The Family Rights and Privacy Act: 7 Myths — and the Truth

An extraordinary amount of the national discussion since the shootings at Virginia Tech a year ago has focused on the role that the Family Educational Rights and Privacy Act, or Ferpa, the federal statute governing the privacy of student records, played in that tragedy. What that discussion has revealed most notably is that, although colleges have been subject to Ferpa for more than 30 years, and although few if any statutes have such wide-reaching, everyday application on our campuses, most of us still don’t know much about it. In a way, Ferpa is the Rodney Dangerfield of statutes: While there is a great deal to it, it just doesn’t get much respect.

In an effort to bring about greater clarity, the Family Policy Compliance Office, the office within the Education Department that oversees and enforces Ferpa, recently proposed the first major amendments to the regulations since 2000. For the most part, those amendments would simply codify and reinforce existing guidance. In a few circumstances, they would actually expand our already considerable discretion to disclose student records and information. But even those amendments will do no good unless we begin to pay attention to Ferpa and dispel a number of all-too-common myths about it that continue to get in the way of our doing the right thing for our students. Those myths include:

1. Ferpa applies to all information about our students. In fact, Ferpa governs the disclosure only of “records” and information from “records,” not information generally. Personal knowledge is not subject to Ferpa, and its disclosure is therefore not prohibited by Ferpa — even if it also happens to be recorded.

Thus, for example, a professor who observes a student behaving oddly in a classroom, a resident assistant who notices a disturbing change in a student’s temperament, or an adviser who sees a student become increasingly withdrawn and uncommunicative is free, as far as Ferpa is concerned, to raise the concern with others — and should do so. We do neither the student nor ourselves a favor if we don’t try to reach out and deal with such situations when we still have the opportunity.

Ordinarily, if circumstances allow, it is preferable to raise such concerns first with those trained to evaluate and deal with them, such as campus mental-health professionals, campus police, or appropriate student-affairs officials. When the situation appears to be urgent, however, it is both appropriate and permissible to disclose the concern as broadly as seems necessary.

2. Ferpa makes it virtually impossible to disclose anything to anyone. The statute does apply broadly to almost all recorded student information in our possession, but, even so, it still offers us considerable leeway.

First, it exempts entirely from its coverage several categories of records, including, most significantly, “law-enforcement records.” Records that are created by a campus’s law-enforcement unit — be it commissioned police or noncommissioned security — at least in part for law-enforcement purposes and that are maintained by that unit may, under Ferpa, be freely shared with anyone for any reason. It makes no difference whether the creation of those records was also motivated by internal disciplinary or other reasons or whether they are shared with others on the campus for their own use. The copies of any such records that are shared with other offices do become subject to Ferpa, but the originals in the law-enforcement unit’s possession remain entirely free of Ferpa’s restrictions.

In addition, Ferpa offers no fewer than 15 exceptions to its general prohibition on the disclosure of student records and the information they contain (see list on following page), and a 16th exception has been proposed.

Finally, Ferpa also allows us to disclose records that have been thoroughly “anonymized,” or scrubbed of personally identifiable information, and we are always free to disclose any student record with the student’s consent.

At the same time, Ferpa also never compels us to use any of that leeway. Rather, it gives us discretion to do so under the specified circumstances if we deem it appropriate — and therefore requires us to make a decision, a situation that can lead to paralysis. But if we choose not to disclose student information when we would be permitted to do so, whether for legitimate policy reasons or by default, we should not use Ferpa as an excuse and thereby perpetuate this unfortunate and potentially harmful myth.

3. Ferpa prohibits us from sharing any student information with parents unless students specifically consent. As useful as such a “rule” might be in this age of attack-helicopter parents, and while we are free to adopt it as a policy matter if we so wish, we are not compelled to do so by the statute. Primary control over a student’s records does shift from the parents to the student when the student enrolls in college, even if the student is still a minor, but primary control is not the same as total control. Institutions can disclose student information to parents under any number of circumstances.

Among the circumstances:

• If either parent claims the student as a federal tax dependent, the institution may, with confirmation of that status, disclose any and all information it has about the student to both parents, regardless of the student’s age or whether there is an emergency.

• If the student is under 21, the institution may inform the student’s parents of any violations of its alcohol or drug policies, regardless of whether the student is a tax dependent or whether there is an emergency.

• If the institution reasonably believes that there is a health or safety emergency involving the student, the institution may alert the student’s parents and seek their assistance, regardless of the student’s age or whether the student is a tax dependent.

Moreover, we can make such disclosures even if the student has asked us not to. Ferpa doesn’t give students a veto over any of the permitted disclosures except the one for “directory information.”

4. We can’t rely on the “health or safety emergency” exception if there’s any uncertainty at all about whether we’re facing imminent catastrophe. The many reviews and reports after Virginia Tech found the greatest confusion about, and resulting fear of, the Ferpa exception for disclosures to “appropriate persons” in connection with an “emergency” involving the “health or safety of the student or other persons.” Much of that confusion and fear, it seems, can be traced to the regulation’s statement that each of those terms must be “strictly construed.” Additional guidance, intended to head off backlash against foreign students after September 11, 2001, indicates that the “danger” used to justify invocation of the exception must be both “serious” and “imminent.”

To be sure, Ferpa is a privacy statute, and we certainly must acknowledge our students’ legitimate interest in maintaining their privacy, but Ferpa does not make that interest an absolute, unassailable priority. Nor does Ferpa require that the situation at hand be a “red level” crisis, that only the intended disclosure will avert it, and that we be absolutely sure of both those conditions before proceeding.

Rather, Ferpa recognizes that decisions about when emergency disclosure is needed and what disclosure is appropriate must often be made in the heat of the moment, before all of the facts are, or could possibly be, known. In other guidance, the Family Policy Compliance Office has expressly stated that it will not fault good-faith decisions in that regard even if they turn out, in hindsight, to have been wrong: “This office will not substitute its judgment for what constitutes a true threat or emergency unless the determination appears manifestly unreasonable or irrational.”

The reality, then, is that there is little to worry about when relying on the health-or-safety-emergency exception. But to make that point even clearer, the compliance office has just proposed to amend the regulation by eliminating the “strictly construed” provision and replacing it with a codification of its previous guidance. Those changes, the compliance office states, are intended to underscore that colleges have far “greater flexibility and deference” than we may have realized to “bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals.” We should not hesitate to take advantage of that flexibility and deference when it reasonably appears to be in the best interest of our students and institution that we do so.

5. Both Ferpa and Hipaa, the Health Insurance Portability and Accountability Act, prohibit the disclosure of student medical records to anyone. Ferpa’s handling of student medical records and its “Alphonse and Gaston” interplay with Hipaa are, without question, counterintuitive and difficult to understand at first look. To begin, Hipaa expressly excludes from the coverage of its privacy provisions any records that are subject to Ferpa. Ferpa in turn provides that “treatment records” — records created by medical professionals in the course of treating a student — are not subject to Ferpa. Back to Hipaa, which nevertheless excludes “treatment records” as well.

But there’s a hitch: Such records are exempt from Ferpa’s restrictions only as long as they are not shared with anyone other than those involved in providing the treatment. To the extent they are shared with anyone else, they are subject to the same disclosure restrictions under Ferpa as any other student records. (Other medically related student records that do not involve “treatment,” such as disability-accommodation records or immunization verifications, are always subject to Ferpa and its general restrictions, and not to Hipaa.)

The reason for that convoluted, backhanded definition is not that Congress wanted student medical records to go wholly unprotected, but, rather, that it didn’t want them to be subject to students’ near-absolute right under Ferpa to “inspect and review” their own records. As long as such records remain in this Ferpa-Hipaa limbo, they are subject instead only to the typically more-limited state rules concerning when patients may access their own medical records.

The net result is that medically related student records — whether “treatment” records or not — are never subject to Hipaa’s privacy provisions, are always (really) subject to Ferpa, and are, for all practical purposes, treated no differently under Ferpa than any other student records.

Campus medical professionals continue to be bound as well by whatever limits are imposed upon them by applicable state medical-confidentiality laws, but even those laws generally allow consultation with other medical professionals involved in treating the student, whether on or off the campus, and appropriate disclosures when deemed necessary to avert a serious threat to the health or safety of the student or others. Moreover, others on the campus who may have access to medically related student records generally are not subject to such state laws. They remain free to disclose those records to other college officials with a job-related need to know, in response to a health or safety emergency, to parents of a dependent student, in compliance with a subpoena, or in any of the other ways that Ferpa allows student records to be disclosed.

6. The consequences of violating Ferpa are devastating, so the safest course is to disclose nothing. It is true that withholding student information is, almost always, “safe,” at least as far as Ferpa is concerned. At the college level, the only person who ever has a legally enforceable right under Ferpa to know what is in a student’s records is the student. All of the exceptions that permit broader disclosure are entirely discretionary, so there is no legal consequence under Ferpa in choosing not to disclose.

Disclosing student-record information is, however, almost equally safe as far as Ferpa is concerned. In the 2002 case Gonzaga University v. Doe, the U.S. Supreme Court held that there is no private right of action under Ferpa. As a result, we cannot be sued by aggrieved students or others even if we stray over the line of permissible disclosure. Their only recourse is to file a complaint with the Family Policy Compliance Office.

Moreover, while the enforcement tools in that office’s arsenal are theoretically severe — potentially including the termination of federal support — Ferpa imposes no penalty whatever for making a single, honest mistake. Rather, it reserves its consequences only for institutions that have a “policy or practice” of violating its provisions. Even then sanctions may be imposed “only if … compliance cannot be secured by voluntary means” — in other words, only if an institution engages in repeated, intentional violations. In the 34 years since Ferpa’s enactment, the compliance office has reviewed hundreds of complaints, and has found numerous violations, but has never once terminated even a single penny of federal money.

Nevertheless, Ferpa’s “nuclear option” is frequently cited to limit or deny disclosure of student information, usually out of unwarranted fear of liability — and occasionally in an effort to cut off an opponent’s policy argument in favor of disclosure. Instead of fretting about that extraordinarily remote threat, we should focus our discussions and decisions about disclosure on what is best for our students, secure in the knowledge that Ferpa gives us considerable room to do so.

7. Ferpa is seriously broken and needs to be fixed. That is perhaps the biggest myth of all. There is no question that Ferpa can be frustrating and even paralyzing. Its numerous provisions can be confusing, simply by virtue of their sheer quantity. They occasionally seem to point to conflicting conclusions. All too often they appear to be nothing more than micromanaging.

And yet Ferpa is actually quite flexible and forgiving. Only rarely does it restrict us from communicating about our students when we need to do so, and hardly ever does it compel communication about our students. It gives us considerable discretion to do what we, in our best judgment, think should be done. The consequences Ferpa imposes for good-faith mistakes are, in reality, little more than a gentle admonishment to learn from those mistakes and do better next time.

The real problem with Ferpa is that its flexibility is not well or widely understood. But if that is the problem, making Ferpa even more complex, by grafting ever-more-detailed exceptions — and exceptions to exceptions — onto it, is unlikely to help. While no doubt well intentioned, the many calls and proposals for major substantive revisions to Ferpa in the aftermath of Virginia Tech would, if adopted, probably yield only more confusion — and more paralysis — rather than clarity and better decision making.

Instead of trying to “fix” Ferpa, we should give it the respect it is due by learning what it actually provides, rather than relying on the myths we’ve heard about it. There is nothing to fear in Ferpa itself.

Steven J. McDonald is general counsel at the Rhode Island School of Design.

http://chronicle.com Section: Commentary Volume 54, Issue 32, Page A53