Page 10
9
U.S. Department of Education, FERPA Frequently Asked Questions, https://www2.ed.gov/policy/gen/guid/fpco/faq.html#q4.
10
The Individuals with Disabilities Education Act (IDEA), a federal special education law, requires educational entities to develop an individualized
education program (IEP) for each student with a disability to ensure that the students unique needs are met in an academic setting. Individuals with
Disabilities Education Act, 20 U.S.C. § 1414d (2004). A Section 504 Plan is developed pursuant to Section 504 of the Rehabilitation Act of 1973, a
federal civil rights law. Section 504 requires school district to provide a "free appropriate public education" (FAPE) to students with a disability. A Section
504 Plan ensures a FAPE for students with disabilities by providing accommodations, aids, and services that are designed to meet the student's
individual educational needs. 29 U.S.C. § 794 (Section 504).
11
See, e.g., National Forum on Education Statistics. (2010). Forum Guide to Data Ethics (NFES 2010–801). U.S. Department of Education. Washington,
DC: National Center for Education Statistics, noting that “[w]hile laws set the legal parameters that govern data use, ethics establish fundamental
principles of ‘right and wrong’ that are critical to the appropriate management and use of education data in the technology age.”
12
34 CFR §99.31
13
34 CFR §99.31(a)(1)(i)(B)
14
34 CFR §99.33(a)
15
Seattle Public Schools, Institutional Service Exemption to FERPA,
https://www.seattleschools.org/departments/communitypartnerships/data_access_for_c_b_os/institutional_service_exemption_to_f_e_r_p_a
.
16
Data Across Sectors for Health (DASH), A Legal Approach to Sharing Health and Education Data, May 2018. Online at: https://dashconnect.org/wp-
content/uploads/2018/05/DASH-Bright-Spot_Chicago.pdf.
17
See, DASH, Four Tips for Navigating Consent to Facilitate Data Sharing, October 6, 2016, online at: https://dashconnect.org/2016/10/06/four-tips-for-
navigating-consent-to-facilitate-data-sharing/.
18
See Privacy Technical Assistance Center (August 2015), U.S. Department of Education, Responsibilities of Third-Party Service Providers under
FERPA, online at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Vendor%20FAQ.pdf
.
19
U.S. DEP’T OF HEALTH AND HUMAN SERVS. & U.S. DEP’T OF EDUC., JOINT GUIDANCE ON THE APPLICATION OF THE FAMILY
EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) AND THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
(HIPAA) TO STUDENT RECORDS (Nov. 2008), https://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf
at 6.
20
The Checklist is available online at
https://www.networkforphl.org/resources_collection/2019/09/30/400/tool_checklist_of_information_needed_to_address_proposed_data_collection_ac
cess_and_sharing.
21
The U.S. Department of Education’s Privacy Technical Assistance Center has issued a Written Agreement Checklist that contains helpful information
on best practices and mandatory elements for drafting written agreements:
https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Written_Agreement_Checklist.pdf
22
See Elliott Attisha and Kerri Lowrey, “Data Privacy and Sharing in Schools and How It Can Support a Healthy Learning Environment,” Network for
Public Health Law Data Summit, Plymouth, Michigan, October 3, 2019.
23
See, e.g., USA Today, Measles outbreak: As students head back to school, US and world officials warn about risks, August 22, 2019. Online at
https://www.usatoday.com/story/news/nation/2019/08/14/measles-outbreak-could-worsen/1998544001/
.
24
Hedden EM, Jessop AB, Field RI. An education in contrast: state-by-state assessment of school immunization records requirements. Am J Public
Health. 2014;104(10):1993–2001. Online at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4167093/
.
25
States may pass laws that are more protective than FERPA or HIPAA, but laws that are less restrictive are preempted by federal law.
26
20 U.S.C. §1232g(a)(4)(a).
27
20 U.S.C. § 1232g(b)(1)(I). Regulations implementing this statute note that this section is to be “strictly construed.” 34 C.F.R §§ 99.31(a)(10) and
99.36. See also, LeRoy Rooker, Director, Family Policy Compliance Office, US Department of Education, Letter to Ms. Martha Holloway, State School
Nurse Consultant, Department of Education, Montgomery, Alabama, February 25, 2004.
28
Minnesota Department of Health’s sample school consent language for data sharing with state immunization registry can be found online at
https://www.health.state.mn.us/people/immunize/miic/privacy/ferpa.html
.
29
“FERPA No Consent” Checkbox in MCIR/SIRS and FORMS, Frequently Asked Questions, Information for Schools, https://www.mcir.org/wp-
content/uploads/2019/08/FAQ_for_FERPA_8-21-2019-pdf.pdf.
30
Hawes, Michael B. Letter to Michigan Senator Tom Barrett (March 27, 2019). The “FERPA No Consent” checkbox method of obtaining parental
consent for educational record disclosure does not satisfy consent requirements under FERPA, which requires that a consent for disclosure of
education records be signed and dated and specify the records that may be disclosed, state the purpose of the disclosure, and identify the party or
class of parties to whom the disclosure may be made. 34 CFR § 99.30. Available online at
https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Michigan%20immunization%20response_508-compliant.pdf
.
31
Healthy Schools Campaign, Washington, D.C., https://healthyschoolscampaign.org/policy/sharing-data-meet-student-health-needs-washington-d-c/.
32
45 CFR 164.512(b)(1)(i) (Covered entities may disclose PHI to public health authorities that are legally authorized to receive such reports for the
purpose of preventing or controlling disease, injury, or disability.) and 45 CFR 164.512(b)(2) (Public health authorities that are also covered entities
may use or disclose PHI for public health purposes.)
33
20 U.S.C. §1232g(a)(4)(a).
34
20 U.S.C. § 1232g(b)(1)(I). Regulations implementing this statute note that this section is to be “strictly construed.” 34 C.F.R §§ 99.31(a)(10) and
99.36. See also, LeRoy Rooker, Director, Family Policy Compliance Office, US Department of Education, Letter to Ms. Martha Holloway, State School
Nurse Consultant, Department of Education, Montgomery, Alabama, February 25, 2004.
35
The Memorandum of Agreement can be viewed online at https://www.ncemch.org/IAA/states/2015-IAAs/DC-IAA.pdf. See Section VIII Confidentiality
and Data Protection for the language of the “outsourced services” exception and how it was operationalized in this agreement.