is protected by FERPA. In fact, personal observation or knowledge is generally not considered to be part of the student’s education records (see “What Are Education Records” ) and therefore may be disclosed. For example, if a faculty member overhears a student making threatening remarks to other students or is concerned after having a discussion with a student that the student may be violent, the faculty member is not prohibited from sharing that information with appropriate authorities, including the parents of the students who were threatened and the student’s parents. While FERPA would not prohibit the sharing of such information with others, there may be state laws or institutional policies and procedures that would preclude the faculty member from sharing the information.

However, if a school official learns of information about a student through his or her official role in creating or maintaining an education record, then that information would be covered by FERPA. For instance, if an institutional disciplinary panel takes action against a student, then an individual serving on the panel would not be permitted to non-consensually disclose that information because he or she gained personal knowledge of that information in making the disciplinary determination and the determination is maintained in an education record.

The Clery Act’s Timely Warning Requirement and FERPA

The Clery Act requires institutions to, among other things, give timely warnings of crimes that represent a threat to the safety of students or employees . These warnings are intended to enable members of the campus community to protect themselves. While the Clery Act does not specify what information should be included in a timely warning,¹² it should include all information that would promote safety and that would aid in the prevention of similar crimes. Institutions often incorrectly believe that FERPA conflicts with this timely warning requirement. It does not. FERPA allows the release of PII from education records in the case of an emergency without consent when needed to protect the health and safety of others. In addition, if institutions utilize the law enforcement unit records of a campus law enforcement unit to issue a timely warning, FERPA is irrelevant as those records are not protected by FERPA. (See Clery Act, 20 U.S.C. §1092(f)¹³, with implementing regulations at 34 CFR § 668.46¹⁴.)

Releasing Directory Information

In some circumstances, institutions may be able to disclose “directory information” to prevent an emergency situation. Directory information means information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Some examples of directory information include a student’s name, address, telephone number, or e-mail address. Institutions must follow certain requirements in publicly designating “directory information,” and they may not disclose directory information from a student’s education record if the eligible student has opted out of allowing that disclosure. (See 34 CFR §99.37.) For example, an institution could disclose properly designated directory information to first responders for emergency-preparedness exercises if the eligible students have not opted out of the disclosure.

Additional Situations with FERPA Considerations

FERPA has implications in a variety of different situations, and new questions arise as institutions become more creative and innovative in developing their campus safety plans. In many cases, however, it is helpful to review the FERPA basics to help you clearly think through each scenario. Following are some scenarios that may arise.

• Infectious Disease

  Under the health or safety emergency exception, school officials may, without consent, disclose PII from education records to appropriate parties in connection with an emergency. In the case of an influenza outbreak, for instance, if an institution’s officials determine that an emergency exists, they may share immunization records with parties, such as state and local public health officials, whose knowledge of the information is necessary to protect the health or safety of students or others in the campus community. Under this exception, institutions may share information only during the limited period of time connected with the emergency. A blanket release of information is not allowed. You must instead determine what information to disclose on a case-by-case basis depending on the particular threat.

• Threat Assessment Teams (TAT)

  Some institutions may need assistance in determining whether a health or safety emergency exists for purposes of complying with FERPA. Federal agencies encourage institutions to implement a threat assessment program, including the establishment of a multi-disciplinary threat assessment team (TAT) that utilizes the expertise of representatives from mental health service providers, persons familiar with emergency procedures, and law enforcement agencies in the community, as well as from the major areas of the institutions, such as student affairs, academic affairs, the campus security department, and other appropriate professionals.

  The TAT must comply with applicable civil rights and other federal and state laws. Under a properly implemented threat assessment program, IHEs can respond to student behavior that raises safety concerns that is not based on assumptions, stereotypes, or myths about people with disabilities (including mental health-related disabilities) and people of a particular race, color, ethnicity, national origin, religion, or sex.

  If a TAT member meets the definition of an official of the institution (as a party to whom the IHE has outsourced administrative functions or services) with a legitimate educational interest under FERPA, (see “Who May Access FERPA-Protected Education Records” above), then he or she would be able to access students’ education records in which he or she has legitimate educational interests. A TAT member, however, may not disclose PII from education records to anyone without consent or unless one of the exceptions to consent under FERPA, such as the health or safety emergency exception, applies.

• Security Videos

  Institutions are increasingly using security cameras as a tool to monitor and improve student safety. Images of students captured on security videotapes that are created and maintained by the IHE’s law enforcement unit for a law enforcement purpose, are not considered education records under FERPA. Accordingly, these videotapes may be shared with outside authorities, such as local law enforcement authorities, as appropriate.

• Transfer of Education Records

  FERPA permits school officials to disclose any and all education records, including disciplinary records, to another institution at which the student seeks or intends to enroll.¹⁵ While student consent is not required for transferring education records in this scenario, the institution’s annual FERPA notification should indicate that such disclosures are made. In the absence of information about disclosures in the annual FERPA notification, school officials must make a reasonable attempt to notify the student about the disclosure, unless the student initiates the disclosure. Additionally, upon request, the institution must provide a copy of the information disclosed and an opportunity for a hearing to address information the student believes to be inaccurate, misleading, or in violation of the student’s rights of privacy.

• FERPA and Student Health Information

  Postsecondary institutions that provide health or medical services to students may disclose an eligible student’s treatment records to health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the institution (i.e., third-party providers), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student’s treatment records may be disclosed to a third-party provider when the student has requested that his or her records be reviewed by a physician or other appropriate professional of the student’s choice.

  While, by definition, treatment records are not available to anyone other than professionals providing treatment to the student, this does not prevent an institution from disclosing these records for other purposes. However, once such a disclosure is made, the treatment records are no longer excluded from the definition of “education records” and are subject to all of the FERPA requirements as “education records” under FERPA. For example, if the institution chooses to do so, it may make a disclosure to the eligible student’s parents, under one of the exceptions to the general consent requirement. The records may also be disclosed to appropriate parties in connection with a health or safety emergency.

• FERPA and Student and Exchange Visitor Information System (SEVIS)

  FERPA permits institutions to comply with information requests from the U.S. Department of Homeland Security (DHS), U.S. Immigration and Customs Enforcement (ICE) in order to comply with the requirements of SEVIS. Officials who have specific questions about this and other matters involving international students should contact the U.S. Department of Education’s Student Privacy Policy Office at 400 Maryland Avenue SW, Washington, DC 20202-8520 or by calling 1-800-872-5327 (1-800-USA-LEARN).

• Disciplinary Records

  While student disciplinary records are protected as education records under FERPA, there are certain circumstances in which specified information contained in disciplinary records may be disclosed without the student’s consent. Under the Clery Act, an IHE must disclose to the accuser and the accused the outcome of an institutional disciplinary proceeding alleging a sex offense. For this purpose, the outcome of a disciplinary hearing means the institution’s final determination with respect to the alleged sex offense and any sanction imposed against the accused. The final results must include the name of the alleged perpetrator, the violation committed, and any sanction imposed by the institution against the alleged perpetrator. An institution may disclose to anyone—not just the victim—the final results of a disciplinary proceeding, if it determines that the student is an alleged perpetrator of a crime of violence or non-forcible sex offense, and with respect to the allegation made against him or her, the student has committed a violation of the institution's rules or policies.

• Missing Students

  The Clery Act, as amended, requires postsecondary institutions that maintain on-campus student housing facilities to establish, for students who reside in on-campus student housing, a missing student notification policy that includes notifying students that they may register “confidential” contact information for an individual to be contacted if the student is determined to be missing. Although missing student contact information would be considered PII from a student’s education records under FERPA, under the Higher Education Act, only authorized campus officials and law enforcement officers in furtherance of a missing person investigation may have access to this confidential contact information. This means that an institution may not disclose a student’s confidential contact information to a student’s parent or guardian or any other person other than authorized campus officials and law enforcement officers. A student’s identification of a confidential contact is accepted as permission for law enforcement personnel to contact the identified individual if the student is determined to be missing.

Incorporating FERPA into Your Emergency Planning Process

There are critical questions and concepts that institutions should discuss with their community partners (e.g., first responders, emergency managers, public and mental health officials) while in the process of developing or revising an emergency management plan. While building partnerships is critical, in gathering information to support these partnerships, institutions must also take steps to balance student privacy with their mission of safety.

What Information is FERPA-Protected, and When May the Institution Share It?

Education records are protected by FERPA, and institutions may generally disclose PII from those records only with written consent from an eligible student, unless a FERPA exception to consent applies. (See “What Are ‘Education Records’”.) The following are examples of how FERPA would apply in a variety of situations.

• Example: At the start of flu season, your local public health agency requests the names of those students showing influenza-like symptoms, as well as the name and location of their dorm rooms. You know that you may not disclose PII from a student’s education records without consent if there is not a health or safety emergency or another exception to consent under FERPA that applies. So, to facilitate this disclosure of information, you opt to develop a consent form that identifies students’ names and the name or location of their dorm rooms as specific PII from student education records that you would like to share with the local public health agency, as well as the purpose of the disclosure. The form gives eligible students the option to allow or to not allow this sharing of information. After collecting the signed and dated consent forms, for the students for whom you received consent, you begin to share with the local health agency the names of those students who are showing influenza-like symptoms and the name and location of their dorm rooms. Your purpose in sharing this information is to help the health agency be able to conduct real-time surveillance to prevent the spread of the illness. (See “What Is FERPA?”.)
• Example: Your institution’s TAT includes representatives from your community partners (e.g., law enforcement, public health officials), and you have properly designated them as “school officials with a legitimate educational interest.” (See “Who May Access FERPA-Protected Records?”) The local law enforcement agency representative on your team does not share with his police chief or other local law enforcement officials the PII that he obtains from a student’s education records as a TAT member while working to identify possible threats because he knows that this is not permitted. Several months after the TAT initially convened to review a collection of behaviors and communications concerning a particular student and determined that there was not sufficient information demonstrating that the student posed a threat, the team learns that the student has now communicated his intent to harm one of his professors. At this juncture, the local law enforcement representative (and other members of the TAT) shares pertinent PII from education records with appropriate parties so they can take steps, such as consulting with the municipal police agency, to protect the health or safety of the professor. (See also the discussion of TATs under “Additional Situations with FERPA Considerations”.)
• Example: At the beginning of the fall term, your institution notified eligible students that you had designated students’ names, phone numbers, and e-mail addresses as “directory information,” explaining to them that you would disclose this information upon request to anyone contacting the IHE. In your notice, you provided an option to opt out of this disclosure, and you explained how and by when they could opt out. When a reporter contacts your institution requesting the directory information about a student, you check to see whether the student opted out of the disclosure of directory information. Because the eligible student did not opt out of the IHE’s directory information policy, you decide to provide that directory information to the reporter. (See “Common FERPA Misunderstandings” .)
• Example: Two students have an altercation in their residence hall, and one student is stabbed in the abdomen and falls unconscious. A bystander calls 911 for an ambulance and contacts the resident-life director. When the ambulance arrives, the resident-life director discloses to the EMS practitioner the PII from the student’s education record related to the stabbed student with hemophilia without obtaining the wounded student’s consent under the health or safety emergency exception. (See “The Health or Safety Emergency Exception”.)
• Example: A parent of a student at your institution calls requesting PII from their child’s education records after learning that the student has been disciplined by the institution for underage drinking. Because you know that you may share information without the student’s consent because the student is under 21 and has violated a law concerning the use or possession of alcohol, and there has been a disciplinary finding, you comply with the parent’s request. (See “Who May Access FERPA -Protected Records”.)

What Information Is Not FERPA-Protected, and When May the IHE Share It?

Records that are created and maintained by an IHE’s law enforcement unit for law enforcement purposes are not protected by FERPA, and there are no FERPA restrictions on the sharing of information in law enforcement unit records. (See “What Are ‘Education Records’?” and “Balancing Safety and Privacy”.)

• Example: Your institution contracts with a security company to provide campus security and you properly designate the security officer as your institution’s law enforcement unit. You also properly designate the officer as a “school official with a legitimate educational interest.” (See “Who May Access FERPA-Protected Records”.) The officer knows that he may not redisclose PII from education records to anyone unless there is a health or safety emergency or another FERPA exception to consent applies. However, he shares his law enforcement unit records about a student who was arrested for smoking marijuana on campus with the other law enforcement officials because he knows that law enforcement unit records are not protected by FERPA.

Are Processes and Protocols, Including Memoranda of Understanding (MOUs), in Place for Information Sharing and Record Keeping That Comply With FERPA?

It is important for institutions to consider entering into MOUs with law enforcement officials and their other community partners to formalize roles, responsibilities, and protocols. MOUs can be tailored to the needs of the individual campuses in the jurisdiction. Any policies regarding information sharing between the institution and the law enforcement agency, however, must comply with applicable federal, state, and local laws, including FERPA. While information-sharing MOUs should be developed regarding what information can be shared between departments and what information is protected, no provision in an MOU can override an IHE’s obligations under FERPA.

Frequently Asked Questions Pertaining to FERPA

Q: To what entities does FERPA apply?

A: FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, and most private and public postsecondary institutions, including medical and other professional institutions.

Q: Does an interagency agreement with partners such as the state or local health department enable an institution to non-consensually disclose education records?

A: No. Interagency agreements do not supersede the consent requirements under FERPA. Although an interagency agreement would be a helpful tool for planning purposes, institutions must comply with FERPA’s requirements regarding the disclosure of PII from students’ education records.

Q: Under the health and safety emergency exception, may an IHE non-consensually disclose PII from education records to the media?

A: No. You generally may not disclose FERPA-protected information to the media, unless the PII disclosed is directory information on eligible students who have not opted out. While the media play a role in alerting the community of a health epidemic or violent incident, they do not generally have a role in protecting the health or safety of individual students or others at the institution.

Q: When would the health or safety exception apply?

A: Under FERPA, an emergency means a situation in which there is an articulable and significant threat to the health or safety of students or other individuals. This determination must be made by the institution.

Q: Do I need to tell eligible students or otherwise document when I have disclosed information from their education records without consent under a health or safety emergency or other exception?

A: When an educational agency or institution makes a disclosure under this exception, an institution must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure, and the parties to whom the information was disclosed. Eligible students have a right to inspect and review the record of disclosure but do not need to be proactively informed that records have been disclosed.

Q: Can members of our TAT have access to student education records?

A: School officials with legitimate educational interests may have access to a student’s education records. Members of a TAT who are not an institution’s employees may be designated as such if they are under the direct control of the institution with respect to the maintenance and use of PII from education records; are subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII from education records; and otherwise meet the IHE’s criteria for being school officials with legitimate educational interests.

Members of a TAT who are considered school officials with a legitimate educational interest generally cannot non-consensually redisclose PII from a student’s education records to which he or she was privy as part of the team. However, if a TAT determines that a health or safety emergency exists, as defined under FERPA, members may non-consensually redisclose PII from a student’s education records on behalf of the institution to appropriate officials under the health or safety emergency exception.

For example, a representative from the city police force who serves on an IHE’s TAT generally could not redisclose, without consent, PII from the student’s education records to the city police during the initial discussions about a particular student. However, once the TAT determines that a health or safety emergency exists, as defined under FERPA, the representative may redisclose, without consent, PII from a student’s education records on behalf of the institution to appropriate officials. (See the discussion under “Additional Situations with FERPA Considerations”.)

Q: How does FERPA interact with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

A: The U.S. Department of Education and the U.S. Department of Health and Human Services (HHS) jointly developed guidance on the application of FERPA and HIPAA. This guidance explains that records that are protected by FERPA are exempt from the HIPAA Privacy Rule. Accordingly, school officials must follow the requirements of FERPA with regard to the disclosure of records protected by FERPA. For more information, please see the guidance at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/2019 HIPAA FERPA Joint Guidance 508.pdf.

Q: What are some of the other federal and states laws that are relevant to the access and sharing of information about students that relate to emergency management planning?

A: IHEs may also be subject to federal and state civil rights laws that protect the disclosure of information about students. IHEs and their community partners should review guidance from the U.S. Departments of Education and Justice on any applicable civil rights or other statutes governing privacy and information sharing, and discuss their implications for emergency management and related planning processes. At a minimum, in determining what constitutes an “emergency,” IHEs and their community partners must base their decisions on actual risks and not on assumptions, stereotypes, fears, or myths about people with disabilities (including mental health-related disabilities) or people of a particular race, color, ethnicity, national origin, religion, sex, sexual identity, or gender identification.^16,17

Q: Whom should I contact for more information related to FERPA?

A: The U.S. Department of Education’s Student Privacy Policy Office is available to respond to any questions about FERPA. For quick responses to routine questions, please submit a question using the following form https://studentprivacy.ed.gov/contact. For more in-depth technical assistance or a more formal response, you may call the Student Privacy Policy Office at 1-855-249-3072 or write to them at

Student Privacy Policy Office
U.S. Department of Education
400 Maryland Avenue SW
Washington, DC 20202-8520

In addition, please see the U.S. Department of Education’s website at https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html for the most recent guidance.

FERPA Guidance and Resources

The Student Privacy Policy Office (SPPO) at the U. S. Department of Education administers FERPA. SPPO has developed, and continues to develop, extensive guidance pertaining to the implementation of FERPA and emergency situations. For more detailed information or additional guidance, please see the SPPO website at https://studentprivacy.ed.gov/. In addition, please see the Navigating Information Sharing Toolkit, developed by the National Center for Mental Health Promotion and Youth Violence Prevention, at http://sshs.promoteprevent.org/nis