As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.
As schools reopen in-person classes, some institutions have declined to release the number of students who have tested positive for COVID-19. Often, schools have justified withholding this information by citing “privacy laws,” leaving journalists and community members to object to the schools’ interpretation of the law.
To clarify how schools may disclose COVID-related data, the U.S. Department of Education released a blog post detailing the requirements of the Family Educational Rights and Privacy Act (FERPA). Drawing from the Department’s earlier guidance on FERPA and COVID-19, the blog post covered three essential points:
- A school may generally disclose the number of students who have COVID-19 to parents, students, and the public so long as the information “does not allow for any individual student to be identified”;
- A school may identify a student in the case of a specific health and safety emergency, but only “if the disclosure is necessary to allow parents and students to take appropriate precautions”;
- FERPA does not protect the privacy of teachers or school officials, but “there may be state laws or other considerations that apply in these situations.”
Below, we further explore some of these points and address a few additional questions that have arisen as schools have balanced transparency and privacy: which laws actually apply, the scope of FERPA’s restrictions, and when FERPA might apply to aggregate data such as the number of students who have COVID-19.
Which Law Applies?
In declining to share detailed statistics, educational institutions have relied on both FERPA and the Health Insurance Portability and Accountability Act (HIPAA). Although HIPAA and FERPA embody some of the same principles, their requirements and protections differ. FERPA applies to “personally identifiable information from education records.” An education record is any record “directly related to a student” and maintained by (or on behalf of) an educational agency, which includes a student’s health records held by a school or university. In turn, HIPAA covers “protected health information” only when it is handled by specific healthcare-related businesses, and HIPAA expressly exempts health information maintained in a student’s education record. Consequently, FERPA, not HIPAA, usually controls health information held by schools, such as which students have been diagnosed with COVID-19.
The details of the relationship between FERPA and HIPAA can be found in joint guidance issued by the U.S. Departments of Education and Health and Human Services.
Are Schools Only Prohibited From Releasing Students’ Names?
FERPA applies to more than students’ names. FERPA’s protections apply to “personally identifiable information” (PII) from “education records.” PII not only includes direct identifiers such as a name or Social Security number, but also indirect identifiers such as date of birth, place of birth, or any “information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community . . . to identify the student with reasonable certainty.”
Consequently, when releasing information, it is not sufficient to remove only student names. Instead, officials must remove any information that could reasonably be linked back to specific students, a process known as de-identification. The U.S. Department of Education has released guidance to aid schools in ensuring that data are truly de-identified.
When is the Release of Aggregate Data Allowed?
Schools and universities have argued that, under FERPA, they cannot release aggregate COVID statistics for broad groups of students such as for schools, athletic departments, or dormitories. However, under FERPA, a school may share the number of confirmed cases so long as “a reasonable person in the school community” cannot “identify [a] student with reasonable certainty” from the data.
Although aggregate data may not identify individuals on its face, it might inadvertently allow individual students to be identified in two primary scenarios: (1) when a statement applies to all (or nearly all) students in a group or (2) when the group is small enough to allow community members to infer a student’s identity, alone or in combination with other available information.
For example, in its blog post, the Department stated a school may announce “that five students are absent due to COVID-19” if “there are a sufficient number of other students who attend the school and other students at the school are absent for other reasons.” However, if all absent students had COVID-19 or if the school were rather small, the release of information would allow community members to infer who has been diagnosed with the disease. To dig deeper on these topics, review the Department’s prior guidance from March.
Encouraging transparency and accurate information during the fight against COVID-19 is important for ensuring that leaders and families can make the best decisions for students. FERPA does not preclude a school from releasing aggregate data about outbreaks of COVID-19 on campus, as long as that aggregate information cannot be tied to individual students. Therefore, schools should be cognizant of when aggregate data may allow the community to infer information about individual students, but should seek to balance these privacy concerns with the benefits of sharing information about how this global crisis is affecting schools.