How do schools draw the line between protecting student privacy and informing the community about the spread of COVID-19? When it comes to transparency, many believe schools are not doing enough to prevent spread in the classroom by informing students and parents when a classmate, teacher or other employee tests positive for COVID-19. In response, schools are suggesting that their hands are tied by restrictive federal privacy laws that prevent the disclosure of student information.

In a way, both sides are correct. While it is true that federal privacy statutes, namely the Federal Educational Rights and Privacy Act (FERPA), protect student records and health information, the Department of Education (DOE) has eased FERPA’s mandate to allow the dissemination of vital COVID-19 information. However, beyond a policy statement released in March (see below), DOE has provided meager guidance for the application of FERPA during the pandemic, generating valid concern among school administrators over the protection of student medical data.

Amidst all the confusion, it is paramount that parents, faculty and the community at large understand that circulating COVID-19 information and safeguarding student privacy are in fact compatible.

I. The federal laws in play

Student health information is protected by either or both of two federal laws: the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Educational Rights and Privacy Act (FERPA). The federal government has provided scant guidance as to the application of these statutes amidst the pandemic, leaving states and their academic institutions to determine their own health privacy policies. Throughout the nation, school districts and universities have been widely inconsistent in their approach to notifying the public of COVID-19 cases in the classroom and managing student health information. Before examining some of these approaches, it is important to understand what exactly is protected under HIPAA and FERPA. For more general information on FERPA, see our Frequently Asked Questions.

As a starting point, it is important to keep in mind that FERPA only applies to student records and should not be invoked to withhold access to COVID-19 information about faculty or other non-students. As DOE wrote in March, “Nothing in FERPA prevents schools from telling parents and students that a specific teacher or other school official has COVID-19,” although “there may be State laws that apply in these situations.”

HIPAA, enacted in 1996, created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the standards of the Act. The Privacy Rule applies to all healthcare plans and providers who conduct certain financial and administrative transactions electronically.

FERPA protects the privacy of student education records and applies to all educational agencies and institutions that receive funds under any program administered by the Secretary of Education. Notably, private schools at the elementary and secondary level do not generally receive federal funding and are, therefore, not subject to FERPA. Under FERPA, an institution must secure the written consent of a parent or an “eligible student” before disclosing a student’s personally identifiable information (PII). PII is any information that may reasonably reveal the identity of the individual, such as name, age, home address, race, or other such descriptors. An “eligible student” is age 18 or above or enrolled at an institution at a level beyond high school.

Within the context of medical information, the operative term is “education records.” Although HIPAA protects patient privacy, the majority of academic institutions maintain student medical information only within records that are by definition “education records” under FERPA. HHS has explicitly stated that these records are not subject to the HIPAA Privacy Rule.

With FERPA as the guiding regulation, schools have more freedom to share student medical information, particularly with regard to confirmed COVID-19 cases. The March DOE guidance clearly allows, in certain circumstances, the disclosure of information about COVID-19 cases to other students and parents without consent as long as the disclosure does not include PII. FERPA also carves out an exception to the consent requirement in the event of a health or safety emergency, although schools have the discretion to determine on a case-by-case basis whether an emergency indeed exists. Considering that HSS declared COVID-19 a national emergency as early as March, a school’s refusal to consider a positive test result an emergency has understandably caused tension between parents and administrators.

Regardless of DOE’s COVID-19 guidance and the several FERPA exceptions, school districts and universities continue to cite FERPA, and in some cases HIPAA, to withhold vital information concerning the spread of the disease. For example, some universities have questionably relied on HIPAA and FERPA to prohibit faculty from sharing any news of COVID-19 cases to students, fellow faculty or the community.

However, these decisions may be more nuanced than they appear. The lack of a clear federal mandate concerning COVID-19 protocol has left administrators questioning the legality of sharing certain health information. As privacy law experts suggest, overcompliance with FERPA is often a legally safer alternative to sharing private information.

With this legal framework in mind, let’s examine how schools across the country are balancing the need to disclose health information to slow community spread with protecting the privacy interests of their students and faculty.

II. Over-enforcement is the name of the game

Over-enforcing student privacy appears to be the trend among many of the nation’s school districts and universities. It may be the case that only those institutions with the least transparent policies have warranted national news coverage, but it is unfortunately true that many schools dealing with COVID-19 outbreaks simply are not conveying necessary information to the community.

Whether the decisions to withhold vital data are motivated by fear of legal repercussions, a sincere desire to protect student privacy or other concerns such as reputational damage is unclear, but what is clear is that administrators have cited a litany of different, and often misinterpreted, rationales to support an embargo on COVID-19 information.

In late August, the University of Alabama made headlines when reporters uncovered that the administration did not inform students or professors about students who tested positive and that the faculty had been instructed to remain quiet about students known to test positive. At first, the university cited HIPAA for its policy, but later changed to FERPA once news had spread. As mentioned above, HIPAA would not apply to student medical information, and DOE’s FERPA guidance eased the privacy restrictions during the pandemic. The University of Alabama has since responded to these claims, stating that the reports are “misinformed.” Issues concerning a lack of transparency have cropped up in universities across the country at schools such as Boston University and the University of Georgia.

Similarly, parents are concerned about a lack of transparency at K-12 schools. Due to the lack of federal and, in many cases state-level, guidance on implementing privacy law, school districts vary widely in COVID-19 transparency. In Idaho, for example, “[s]ome notify the public of each case in each school, while others only provide that information at the district level. Others don't track COVID-19 cases at all, instead relying on the local health department to do it.” Such inconsistency can be seen nationwide and has caused much uncertainty for parents and educators.

While some of these policies come at the district level, others are coming from the state. Tennessee, for example, will not report the number of school-linked COVID-19 cases, according to state officials. The state, like school administrators, cites privacy concerns and suggests that federal privacy law is preventing more robust communication.

III. Recommendations

School administrators and state policymakers are rightfully concerned about violating federal privacy statutes and very well may not understand the rules at play. Those concerned about the lack of transparency, especially parents and educators, should inform themselves about these privacy laws and should advocate for an increase in the availability of information about COVID-19 spread in schools.

One approach worth pursuing is to verify that the school’s privacy policies and related public statements are fully consistent with federal privacy statutes. Administrators should not be allowed to rely on HIPAA in situations where FERPA should guide privacy policy. Further, school policies need to consider the FERPA exceptions set forth in DOE’s March guidance.

Even if you are satisfied with the school’s rationale for withholding certain private information, ensure that the school is releasing all possible pandemic-related information that does not personally identify students. Statistical reports on testing, infections and quarantine will often fall under this category. If a school is withholding all COVID-19-related information, it is likely over-enforcing privacy law.

As mentioned above, FERPA restrictions do not apply to faculty and other non-students. Parents should be wary of schools relying on FERPA to withhold COVID-19 information concerning teachers, staff and other employees. When in doubt, ask the school whether any employees have tested positive and monitor the response. Finally, at a bare minimum, parents of “eligible students” should seek access to their own child’s personal medical information. FERPA requires that students over the age of 18 or who attend a university sign a waiver allowing the university to release medical information to parents. Without this waiver, a university is under no obligation to inform parents if their child tests positive for COVID-19.