Net Exchange Response


Title: Confidentiality concerns in using email to share information on students?

Date Posted: 10/25/2005

Question: "What federal, state, or district regulations have people obtained regarding the confidentiality and the use of email among public (K-12) educators to share info and coordinate interventions about a particular student. As our use of technology grows, it is becoming commonplace to use email as a way to share history, diagnoses, behavioral presentations, etc. among service providers employed by the district. We generally make a good effort at not writing out a student's name in the subject line or body of the email letter, but it is becoming harder to do so while continuing to use this as a form of communication and info sharing. Does FERPA (Family Education Rights and Privacy Act) address this issue at all? I can't seem to locate any specific documents, statutes, or laws pertaining to it."

Response:

To get the latest perspective on this, we forwarded the question to members of our consultation cadre and advisory board with special expertise in the area. Here are a few responses:

  • "The question regarding secure e-mail communications is an extremely complex one because there are issues of whether the information communicated is an educational record under the Family Educational Rights and Privacy Act (FERPA), or medical information under the Health Insurance Portability and Accountability Act (HIPAA) and that depends on what is communicated, to whom it is communicated, and under what conditions.

    Here are some articles that describe the interaction among FERPA, HIPAA, and IDEA describing their applicability to student information:

    http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/alhippaa.html
    http://www.healthinschools.org/ejournal/2003/privacy.htm

    Generally, student health records and other such information maintained by the educational institution are 'educational records' subject to FERPA and are usually exempt from HIPAA. Under FERPA, information may be exchanged within the educational institution without consent of the student/parent when there is a legitimate educational interest or for other specified reasons. Otherwise exempted, consent is needed to disclose information in educational records. FERPA is silent on electronic communications; however, there are provisions that information not be disclosed without consent or not be redisclosed to outside parties, so some level of security is implied in the communication and the keeping of information that is being exchanged.

    In my research in this area, about the only things I have found for FERPA seem to fall into the category of 'best practices' for electronic storage and communication. These would be similar to your reference to keeping ID numbers and names out of e-mail message subject headers. The U.S. ED Family Policy Compliance Office is developing regulations for FERPA, essentially bringing it into the electronic age; however, most of their work seems to be around educational records access by researchers. You may want to address your questions and concerns to the FPCO (http://www.ed.gov/policy/gen/guid/fpco/index.html).

    Because not much is being done regarding electronic security under FERPA, I would advise looking to HIPAA for best practices. Much more is being done in the area of secure electronic information and communications under HIPAA due to the HIPAA privacy rule and the HIPAA security rule. Regulations regarding the security rule can be accessed at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

    Also, I expect that a lot of good guidance and standards will come out in about 18 months from some recent federal initiatives for secure electronic communications under HIPAA. You can review these at: http://www.govtech.net/news/news.php?id=96892 "

  • "We advise out of our office that breach of confidentiality specifies that ACCESS to information deems it public. Truly confidential information cannot be accessed by anyone other than the counselor and it is the responsibility of the counselor to maintain the security of the information. Because computer-generated communication is never truly protected from access, we do not recommend sharing confidential information in this manner. In the event that a school was challenged in a legal setting and "educational records" were subpoenaed - a computer could be included in that subpoena, and email conversations could be accessed, even after they are deleted. We have had folks suggest for computer-generated notes saving them to a zip drive (memory stick) that can be removed from school and not saving them to a hard drive. This is of course challenging due to the high and effective use of email as a communication tool in schools..."

  • "I would say that a district should have a password-protected and secure firewall for all school health personnel transmitting sensitive information that is not accessible to the rest of the staff and follow the same recommendations now being required for medical records under HIPAA. FERPA does not address this issue because it was passed in 1974 and we didn't have electronic communications like we do now. No district can go wrong if they abide by the HIPAA security standards. Also, see the free Forum Guides:

    • National Forum on Education Statistics. (2004). Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies, NCES 2004-330. Washington, DC: National Center for Education Statistics. http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2004330
    • U.S. Department of Education. (2003). Weaving a secure web around education: A guide to technology standards and security. U.S. Department of Education, National Center for Education Statistics, National Forum on Educational Statistics. (NCES 2003-381), Washington, DC: Author. Retrieved April 24, 2004 from http://nces.ed.gov/pubs2003/2003381.pdf

    Districts that cannot ensure the security of the system should not be doing this online. We did it (last time I was in schools) without names. So a district can create policies that work with their levels of security."



Feedback

This week we received the following additional responses:

  1. "HIPAA does not specifically address the use of email or faxes since it does not consider them ‘electronic transmissions’. I spoke with our state office of Office of School Health and they assured me that they send PHI via email between the various Medicaid offices all the time. You must include a confidentiality statement on your email just like you do on your fax cover sheet. They feel this is enough to cover you. Just a few reminders for those who use email on a computer that others may have access to and PDAs and BlackBerrys. It is important to build in passwords that only you would be able to access those email messages, especially for the mobile PDAs and BlackBerrys in case they are lost. Encrypting is strongly encouraged."

  2. "Sorry for the slight delay in responding but I wanted to research this issue a little. My initial reaction to your email was that there were no federal regulations specifically pertaining to internet use and FERPA. I searched FERPA at Ed.gov and didn't find any direct references addressing the scenario you presented. It is possible that a state has addressed this issue within state statutes, but I don't know of any off the top of my head and I didn't find any in the brief search I did. As for districts, I did find many districts and universities with policies addressing internet use and policies for posting confidential information. Most had some type of statement like ‘confidential info may only be posted online if it is protected by a password or other security measure....’ This would imply that if you were discussing information you would need to go to significant lengths to limit the ability of a student to be identified or linked to the data being reported, unless it was fully password protected. Your practice of disguising student identities is very appropriate, although I didn't see specific district policies or recommendations addressing this. Pretty much every educational institution simply said, ‘comply with FERPA’ without giving much additional guidance. That's my view. It would be great to address the question to an attorney."

  3. "I have been looking into this issue and I think it is a complicated one. I would recommend that the school district develop a very clear policy for this type of communication over email as HIPAA requires that all protected health information be "reasonably safeguarded". I don't know how you maintain that confidentiality within an intranet that includes lots of non-health professionals. The system administrator, for example, would have access to the emails and we have all made the mistake of hitting the reply all button when we didn't mean to."



Feedback

"Regarding your question of whether electronic communications among a group of educators regarding a student is an educational record as defined under Family Education Rights and Privacy Act (FERPA) and thereby protected as confidential and subject to the access, review, amendment, and other accountability elements provided to parents under the FERPA: As I am sure you know, an educational record under FERPA is very broadly defined. It is any personally identifiable record, file, document or other material collected, maintained or used by a school or their agent that directly relates to the student. (34 CFR 99.3).

Personally identifiable is the key starting point. If it isn't personally identifiable, it isn't a student record. However, personally identifiable isn't limited to merely the student's name. It includes any information that would make a student's identity easily traceable such as a name, name of student's parent or other family member, the address of the student or student's family, student's social security number or student number. The FERPA does not differentiate between the medium of storage or the method of transmission. There is no legal difference between the level of protection afforded to physical files over those that are stored or transmitted electronically or any other form.

Therefore, as you can see, personally identifiable information transmitted or communicated electronically is a record under the FERPA. As a record, it is thereby protected under confidentiality as defined by FERPA (able to be communicated to those with a legitimate educational interest without the consent of the parent and communicating only with consent of the parent to private organizations etc.) and also subject to the parental access and review requirements provided under FERPA (and copies are to be provided if failure to provide copies prevents the parental access and review) and the hearing procedures as defined by FERPA available for when a parent wishes to challenge the record for purposes of veracity, privacy, or misleading information.

What I tell (perhaps it is more of a warn...) our district personnel (generally) is to not use personally identifiable information regarding students in email. If it is to be done, treat it as the educational record that it is."



UCLA Center for Mental Health in Schools
Dept. of Psychology, P.O.Box 951563, Los Angeles, CA 90095.
tel: (310)825-3634
email: Linda Taylor ~ web: https://smhp.psych.ucla.edu