Student Privacy
- Children's Online Privacy Protection Rule (COPPA)
- Family Educational Rights and Privacy (FERPA) Annual Notification
- Health Insurance Portability and Accountability Act (HIPAA)
- Protection of Pupil Rights Amendment (PPRA)
- TCS Board Policy: Media Access to Students
Children's Online Privacy Protection Rule (COPPA)
COPPA
(from https://www.studentprivacymatters.org/ferpa_ppra_coppa/#COPPA)
Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, which is regulated by the Federal Trade Commission, not the US Department of Education.
The primary goal of COPPA is to allow parents to have control over what information is collected online from their children under age 13. The law applies to any operators of websites, online services including web-based testing, programs or “apps” that collect, use, or disclose children’s personal information, whether at home or at school. However, COPPA only applies to personal information collected online from children; it does not cover information collected from adults that may pertain to children.
The personal information can include the child’s name, email, phone number or other persistent unique identifier, and information about parents, friends and other persons. The law recognizes that the school can consent on behalf of the parent to create accounts and enter personal information into the online system, but only where the operator collects personal information for the use and benefit of the school, and for no other commercial purpose. Unfortunately, many schools fail to engage in proper due diligence in reviewing third-party privacy and data-security policies, and inadvertently authorize data collection and data-mining practices that parents find unacceptable.
What rights do parents have under COPPA when online programs are used in schools?
The FTC revised guidance on best practices in March 2015, shifting some parental rights to schools. If your under-13 child is participating in an online program from a service provider or commercial website collecting personal information, whether for instructional, testing, or other purposes, the school and/or vendor or service provider must provide your school with a clear and prominent privacy policy and use practices on its website or elsewhere, including the following:
- The name, address, telephone number, and email address of the vendors collecting or maintaining personal information through the site or service;
- A description of what personal information the operator is collecting, including whether the website or program enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- That the school can review or have deleted the child’s personal information and refuse to permit its further collection or use, and provide the procedures for doing so.
Best practice on the part of the school would also be to require written consent from parents if their child under 13 is using such a program, especially if the program contains ads or any marketing material.
In any event, when an online operator receives consent from the school, the operator must, upon request, provide schools with the following:
- A description of the types of personal student data collected;
- An opportunity to review a student’s information and/or have it deleted;
- The ability to prevent the online program from any further use or collection of a student’s personal information.
Click Here for additional information on COPPA.
Family Educational Rights and Privacy (FERPA) Annual Notification
Annual FERPA Notification
The Family Educational Rights and Privacy Act (FERPA), a federal law administered by the Department (20 U.S.C. § 1232g; 34 CFR Part 99), affords parents and “eligible students” (students who are at least 18 years old, or, in attendance at a postsecondary institution at any age) certain rights with respect to education records, such as the right to consent to the disclosure of personally identifiable information (PII) from the education records (except in certain circumstances).
Educational Records: “Education records” refers to records, files, documents and other materials which:
- Contain information directly related to a student, including: state and national assessment results, including information on untested public school students; course taking and completion, credits earned and other transcript information; course grades and grade point average; date of birth, grade level and expected graduation date or graduation cohort; degree, diploma, credential attainment and other school exit information such as receipt of the GED and drop-out data; attendance and mobility; data required to calculate the Federal four-year adjusted cohort graduation rate, including sufficient exit and drop-out information; discipline reports limited to objective information sufficient to produce the Federal Title IV annual incident report; remediation; special education data; demographic data and program participation information; and
- Are maintained by the school or school district or a person acting for the school or school district.
Personal Identifiable Information (PII): Personal identifiable information (PII) includes, but is not limited to:
- The student’s name;
- The name of the student’s parent or other family members;
- The address of the student or student’s family;
- A personal identifier, such as a student ID number, or biometric record;
- Other indirect identifiers, such as student’s date of birth, place of birth, and mother’s maiden name;
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
- Information requested by a person who the school or school district reasonably believes knows the identity of the student to whom the education record relates.
Directory Information: Directory information is information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. The types of personally identifiable information the school or school district has designated as directory information include, but are not limited to:
- Student's name;
- Address;
- Telephone listing;
- Electronic mail address;
- Photograph;
- Grade level;
- Date of Birth;
- Major field of study;
- Enrollment status (e.g., undergraduate or graduate, full-time or part-time);
- Participation in officially recognized activities and sports;
- Dates of attendance;
- Weight and height of members of athletic teams;
- The most recent educational agency or institution attended;
- Degrees, honors, and awards received;
- Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user;
- A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.
III. LEA RESPONSIBILITIES
The school or school district shall:
- Annually notify parents and guardians of their rights to request student information;
- Annually notify parents and guardians of its definition of personally identifiable information;
- Annually notify parents and guardians of its definition of directory information;
- Adopt procedures to ensure security when providing student records to parents or guardians;
- Adopt procedures to ensure student records and data are provided only to authorized individuals; and
- Provide student records and data within forty-five (45) calendar days of a request.
The school shall not collect individual student data on a student’s:
- Political affiliation;
- Religion;
- Voting history;
- Firearms ownership.
The school or school district shall not collect individual student data on a student’s biometrics, analysis of facial expression, EEG brain wave patterns, skin conductance, galvanic skin response, heart rate variability, pulse, blood volume, posture, and eye-tracking, without written consent of the parent or student.
IV. NOTICE FOR DIRECTORY INFORMATION
The Family Educational Rights and Privacy Act (FERPA), a Federal law, requires that Tullahoma City Schools (TCS), with certain exceptions, obtain your written consent prior to the disclosure of personally identifiable information from your child’s education records. However, TCS may disclose appropriately designated “directory information” without written consent, unless you have advised the school to the contrary in accordance with TCS procedures. The primary purpose of directory information is to allow the school or school district to include this type of information in certain school publications. Examples include, but are not limited to:
- A playbill, showing your student’s role in a drama production;
- The annual yearbook;
- Honor roll or other recognition lists;
- Graduation programs; and
- Sports activity sheets, such as for football, basketball or wrestling, showing weight and height of team members.
Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent. Outside organizations include, but are not limited to, companies that manufacture class rings or publish yearbooks. In addition, Federal law now requires the school, because it receives assistance under the Elementary and Secondary Education Act of 1965 (ESEA), to provide military recruiters, upon request, with the following information: names, addresses and telephone listings, unless parents have advised the school that they do not want their student’s information disclosed without their prior written consent.
Annually, the school or school district must notify parents and students of the information it will release as directory information, and of the parent's right to advise the school that consent for release of such information is denied. The link to this policy is your notice.
V. NOTICE OF PARENTAL RIGHTS CONCERNING EDUCATION RECORDS
The Family Educational Rights and Privacy Act (FERPA) affords parents and students who are 18 years of age or older ("eligible students") certain rights with respect to the student's education records. These rights are:
- The right to inspect and review the student's education records within 45 calendar days after the day the school or school district receives a request for access.
  Parents or eligible students who wish to inspect their child’s or their education records should submit to the school principal or designated school official a written request that identifies the records they wish to inspect. The school official will make arrangements for access and notify the parent or eligible student of the time and place where the records may be inspected.
- The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
  Parents or eligible students who wish to ask the school to amend their child’s or their education record should write the school principal or designated school official, clearly identify the part of the record they want changed, and specify why it should be changed. If the school decides not to amend the record as requested by the parent or eligible student, the school will notify the parent or eligible student of the decision and of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.
- The right to provide written consent before the school discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.
  One exception, which permits disclosure without consent, is disclosure to school officials with legitimate educational interests. A school official includes a person employed by the school or school district as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel) or a person serving on the school board. A school official may also include a volunteer, contractor, or consultant who, while not employed by the school, performs an institutional service or function for which the school would otherwise use its own employees and who is under the direct control of the school with respect to the use and maintenance of PII from education records, such as an attorney, auditor, medical consultant, or therapist; a parent or student volunteering to serve on an official committee, such as a disciplinary or grievance committee; or a parent, student, or other volunteer assisting another school official in performing his or her tasks. A school official typically has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
  Upon request, the school discloses education records without consent to officials of another school or school district in which a student seeks or intends to enroll, or is already enrolled if the disclosure is for purposes of the student’s enrollment or transfer.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the school to comply with the requirements of FERPA. The name and address of the Office that administers FERPA are:
  Family Policy Compliance Office
  U.S. Department of Education
  400 Maryland Avenue, SW
  Washington, DC 20202
VI. RESTRICTIONS ON DISCLOSURE OF EDUCATIONAL RECORDS
FERPA permits the disclosure of PII from students’ education records, without consent of the parent or eligible student, if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student, § 99.32 of the FERPA regulations requires the school to record the disclosure. Parents and eligible students have a right to inspect and review the record of disclosures. A school may disclose PII from the education records of a student without obtaining prior written consent of the parents or the eligible student under the following circumstances:
- To other school officials, including teachers, within the educational agency or institution whom the school has determined to have legitimate educational interests. This includes contractors, consultants, volunteers, or other parties to whom the school has outsourced institutional services or functions, provided that the conditions listed in § 99.31(a)(1)(i)(B)(1) - (a)(1)(i)(B)(3) are met. (§ 99.31(a)(1))
- To officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer, subject to the requirements of § 99.34. (§ 99.31(a)(2))
- To authorized representatives of the U.S. Comptroller General, the U.S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as the State Department of Education (SEA) in the parent or eligible student's State. Disclosures under this provision may be made, subject to the requirements of § 99.35, in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf, if applicable requirements are met. (§§ 99.31(a)(3) and 99.35)
- In connection with financial aid for which the student has applied or which the student has received, if the information is necessary for such purposes as to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid. (§ 99.31(a)(4))
- To State and local officials or authorities to whom information is specifically allowed to be reported or disclosed by a state statute that concerns the juvenile justice system and the system’s ability to effectively serve, prior to adjudication, the student whose records were released, subject to § 99.38. (§ 99.31(a)(5))
- To organizations conducting studies for, or on behalf of, the school, in order to: (a) develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction, if applicable requirements are met. (§ 99.31(a)(6))
- To accrediting organizations to carry out their accrediting functions. (§ 99.31(a)(7))
- To parents of an eligible student if the student is a dependent for IRS tax purposes. (§ 99.31(a)(8))
- To comply with a judicial order or lawfully issued subpoena, if applicable requirements are met. (§ 99.31(a)(9))
- To appropriate officials in connection with a health or safety emergency, subject to § 99.36. (§ 99.31(a)(10))
- Information the LEA has designated as “directory information” if applicable requirements under § 99.37 are met. (§ 99.31(a)(11))
- To an agency caseworker or other representative of a state or local child welfare agency or tribal organization who is authorized to access a student’s case plan when such agency or organization is legally responsible, in accordance with state or tribal law, for the care and protection of the student in foster care placement. (20 U.S.C. § 1232g(b)(1)(L))
- To the Secretary of Agriculture or authorized representatives of the Food and Nutrition Service for purposes of conducting program monitoring, evaluations, and performance measurements of programs authorized under the Richard B. Russell National School Lunch Act or the Child Nutrition Act of 1966, under certain conditions. (20 U.S.C. § 1232g(b)(1)(K))
Click Here to download the FERPA Opt-Out Form
Health Insurance Portability and Accountability Act (HIPAA)
Summary of the HIPAA Security Rule
This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.
Introduction:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.
Statutory and Regulatory Background:
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.
HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.
Who is Covered by the Security Rule:
The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates. For help in determining whether you are covered, use CMS's decision tool.
Read more about covered entities in the Summary of the HIPAA Privacy Rule (PDF).
Business Associates:
The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule. HHS developed regulations to implement and clarify these changes.
See additional guidance on business associates.
What Information is Protected:
Electronic Protected Health Information. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule and here (PDF). The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
General Rules:
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.
Risk Analysis and Management:
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
Administrative Safeguards:
- Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
Physical Safeguards:
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Technical Safeguards:
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Required and Addressable Implementation Specifications:
Covered entities are required to comply with every Security Rule "Standard." However, the Security Rule categorizes certain implementation specifications within those standards as "addressable," while others are "required." The "required" implementation specifications must be implemented. The "addressable" designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.
Organizational Requirements:
- Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
- Business Associate Contracts. HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.
Policies and Procedures and Documentation Requirements:
- A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
- Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).
State Law:
Preemption. In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply. “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
Enforcement and Penalties for Noncompliance:
- Compliance. The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.
- Learn more about enforcement and penalties in the Privacy Rule Summary (PDF) and on OCR's Enforcement Rule page.
Compliance Dates:
Compliance Schedule. All covered entities, except “small health plans,” must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply.
Copies of the Rule and Related Materials:
See the Combined Regulation Text of All Rules section of the HHS site for the full suite of HIPAA Administrative Simplification Regulations, and HIPAA for Professionals for additional guidance.
Protection of Pupil Rights Amendment (PPRA)
PPRA affords parents of elementary and secondary students certain rights regarding the conduct of surveys, collection and use of information for marketing purposes, and certain physical exams. These include, but are not limited to, the right to:
- Consent before students are required to submit to a survey that concerns one or more of the following protected areas (“protected information survey”) if the survey is funded in whole or in part by a program of the U.S. Department of Education (ED):
  - Political affiliations or beliefs of the student or student’s parent;
  - Mental or psychological problems of the student or student’s family;
  - Sex behavior or attitudes;
  - Illegal, anti-social, self-incriminating, or demeaning behavior;
  - Critical appraisals of others with whom respondents have close family relationships;
  - Legally recognized privileged relationships, such as with lawyers, doctors, or ministers;
  - Religious practices, affiliations, or beliefs of the student or student’s parent; or
  - Income, other than as required by law to determine program eligibility.
- Receive notice and an opportunity to opt a student out of:
  - Any other protected information survey, regardless of funding;
  - Any non-emergency, invasive physical exam or screening required as a condition of attendance, administered by the school or its agent, and not necessary to protect the immediate health and safety of a student, except for hearing, vision, or scoliosis screenings, or any physical exam or screening permitted or required under State law; and
  - Activities involving collection, disclosure, or use of personal information collected from students for marketing or to sell or otherwise distribute the information to others. (This does not apply to the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating, or providing educational products or services for, or to, students or educational institutions.)
- Inspect, upon request and before administration or use:
  - Protected information surveys of students and surveys created by a third party;
  - Instruments used to collect personal information from students for any of the above marketing, sales, or other distribution purposes; and
  - Instructional material used as part of the educational curriculum.
These rights transfer from the parents to a student who is 18 years old or an emancipated minor under State law.
TCS will directly notify parents of these policies at least annually at the start of each school year and after any substantive changes. TCS will also directly notify, via email, parents of students who are scheduled to participate in the specific activities or surveys noted below, and will provide an opportunity for the parent to opt his or her child out of participation in the specific activity or survey. TCS will make this notification to parents at the beginning of the school year if the District has identified the specific or approximate dates of the activities or surveys at that time. For surveys and activities scheduled after the school year starts, parents will be provided reasonable notification of the planned activities and surveys listed below and be provided an opportunity to opt their child out of such activities and surveys. Parents will also be provided an opportunity to review any pertinent surveys. Following is a list of the specific activities and surveys covered under this direct notification requirement:
- Collection, disclosure, or use of personal information collected from students for marketing, sales, or other distribution.
- Administration of any protected information survey not funded in whole or in part by ED.
- Any non-emergency, invasive physical examination or screening as described above.
Parents who believe their rights have been violated may file a complaint with:
Student Privacy Policy Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202