The Family Policy Compliance Office is excited to announce the launch  of the new Student Privacy Website! This new website replaces both the Privacy Technical Assistance Center’s and the Family Policy Compliance Office’s sites.  The Student Privacy Website can be found at: Be sure to update your bookmarks accordingly!

Paul M Kaufmann 10/01/15

Dear Colleague,

This DCL would be more helpful if it also identified various ways that a student (potential plaintiff) provides University Counsel consent to access medical records when the student has already disclosed treatment records to private counsel in preparing a lawsuit against the University.  For example, do the following steps authorize University Counsel to access relevant records, if plaintiff counsel contacts University Counsel, names the student-client they represent, and

Hedya Aryani 10/01/15

To whom it may concern:

Below, we are submitting aggregated questions and requests for clarification regarding the draft “Dear Colleague Letter to School Officials at Institutions of Higher Education, Protecting Student Medical Records.” 

Thank you.

- - - - - - - - - - - - - - 

Comments on August 18, 2015, Dear Colleague Letter on FPCO Dear Colleague Letter: Access to Medical Records

• Can attorneys access the records if the campus client needs advice about the records themselves, not any claim by a student?

Carrie Hemphill Rieth 09/15/15

Thank you for the opportunity to review and comment on the Department of Education’s August 18, 2015 Dear Colleague Letter to School Officials at Institutions of Higher Education.  The following response is provided on behalf of California State University.  

Must a school or LEA record the non-consensual disclosure of PII from education records to a community-based organization?

Yes.  Generally when a school or LEA discloses without consent PII from education records to a community-based organization, with the exception of disclosures made under the “school official” exception, the disclosure must be recorded.  FERPA require schools to record all requests for access to, and all disclosures of, PII from the education records of each student, except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student.  See 34 CFR

May the community-based organization receiving PII from education records redisclose PII from education records without written consent?

No.  Regardless of whether the community-based organization received the PII under the school official, studies, or audit/evaluation exception, the answer is the same – the community-based organization may not redisclose it unless such redisclosure is on behalf of the disclosing entity and is consistent with FERPA.  (34 CFR § 99.33).  If further redisclosure is contemplated, we recommend that provisions addressing authorized redisclosures be included in any agreement with the community-based organization.

Should the school or LEA contact FPCO if the community-based organization has violated FERPA?

While FERPA does not require that you notify us, we recommend that you contact FPCO if a community-based organization violates FERPA and provide us with information concerning the violation and any actions that you have taken.  FPCO has the authority to impose what is informally known as “the five-year rule ban” against the community-based organization if FPCO determines that it has violated certain provisions under FERPA.  The five-year rule means that FPCO can instruct the originating LEA or school to not provide the community-based organization with further access to PII from students’ e

What should the school or LEA do if it finds that a community-based organization has misused or inappropriately redisclosed the PII from the education records it received from the school or LEA?

If the community-based organization misuses or inappropriately rediscloses PII from education records, the school or LEA should immediately take steps to address and mitigate any harm or damage caused by the violation.  The LEA or school should evaluate its options under the penalty and termination provisions of its written agreement, contract, or arrangement with the community-based organization and check any relevant State or local laws.  Depending on the severity of the circumstance, the LEA or school may decide to terminate its relationship with the community-based organization and requ

Must the LEA ensure that a community-based organization designated as its authorized representative complies with FERPA?

Yes.  Before the LEA discloses PII from education records to a community-based organization designated as an authorized representative, the LEA is required to use “reasonable methods” to ensure to the greatest extent practicable that the community-based organization is FERPA-compliant. This specifically means ensuring that the community-based organization:


Subscribe to Family Policy Compliance Office RSS