FERPA & HIPAA Compliance
FERPA — Family Educational Rights and Privacy Act: The primary purpose of FERPA is generally directed at protecting identifiable student information as it pertains to a child’s education. However, the language is such that it encompasses all school records including records in the clinic.
Data: The technology-based Conexus Visiocheck program involves the uploading of a PDF report of a student’s vision screening result which includes the student’s first and last names and date of birth. The upload occurs through either:
- the use of Microsoft Office 365, a professional file exchange and data storage entity which certifies that data is sent securely and in compliance with legal regulations regarding the privacy and security of confidential information. Office 365 provides highly secure password protection, granular folder-level permissions, and file transmission with SSL encryption.
- the use of ShareFile, an alternative but equally secure file exchange. ShareFile certifies site and file security as noted here.
Information regarding the storage and sharing of results electronically is provided in the results shipment, and access is limited only to those granted access through tiered security.
Is the shared data from the screening FERPA compliant? The following language demonstrates that the “sharing” of the screening record would be an exception under FERPA. Conexus, through a signed MOU and/or any other partner consent documents required by the participating Department of Health or Education, would be considered a Contractor, Volunteer, or Other Party Outsourced.
“Under FERPA, a school may not generally disclose personally identifiable information from an eligible student’s education records to a third party unless the eligible student has provided written consent. However, there are a number of exceptions to FERPA’s prohibition against non-consensual disclosure of personally identifiable information from education records. Under these exceptions, schools are permitted to disclose personally identifiable information from education records without consent, though they are not required to do so. Following is general information regarding some of these exceptions.
One of the exceptions to the prior written consent requirement in FERPA allows “school officials,” including teachers, within a school to obtain access to personally identifiable information contained in education records provided the school has determined that they have “legitimate educational interest” in the information. Although the term “school official” is not defined in the statute or regulations, this office generally interprets the term to include parties such as: professors; instructors; administrators; health staff; counselors; attorneys; clerical staff; trustees; members of committees and disciplinary boards; and a contractor, volunteer or other party to whom the school has outsourced institutional services or functions.”(1)
In addition to the exception noted above, the identifiable information shared in the upload, in this case the student’s name and birthdate, is defined by FERPA as “directory” information, which FERPA permits to be shared.(2)
Is the Screening HIPAA Compliant? Although Conexus is a provider of “health care”, within the meaning of HIPAA, because it provides vision screenings, Conexus does not engage in transactions subject to the TCS Rule. Therefore, Conexus is not a covered entity subject to HIPAA.
* The ShareFile security statement was copied from: https://www.sharefile.com/resources/citrix-sharefile-security-and-compliance
(1) US Department of Education’s website: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html
(2) US Department of Education, Safeguarding Student Privacy: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/safeguarding-student-privacy.pdf
§ 99.31 for the full list of exceptions to the consent requirement in FERPA: http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf