Add ‘Knowing Your Rights Regarding Health and Education Records’ to Your College Prep Checklist

By Carolyn Wimbly Martin and Sara Etemad-Moghadam

As your child embarks on their college journey, it is essential to have conversations that go beyond choosing matching towels and bed sheets for their dorm room. Most students and their parents are unaware of the Family Educational Rights and Privacy Act (“FERPA”). This Act safeguards student education records and regulates the sharing of personal information. Often unknown to even the most involved parents, it also provides that once a student turns 18 or attends a postsecondary institution, all rights under FERPA transfer to the student, and parents can no longer access records without the student’s permission. This can mean the difference between parents being advised of developing problems before they become major issues, or worse, being helpless to act in their child’s best interest in an emergency.

With the exhilarating transition from high school to college, concerns about privacy and parental rights often take the backseat to other priorities. Moreover, many students may be hesitant to share certain aspects of their college life with their parents, whether they desire to be independent or have something to hide, like drug or alcohol violations or academic offenses like cheating or plagiarism. Focusing on the educational institution’s FERPA policy before a health, academic or financial issue arises is crucial, as each institution may have different guidelines for information disclosure.

Unfortunately, these FERPA notices are difficult to find and often go unread, leading to a lack of awareness by parents and students, hereinafter referred to as “responsible parties,” about their rights. To establish privacy expectations, parents should have open discussions with their children on health issues, grades, alcohol and drug use, financial and other personal matters. After these conversations, students may be more inclined to share with their parents relevant information already available to their educational institutions. If the responsible parties agree, the student can sign a written form consenting to share any or all education records with their parents. By understanding the scope of their rights granted by FERPA, students gain awareness of their privacy rights and control over disclosure of their education records. Parents are also more likely to have the relevant information to provide support regarding their child’s academic, physical and mental well-being when necessary. This is a process, and it does not happen overnight on the child’s 18th birthday.

Application of FERPA

FERPA protects education records at all levels, encompassing both K-12 and postsecondary education. These records include academic, disciplinary and financial records pertaining to the student. Certain records are excluded from the definition of “education records” under FERPA, such as campus police records, employment records, certain treatment or health records, applicant or alumni records and grades on peer-graded papers. There are situations, however, where health-related records are considered education records. If a person or entity is acting on behalf of an educational institution subject to FERPA, like a K-12 school nurse or a campus health clinic that provide services or maintain student health records, these are considered education and health records.

FERPA allows academic institutions to disclose information from a student’s educational record, without consent, to school officials with legitimate educational interests, other educational institutions to which a student is transferring, specified officials for audit or evaluation purposes, appropriate parties in connection with financial aid to a student, organizations conducting research on behalf of the educational institution, accrediting organizations, health and safety officials in cases of emergency, state and local authorities and in response to a judicial order or subpoena. The Department of Education (“Dept. of Ed.”) provides a non-exhaustive list of exceptions to FERPA’s general consent requirement, one of which is records connected with financial aid which the student has applied for or received. Records such as student aid eligibility records, federal work-study payroll records, Satisfactory Academic Progress documentation and financial records are education records under FERPA and may not be disclosed without the responsible party’s permission.

How Student Privacy Rights Change in College Under FERPA

An educational institution must annually notify the responsible party of their rights under FERPA, such as the right to review education records, correct inaccurate records, consent to disclosure of the student’s personally identifiable information (“PII”), and file a complaint regarding a school’s failure to comply with FERPA by any means that is reasonably likely to disseminate this information. However, an educational institution is not required to notify responsible parties individually, and instead can choose to publish the notice in an activities calendar, newsletter, student handbook or on their website. Meeting this minimum legal requirement is essentially inadequate notice resulting in otherwise avoidable negative consequences for the student and their families. Research conducted by the World Privacy Forum (“WPF”) found that most FERPA notices were difficult and time-consuming to find. The inadequacy of FERPA notices includes missing policies, terms in “legalese” that are difficult for responsible parties to follow and missing or broken links to FERPA forms. In their FERPA notifications, colleges and universities often don’t include information on parental rights, instead leaving it to the parents or the student to engage in the unnecessarily challenging process of finding the educational institution’s policy buried in their website. Thus, parents are often left out in the cold when that is not the intention of the families.

Unlike Parents, Third-Party Service Providers Have Considerable Access to Student Records

While parents may be uninformed regarding their rights and those of their child, ironically, educational institutions regularly share student information with third-party service providers, such as student information systems, instructional improvement systems, online education programs, web-based and mobile applications and assessment systems to track learning progress.

Under FERPA, an educational institution generally may not disclose PII from a student’s education records to a third party unless the responsible party has provided written consent. However, an exception is carved out for third-party service providers who are considered “school officials” if the service performs an institutional service or function for which the educational institution would otherwise use their own employees. For example, websites that enable students to complete homework and tests, like Canvas or Blackboard, or the websites of textbook publishers fall within the scope of FERPA.

The Dept. of Ed. has issued guidance on FERPA’s requirement as it relates to the terms of service of education technology service providers. The guidance resulted from a 2015 complaint filed with the Dept. of Ed. by a parent who was forced to agree to terms of use set by a third-party service provider called K12 Virtual Schools in order to enroll her daughter at a public charter school in Pennsylvania. These terms would have granted the company “and its affiliates and licensees” free reign to “use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the content in any form, anywhere and for any purpose.” The Dept. of Ed. found that making consent a condition to enrollment in an educational institution was a violation of FERPA. However, they determined that the school did not violate FERPA’s “school official exception” referenced above, which enables schools to disclose personal information from student records to third parties without consent from parents as long as the school keeps “direct control” over the use and maintenance of the information and the outside entity only uses the data for the purposes for which the school disclosed it. The Dept. of Ed. determined only that the way the school handled student information “could have been more effective.” As a result their response was limited to recommending the school follow best practice guidelines going forward in its dealings with third parties. These guidelines cover what information is protected, requirements if PII from student education records is disclosed, limitations on what providers can do with student information collected or received and other best practices for online entities to comply with FERPA and protect student privacy.

What Constitutes Consent Under FERPA

FERPA requires that consent for disclosure of education records be signed and dated, specify the records that may be disclosed, state the purpose of the disclosure and identify the party or class of parties to whom the disclosure may be made. Oral consent for disclosure of information from education records would not meet FERPA’s consent requirements.

Protecting Student’s Information from Commercial Entities

Additionally, FERPA does not prohibit educational institutions from selling student directory information to commercial entities. “Directory information” is information contained in a student’s education records that usually includes the student’s name, address, telephone number, date and place of birth, participation in officially recognized activities and sports and date of attendance. An educational institution may disclose directory information to third parties without the responsible party’s consent if it has given notice about the designated information, the right to restrict its disclosure and a deadline for written notifications.

FERPA grants educational institutions the flexibility to adopt their own directory information policies, but they must specify the individual, group or entities who may receive the information and for what purposes. In the WPF study referenced above, which involved more than 5,000 educational institutions, only 39.7% of primary and secondary schools and 60% of postsecondary schools posted a FERPA opt out form online available to the public. Most primary and secondary schools typically offer one to two months for parents to opt out, while most postsecondary institutions offer FERPA opt outs all year. To opt out, the responsible party should request that the educational institution provide their directory information policy. If the educational institution does not have an opt out form, the Parent Coalition for Student Privacy provides a model directory information opt out form for K-12 parents.

Parents’ Power Of Attorney and HIPAA

An additional item on a To Do list for parents when their child turns 18 is to have the child execute a Power of Attorney (POA). (Note that the POA provides additional protection, but it is not a replacement for a signed FERPA release on file with the educational institution.) Without a signed POA, under privacy laws, parents will not have access to medical records or be able to make critical medical or financial decisions in the event of an emergency, even if their child is covered by the parents’ medical insurance. The POA specifically needs to include a Health Insurance Portability and Accountability Act (“HIPAA”) clause that covers protected health information.


Taking the time to become familiar with the FERPA release and the educational institution’s related policies, as well as having a POA in place, before the unthinkable emergency happens acknowledges the priorities of both parents and students. It can also foster open communication and set the tone for a supportive and successful parent-child relationship throughout a young adult’s college experience and beyond. Lutzker & Lutzker is available to parents and officials of educational institutions to provide guidance on compliance with youth privacy laws.