School is in session once again—and many students will return to the classroom for the first time since March 2020. School reopening policies vary from state to state but, with cases on the rise, communities want evidence that it is safe to return to school buildings. State and district leaders are dealing with a number of uncertainties, including rising COVID-19 cases and what that means for the prospect of a smooth transition into the school year. What remains clear, however, is that collecting and reporting data on school COVID-19 and vaccination rates is absolutely allowable under federal law.
We’re setting the record straight: collecting and reporting data on school COVID and vaccination rates is absolutely allowable under federal law—the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA). When we allow the public conversation to incorrectly cite federal laws as the barrier to transparency, we’re neither helping communities nor protecting privacy. It’s time for facts, not myths.
So, here are the facts:
FERPA, the nation’s primary student privacy law, protects student records and requires parental permission for the release of personally identifiable information from their child’s record. Sharing the number of COVID-19 cases in schools does not require the publication of personally identifiable information. US Department of Education guidance answers common questions about how schools can protect student privacy, while also ensuring transparency, in the time of COVID-19. The guidance answers questions about the law’s emergency exemption, which allows for personal information to be shared with public health officials on a case-by-case basis.
HIPAA governs the sharing of sensitive patient health information by healthcare providers. As with FERPA, this law does not prohibit school, district and state officials from sharing information about the number of COVID-19 cases in schools.
These resources clarify best practices for maintaining privacy during COVID-19:
- AASA, The School Superintendents Association and Future of Privacy Forum provide practical scenarios to illustrate how administrators can provide the public important information about COVID-19 cases in schools, while maintaining student data privacy.
- This Student Privacy Compass issue brief lists questions that officials should ask when it comes to administering COVID-19 health screenings. These considerations provide the basis for policies to ensure that privacy is protected, and that communities can trust institutions to share accurate data.
- The Center for Democracy & Technology lays out five steps for protecting student data privacy and equity in schools no matter where learning takes place.
- The US Department of Health and Human Services website features a frequently asked questions page about how HIPAA applies to COVID-19 vaccination status in the workplace.
And there is precedent for publicly reporting data on vaccination rates for students and adults. In fact, all 50 states currently have school entry requirements for vaccinations. These Centers for Disease Control and Prevention (CDC) resources provide more information:
- The SchoolVaxView tool allows users to view data on vaccination rates for routine vaccinations such as DTap, MMR, and Polio.
- The AdultVaxTool uses survey data to provide a landscape for adult vaccination rates for routine vaccinations. Data can be viewed at the state and county-level, and it can also be broken down by race and ethnicity.
Privacy and safety is never an either/or. When officials cite privacy laws as reasons to withhold data from the public, they erode trust. Student data privacy can be protected while shining a light on information that communities and families need to make decisions about their safety.
