An overview of the Family Educational Rights and Privacy Act (FERPA) and how it compares to HIPAA
Outside of the Payment Card Industry Security Standard (PCI-DSS) another big regulatory requirement that is on many security, compliance, and privacy professional’s minds is the Health Insurance Portability and Accountability Act (HIPAA).
Even through HIPAA has been around since 1995 it really had not gained momentum in the community until the past few years when fines started being issued, better guidance started coming out from HHS, CMS, ORC, and NIST, and the ORC started performing more audits.
However, there has been a privacy law that has been on the books for much longer than HIPAA and it is the Family Educational Rights and Privacy Act or (FERPA).
What is FERPA?
FERPA is a Privacy law meant to protect student records from being disclosed to individuals or organizations without the proper consent from the eligible student or parent, and provides the right of an eligible student or parent to review records and formally amend any errors.
Eligible students are students who are at least 18 years of age or are attending postsecondary education. This law has been around since 1974, and governs elementary, secondary, and postsecondary schools i.e. colleges and universities who receive federal funding.
If a school has been found to have had student records breached or shared with individuals or organization without proper consent, then the Department of Education could potentially cut all federal funding such as federally funded education programs, grants, and the ability to accept student loans.
Who is in charge of FERPA?
Currently under the Department of Education, The Family Policy Compliance Office (FPCO) is responsible for investigating complaints and providing technical guidance. It is then the responsibility of the State Education Agencies and Local Education Agencies to enforce state and local laws for elementary, secondary and postsecondary schools.
How were HIPAA and FERPA similar and however are they now different?
HIPAA and FERPA were very similar at one time because both regulations only were enforced when a formal complaint was sent to respective offices. After a formal complaint was made, an investigation was performed however, in almost all cases it only resulted in a nasty-gram from the ORC or the FPCO and slap on the wrist.
It was not until recent years that HIPAA started requiring organizations to report known or suspected breach of electronic protected health information (ePHI), and finds have been issued for organizations that handle ePHI. As HIPAA matured over time, FERPA remained the same only requiring the investigation of formal complaints.
FERPA currently does not require a school to have a security or a risk management program to protect student records or report any breaches of student records. However, according to the Family “Educational Rights Privacy; Final Rule,” from 2008, it is “suggested” that they implement these protections however it is not required.
How can we make FERPA better?
I think there are a couple different paths that FERPA could take. The most obvious would be to make revisions to the current regulations to require schools to have an information security and risk management program in place and require schools to report any suspected or known breaches.
Another way is to control it from the states level. A good example of this is the Massachusetts Breach Notification Law that not only requires proper breach notification, but also ensuring that the organization have a proper security program in place. These state laws could give schools a little bit of a push to better protect student records and report suspected or known breaches.
Currently many of the states only have a breach notification law in place requiring organization such as schools to report the loss of PII to the people affected. This is however more than what FERPA requires.
What will the Future Bring?
I believe that one way or another, schools will need to have a functional, formal, and documented security program to protect student records. The program will required to have a proper risk management program, operating and effective security controls, and security policies and procedures.
Whether it comes from the Federal Department of Education and the FPCO or required through state laws it is coming. Is your school ready?