The Family Policy Compliance Office is excited to announce the launch  of the new Student Privacy Website! This new website replaces both the Privacy Technical Assistance Center’s and the Family Policy Compliance Office’s sites.  The Student Privacy Website can be found at: Be sure to update your bookmarks accordingly!

Andrew Morse 10/02/15

Dear Ms. Styles: 

Thank you for soliciting public comment on the Department of Education’s August 18, 2015, draft Dear Colleague Letter regarding the handling of student educational and medical records.  On behalf of student affairs professionals who handle student records through their campus roles, I write to provide several comments for consideration.

We appreciate the interest in reminding colleges and universities of their responsibilities under FERPA to protect student privacy through the appropriate handling of student educational and medical records.  However, we are concerned about the recommendation that colleges and universities adopt privacy standards developed by the Department of Health and Human Services (HHS) for application under the provisions of the Health Insurance Portability and Accountability Act (HIPAA).  The Department of Education’s lack of legal authority to regulate and enforce the use of HIPAA privacy standards would create legal liabilities for institutions in cases where plaintiffs challenge the use of these standards in educational settings.  

The recommendation to use HIPAA privacy standards will only confuse professionals who handle student educational and medical records on campus.  Under FERPA, institutions already have a set of standards that govern third-party disclosures of student records.  Professionals who handle student educational and medical records thoughtfully employ these established standards to affirm our commitment to student privacy.  Finally, the draft guidance does not address the responsibilities of protecting licensed care providers who must also uphold the privacy of students who seek health services on campus.  

Given these concerns, we strongly encourage that HIPAA privacy standards not be included in formal guidance on the handling of student records.  Thank you for the opportunity to comment on the draft Dear Colleague Letter. 


Kevin Kruger, Ph.D.