School Behavioral Threat Assessment Toolkit

11.0 FERPA and HIPAA: What Threat Assessment Teams Need to Know

Questions and concerns about the Family Educational Rights and Privacy Act (FERPA) and/or the Health Insurance Portability and Accountability Act (HIPAA) protections often arise as part of the threat assessment planning process. It is critical that threat assessment teams understand how to balance the safety of the school with the privacy of individual students. These laws should not be an impediment to threat assessment and threat management. Threat assessment teams should consult school district legal counsel for guidance on information-sharing.

What is FERPA?

FERPA is a federal law that protects the privacy of student education records. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. FERPA protects the rights of parents or eligible students to:

  • Inspect and review education records.
  • Seek to amend education records.
  • Consent to the disclosure of personally identifiable information (PII) from education records, except as specified by law.
Education Records Not Education Records
Transcripts Records that are kept in the sole possession of the maker and used only as personal memory aids
Disciplinary records Law enforcement unit records
Standardized test results Grades on peer-graded papers before they are collected and recorded by a teacher
Health (including mental health) and family history records Records created or received by a school after an individual is no longer in attendance and that are not directly related to the individual's attendance at the school
Records on services provided to the students under the Individuals with Disabilities Education Act (IDEA) Employee records that relate exclusively to an individual in that individual's capacity as an employee
Records on services and accommodations provided to students udner Section 504 of the Rehabilitation Act of 1973 and Title II of the ADA Information obtained through a school official's personal knowledge or observation and not from the student's education records

Who may access FERPA-Protected Education Records?

School officials with a “legitimate educational interest” may access FERPA-protected education records. Such individuals typically include teachers, counselors, school administrators, and other school staff.

The Health or Safety Emergency Exception

FERPA does, however, authorize school officials to disclose information without consent in emergency situations where the health and/or safety of students is at risk. Relevant information can be released to law enforcement, public health, and medical officials.

The U.S. Department of Education (DOE) would not find a school in violation of FERPA for disclosing FERPA-protected information under the health or safety exception as long as the school had a rational basis, based on the information available at the time, for making its determination that there was an articulable and significant threat to the health or safety of the student or other individuals.

Common FERPA Misunderstandings

Information obtained through a school official’s personal knowledge or observation is not protected by FERPA and can be disclosed. Specifically, observations, notes, drawings, pictures, anonymous tips, security videos, and all investigating interviews are not protected under FERPA, so a threat assessment team is not violating anyone’s rights by collecting such data to drive their assessment and management of a reported threat or concern.

What is HIPAA?

HIPAA protects the privacy and security of individually identifiable health information held by health plans, health care clearinghouses, and most health care providers and their business associates. It is important to remember that confidentiality is held by the patient, not the mental health provider.

In cases where HIPAA applies, the following strategies may assist threat assessment teams in eliminating potential barriers to critical data collection:

  • Provide information to health and mental health professionals.
  • Ask about duty to warn or duty to protect.
  • Ask permission from student and parent to disclose medical records.

The Serious Danger to Self or Others Exception

Medical and mental health providers may disclose protected health information when disclosure:

  • Is necessary to prevent or lessen a serious and imminent threat to health or safety of patient or others and is to someone reasonably able to prevent or lessen the threat.
  • May include disclosure to law enforcement, or others who can mitigate the threat and disclosure must be consistent with applicable law and standards of ethical conduct.

Common HIPAA Misunderstandings

Generally, HIPAA does not apply to student health information maintained by a school. While schools and school districts may maintain student health records, these records are in most cases not protected by HIPAA. Rather, student health information maintained at a school would be considered education records which are protected by the Family Educational Rights and Privacy Act (FERPA).