F.E.R.P.A.Family Educational Rights and Privacy Act

Security and Confidentiality of

Information

H.I.P.A.A.Health Insurance Portability and Accountability Act

Certified Employees

F.E.R.P.A. is

• A Federal Law that protects the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Deypartment of Education. (School Lunch/Breakfast Program, I.D.E.A., Title Programs, etc.) Board Policy JRA Student Records, Administrative Rule JRA-R

FERPA Gives Parents:

• Certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18, or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students.“

• Parents or eligible students have the right to inspect and review the student's education records maintained by the school.

• Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.

Generally:

• schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):– School officials with legitimate educational interest;– Other schools to which a student is transferring;– Specified officials for audit or evaluation purposes;– Appropriate parties in connection with financial aid to a student;– Organizations conducting certain studies for or on behalf of the school;– Accrediting organizations;– To comply with a judicial order or lawfully issued subpoena; – Appropriate officials in cases of health and safety emergencies; and– State and local authorities, within a juvenile justice system, pursuant to

specific State law.

Schools:

• May disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.

• Schools must notify parents and eligible students annually of their rights under FERPA.

Dillon School District Two FERPA Statement

• The Family Educational Rights and Privacy Act (FERPA) is a federal law that requires the school district, with certain exceptions, to obtain your written consent prior to the disclosure of personally identifiable information from a child’s educational records. However, the school may disclose some student information without written consent when the information is designated “Directory Information” unless the parent/guardian has advised the district to the contrary in accordance with district procedures.

• The primary use for Directory Information by the District is to include this type of information in certain school publications. It is generally not considered harmful or an invasion of privacy if released. Examples of school publications are:

• a playbill or program, showing a child’s role in a drama or music production• the annual yearbook• honor roll or other recognition lists published at school or in newspapers• graduation programs• sports statistics listed in programs, such as football which may include height and

weight of team members.

FERPA Statement (Continued)

• Directory Information can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to:

• other schools the student is seeking to attend (transcripts, etc.)• class ring manufacturers• state or federal authorities auditing, evaluating programs or enforcing state or federal laws• a court by order of a subpoena

• Schools will treat each student’s education records as confidential and primarily for local school use. The exception to this rule is for directory information, which includes; the student’s name, address, telephone number, date and place of birth, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, diploma or certificate and awards received, electronic email address, photograph, grade level, the most recent previous educational agency or institution attended by the student, and other similar information.

• The district takes special care not to identify students by name or the school they attend in most cases. However, published names in yearbooks, student/school newspapers, are considered domain and can be reproduced by the media.

• Two federal laws require school districts that receive assistance under the No Child Left Behind Act of 2001 to provide military recruiters, upon request, with three Directory Information categories-names, addresses, and telephone listings-unless parents have notified the district that they do not want their child’s information disclosed without their prior written consent.

H.I.P.A.A. is

• *The strongest federal confidentiality protection ever enacted. • *Requires privacy safeguards for any PHI (Protected Health

Information), whether oral or recorded in any form or medium that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.– *Applies to both written and electronic health records.– * Immunizations are NOT considered to be PHI.

• CIVIL PENALTIES: $100 PER VIOLATION TO A MAXIMUM OF $25,000 PER PERSON FOR VIOLATONS IN A CALENDAR YEAR

• CRIMINAL PENALTIES: $50,000 AND/OR IMPRISONMENT UP TO ONE YEAR.

• SCHOOL HEALTH RECORDS ARE ALSO CONSIDERED PART OF THE STUDENT RECORD AND ARE THEREFORE PROTECTED UNDER FERPA.– PHI can only be disclosed for:

– Treatment, payment, or health care operations.

– With signed parental authorization.

– For permitted public health or other legal purposes.

– When PHI is de-identified.

• HEALTH INFORMATION IN SCHOOLS MAY BE SHARED WITH OTHER INDIVIDUALS ON A NEED-TO-KNOW BASIS.

• Examples:– First responders who may need to provide emergency treatment

– Classroom teachers who must report symptoms

– Bus drivers who must respond in emergencies

– Principals’ designees

– Nurses who must take call for emergencies or absences.

• EMPLOYEES MAY NOT:– Discuss the health concerns of students with friends, family, or uninvolved

school personnel.

– Discuss the payment source (e.g. Healthy Learners, Dillon Smiles, Medicaid) of a student’s health care with friends, family, or uninvolved school personnel.

– Discuss health emergencies, medications, or other treatments of students with friends, family, or uninvolved school personnel.

How Does This Have Anything To Do With Me?• As a school employee you must

be careful not to discuss any educational program information relating to your students with anyone who does not have a need to know.

Do Not Discuss:

Educational Records of Students which are defined by F.E.R.P.A. as the following:

Any information directly related to a student, specifically any information recorded in any way, including, but not limited to:

• verbal conversation • handwriting• print• computer media• video or audio tape• film • microfilm• microfiche

• Any information maintained by educational agencies or institutions, or by parties acting for the agency or institutions (e.g., special education schools, and health or social services institutions)

Information should not be disclosed (verbal or written) which could identify a student as one who receives special services outside the scope of those who need to know in order to provide such services. This includes but is not limited to such examples as:

1. Conversations with family and friends2. Conversations with staff members without “need to know”3. Newsletters4. Memos to staff5. Faculty bulletin boards6. Newspaper articles and/or photos

Examples:

• Mrs. Johnson, in attempt to publish student work, posted on the wall the top 3 projects in her class including their grades.

• Is this a violation of F.E.R.P.A.?

POSTING GRADES

• The public posting of grades by the student's name, student identification number, or social security number is a violation of FERPA.  Even without the name, using a student I.D. number or any part of a social security number violates FERPA, as the information may be personally identifiable to the student.

• Mr. Smith passed out his student’s tests with grades on them, row by row.

• Miss Jones asked the student helper of the day to pass out students graded homework.

• Is this a violation of F.E.R.P.A.?

RETURNING ASSIGNMENTS

• Assignments and papers that contain "personally identifiable" information should not be distributed to the student in a way that would allow other students to view the information.  Graded papers should not be left unattended in an office or classroom for students to sort through or returned to students via another student.  Both of these examples are a violation of FERPA. 

• A female student reported that her teacher held her picture up in front of the class as an example of information available in a new class list system. The student was upset about the public display of her picture, and also was concerned about other possible inappropriate uses of her picture.

• The student ID picture is defined as confidential and should not be used or displayed in any public setting without the student's permission.

• Mr. Jones has just had a horrible day with his students, John Brown was absolutely horrible. Mr. Jones was so frustrated that he went to the teacher’s lounge and discussed this student with other teachers in the lounge.

• Is this a violation of F.E.R.P.A.?

• At a church gathering, Jane Doe who teaches at the local school is sitting next to a long-time friend, Sally Smith. Sally asks Jane if she knows the new family in town, the Brown’s. Jane said she does and that the children go to her school and that one of them is in her class. Sally asks Jane if there is anything strange about the family – the children are up at all hours and causing trouble in the neighborhood. Jane tells Sally that one of the children has some serious problems and is receiving special classes and counseling.

• Is this a violation of F.E.R.P.A.?

• A bomb threat is called in to one of the schools. Susan, the school secretary calls one of her friends, Carol, in another school to tell her about the incident. Carol asks Susan what happened and did she need to come and get her child. Susan tells Carol, no John Brown’s son Jimmy, called in the bomb threat.

• Is this a violation of F.E.R.P.A.?

• A student complained that I left my grade book open on my desk and he could see not only his own grades, but grades for the whole class. Isn't that getting a little picky?

A: No, actually, it's not. Everyone who deals with protected student information needs to be cautious about "passive" and unintended releases of information. This includes leaving information visible on your desk or walking away from a computer screen that displays student information. We even need to be alert to where monitors are placed, so that they are not visible through a window or doorway.

• A bus driver had to break up a fight on the school bus. The driver is very frustrated and tells the other bus drivers that Suzy Smith is a terror and that she started a fight on the school bus today.

• Is this a violation of F.E.R.P.A.?

• YES!!!• The other drivers do not have a need to know this information.

• A housekeeping or maintenance staff member has to go to a school and clean up a break-in. As they talk to other housekeeping or maintenance staff, they tell them that those Jones boys are trouble – they had to clean up from a break-in that those boys did at the school over the weekend.

• Is this a violation of F.E.R.P.A.?

• YES!!!• There was not a need to know this information about these

children.

• A cell phone has been confiscated and handed to you. You scroll through the contacts and then read the text messages logged into the phone. You decide to call someone from this phone to identify the owner of the cell phone.

• Is this a violation of F.E.R.P.A.?

• YES!!!• You do not have a need to know the private contents of the

cell phone.

• John Brown is creating a disturbance in a classroom. You use the walkie talkie and tell the School Resource Officer or an administrator that John Brown is in Mrs. Johnson’s classroom creating chaos.

• Suzy Smith is disrupting the cafeteria. You call on the intercom for the School Resource Office to get Suzy Smith from the cafeteria.

• Is this a violation of F.E.R.P.A.?

• You should ask the School Resource Officer to call you on a secure land line or to come to the office and discuss in private.

• Mrs. Jones will be the interim teacher for Mrs. Smith who will soon be away on maternity leave. Mrs. Smith asked the school nurse if she might share with Mrs. Jones the emergency plans and Individualized Health Plans of her students with chronic health conditions. What should the nurse’s response be?

• As interim teacher, Mrs. Jones has a need to know the health conditions of the children for whom she will be responsible. However, the importance of confidentiality and privacy laws should be explained to Mrs. Jones prior to disclosing the information.

• The principal of a middle school has asked the school nurse to present an in-service training program about asthma. He has asked the nurse to provide in the training a list of names of all students in the building who have asthma. How should the nurse reply?

• Although the asthma training session will be beneficial to all staff, names of affected students can only be shared on a need to know basis. The nurse should notify each teacher privately of only the students in his/her class who have asthma or any other chronic health condition.

• Susie Q is transferring from a school district in a neighboring state. The school nurse is attempting to secure the appropriate immunization records and called the previous school. She was told by a secretary that due to privacy laws, written consent for release of information must be signed by the parent before this information can be released. The nurse responded by stating that immunization records are not considered PHI (Protected Health Information) and can be shared without consent for the purpose of enrolling the student. Who is correct?

• The school nurse is correct. Immunizations are not considered PHI.

• You have a jump/flash drive saving information to transport to another computer or home. Are you liable for all of this information?

• The person and the District are liable. If you are using a jump/flash drive and you lose it or it is stolen, you must report it immediately to the Director of Technology.

Technology Information and F.E.R.P.A.

• When you use a district purchased/owned computer, you are responsible for all activities that occur with that computer at any time of the day.

• Your login and password are confidential. If you login into the computer, you are responsible for all activity on that computer. This is why you should never leave your computer unattended or let anyone use your computer while it is logged in under your name.

• If you take a district computer home, you are responsible for all activity that occurs on that machine. It is monitored and retrieved.

Who Has A Need To Know Student Information?• The teacher or teachers that work with the

particular students.

• The principal or other administrative personnel. (This does not include secretaries, custodians, or other support staff that does not directly work with the individual student.)

What Can Happen To Me If I Don’t Pay Attention to F.E.R.P.A. or H.I.P.A.A.?

• Criminal charges may be filed against:– You

– The Superintendent

– The Board of Education

General Security and Privacy Issues Reminders

• Personnel Information (Board Policy GBJ Personnel Records and Files)

• An employee’s personnel file includes records and documents concerning the employee.

• Access to the file is limited to: Employee’s school principal/immediate supervisor Superintendent School officials involved in the evaluation process School Board if involved in promotion, demotion, suspension or dismissal

• Payroll information is placed in a separate file and this information is limited to persons involved in payroll.– (Employees may not discuss specific personnel and payroll information with

any other school or district personnel as well as with anyone outside of the school district. Any questions concerning these matters should be directed to the immediate supervisor.)

• Staff Conduct (Board Policy GBE Staff Rights and Responsibilities) (Board Policy GBEA Staff Ethics/Conflict of Interest)

• May not use or disclose confidential information in the course of employment

• All staff members have a responsibility to make themselves familiar with, and abide by, federal and state laws as they affect their work.

• Use of Computers (Board Policy IJNDB Use of Technology Resources in Instruction) (Faculty and Staff Acceptable Use Policy)

• Only expect limited privacy of contents of any personal files

• Do not provide your password to another person

• Do not provide access to district computer systems to anyone, especially non-employees

• Email should be primarily used for school-related business

• Do not send spam, chain letters, jokes, etc.

• District does not monitor email, but monitors the system. However, email may be requested in eDiscovery or FOIA requests.

• Electronic Mail Retention Procedures (Article 9 General Retention Schedules for School Districts)

• Email may be accessible to the public and some should not depending on the content of the record as determined by FOIA, FERPA, and HIPAA.

• Email is archived and retained for 7 years

• Email signatures should contain:– User name

– Title

– School/Office name

– School/Office address

– School/Office phone number

– School/Office fax number

• No other messages may be added to the signature

Policy GBEBD

• Employee Use of Electronic Communication

• An employee will not use an electronic communication device, including a cellular phone or other mobile communications device, while on duty. This includes, but is not limited to, receiving or placing calls, text messages, surfing the Internet, checking phone messages or receiving or responding to email. Cell phones should be turned off at all times.

• An employee will not allow a student to use the employee’s cell phone for any purpose.

Policy GBEBDA

• Employee Use of Electronic Communication with Students

• Dillon School District Two prohibits any type of personal relationship between a school employee and a student that may be reasonably perceived as unprofessional.

• Students will not be contacted using personal employee cell phones through calls, photos or texting.

• Employees will use land line phones to contact students, if approved by the building administrator.

• Employees will not use social networking sites to communicate with students.

Policy GBEBDA (Continued)

• Employees may post information for students such as homework, practice schedules, etc. on district sponsored websites.

• Employees will not post any student or group photographs on any website that is not the official school district website(s).

• Employees may not contact students using a student’s personal email accounts (such as yahoo.com, etc.).

• Employees may not use their personal email accounts to contact students (such as bellsouth.net, etc.).

• All email between employee and student must be through the district email system.

Policy GBEBDA (Continued)

• Employees are encouraged to block students from viewing personal websites or online networking profiles.

• If an employee creates and/or posts inappropriate content on a website or profile and it has a negative impact on the employee’s ability to perform his/her job as it relates to working with students, the employee will be subject to discipline up to and including dismissal.

• Employees will not use text messaging to contact students. This includes, but is not limited to: coaches, club sponsors, band and cheerleaders. Formal district communication systems will be used.

Policy GBEBDA (Continued)

• Employees may use the school district calling system to contact parents/legal guardians and provide information regarding practice schedules, club activities, etc.

• (Cf. IJNDB, GBEB, GBEBB)

What Do I Do If I Slip?

• Inform your Superintendent or Principal

• Inform your school Attorney

• Inform your insurance company if a formal complaint is made

What should I do to protect myself?• When in doubt – don’t give it out.• Refer requests for student academic information to the school office.• Information on a computer should be treated with the same

confidentiality as a paper copy.• Do not leave confidential information displayed on an unattended

computer.• Cover or put away papers that contain confidential information if you are

going to step away from your desk.• Do not provide anyone with student schedules or assist anyone in trying to

locate a student on campus that is not part of the school staff. Refer them to the school office.

• Do not discuss any student information with anyone that does not have a “need to know”

• Never discuss student information with anyone outside of the school.

Thank You And Remember:

• Never say anything bad about a child with whom you are working!

• If it isn’t positive, don’t say it!

• Treat all students as you would like to be treated!