The Ultimate Education Compliance Checklist for Data Archiving in 2021
For compliance officers and teaching staff in K12 and higher education institutions in the US
Chapter 1. FERPA
FERPA Regulations Summary
In this chapter, you will find a list of FERPA compliance requirements, followed by some commonly asked questions about this law and some real-life examples that will help you determine how compliant you are with this Act and what areas of information governance you need to improve.
FERPA Compliance Checklist
Why is FERPA important?
FERPA is important because it protects the privacy of education information and records. In a nutshell, FERPA guards the safety of students’ personal information, and governs access to this information by third parties. FERPA gives parents and students older than 18 the right to inspect and review their personal records, which helps maintain accuracy and protect the privacy and integrity of students.
Who does FERPA apply to?
FERPA applies to educational institutions and agencies that are funded under a program managed by the US Department of Education. In most cases, this includes public K12 and higher education institutions.
This means that private schools and higher education institutions are generally not covered by FERPA, as they don’t receive funding from the Department of Education.
What information is protected by FERPA?
FERPA protects personal information of students, including their contact information, data on academic achievements, health information and more.
What is an education record under FERPA?
Under FERPA, education records include information which public, private, and parochial schools have on their former and current students.
These records include data such as
When do FERPA rights begin?
Students can exercise their FERPA rights once they turn 18 or enter a postsecondary institution (regardless of age). Once this happens, you can disclose a student’s records to their parents only with prior consent from the student.
Who is eligible to look at a student’s records?
A student older than 18, as well as parents/foster parents/legal guardians of a student can look at the student’s records.
However, no student or parent can request to look at the records or parts of records that include personal information of another student.
What information can schools release without consent?
As a school/higher education institution, you have the right to release information without a student’s consent, in case you receive a request from a State education office or when you need to follow a court order.
What happens if a school violates FERPA?
In case you or your school/college violate FERPA requirements, by, for example, disclosing a student’s records without proper consent, you can lose funding and be fined. This depends on the extent of the violation.
Under a 2002 Supreme Court decision, parents or students can file a lawsuit against you only in line with a state law, not federal law.
Hence, it’s best you consider the consequences of FERPA violation by consulting the relevant laws of your state or with your solicitor.
Of course, acting as an institution, you have the right to ask for the employees who have violated FERPA requirements to be removed from their jobs.
FERPA Violation Examples
As a general rule, the key FERPA principle is protecting information that can help identify a person.
Here are some instances that could technically be understood to mean that you have violated FERPA rules:
Chapter 2. FOIA
FOIA Compliance Checklist
*This deadline can vary between school districts and states, so it’s best you always check with the relevant agency in your state first.
FOIA vs FERPA
Under FOIA, schools and colleges might be asked to provide information of public interest.
In most cases, these requests will cover information that is not personal information about an individual, unlike student records.
When deciding on whether a FOIA request you have received is a valid request, check for the following:
What this means in practice
In practice, student records are treated as personal information.
In cases where you receive a FOIA request to disclose a student’s personal information, FERPA would supersede FOIA, and hence you would not be required to publish this information.
Chapter 3. HIPAA
HIPAA in Schools
However, more and more school campuses offer healthcare services to both students and non-students.
This means that K12 and postsecondary institutions now need to take notice of HIPAA requirements as well.
So let’s untangle the intersections of HIPAA and FERPA and see which law you need to follow in which case.
HIPAA vs FERPA
Does HIPAA apply to schools?
In most cases, HIPAA doesn’t apply to schools.
The reason is that information, including even students’ medical records, is treated as education records, and is thus subject to FERPA, not HIPAA.
The HIPAA Privacy Rule, which protects individuals’ health records and other identifiable health information and which regulates their disclosure, covers protected healthcare information (PHI).
However, in a school setting, most of the medical and treatment information that would otherwise be considered to fall under HIPAA is in fact treated as part of FERPA’s education records.
Hence, the HIPAA Privacy Rule won’t apply.
Does HIPAA apply to colleges?
As a rule of thumb, in the majority of cases, HIPAA doesn’t apply to colleges.
The reason is that under HIPAA, most colleges are not considered covered entities, even in cases when they employ medical staff.
The HIPAA Privacy Rule excludes from its coverage the records protected by FERPA.
As most records held by a postsecondary institution are covered by FERPA, it follows that in the majority of cases FERPA compliance requirements supersede the HIPAA Privacy Rule.
In addition, even if an educational institution is covered by HIPAA, student health information is treated as education records, and is thus subject to FERPA rules.
In these cases, you should refer to the FERPA compliance checklist above.
HIPAA vs FERPA Examples
So let’s look at an example to see how you can decide whether you should act in line with HIPAA or FERPA.
- Let’s say you work at a college. One of the students has an STD and is treated on campus, at a clinic where you treat both students and the general public.
That student’s records will be covered by FERPA and in case that student requests the disclosure of the data, you are required to disclose the data.
In case the student’s parents request the information, FERPA applies again, which means you first need to receive the student’s consent on the disclosure.
- On the other hand, another person might be treated at the clinic. In that case, you will be required to abide by the HIPAA Privacy Rule, as the records of that person wouldn’t be covered as FERPA education records.
- A nurse working on a campus, but not employed by the school, provides immunization to students on campus. In this case, the records created by the nurse won’t be protected as FERPA education records. Instead, they will be subject to HIPAA.
HIPAA Compliance Checklist
Chapter 4. GLBA Compliance Requirements
In the context of education, GLBA applies only to higher education institutions.
It monitors and regulates how higher education institutions collect, store, and use student financial records.
These records include information such as tuition payments, financial aid, or any other financial records that contain personally identifiable information.
A key part of GLBA in higher education is the so-called Safeguards Rule, which aims to protect the privacy of students.
GLBA Compliance Checklist
To ensure full compliance with the GLBA Safeguards Rule, you need to:
Chapter 5. Education Compliance Software Requirements
All this information is produced in a variety of formats.
On average, you need to be able to capture, monitor and store email, images, voice messages, text messages and much more.
This can be a daunting task, especially if your organization has a large number of employees and students.
Before you start looking for education compliance software, however, you should understand the needs and obligations that your archiving system needs to support.
Without understanding what you need to archive and preserve, no software will be a good match, as you won’t know how to implement it to its full potential. You might also miss some of the essential information that you’re required to retain.
So, here are the crucial functionalities your data management system should have, alongside the benefits each of these functionalities provides.