What is FERPA and who does it protect? HIPAA vs FERPA

What is FERPA?


With each passing year, the amount of data educational institutions collect continues to grow. While there’s nothing inherently wrong with this, there are a few risks that require more stringent regulation and oversight.

Educational institutions and agencies should maintain a certain level of privacy and ensure reliable data protection of their students. This is where FERPA comes in. So, what does FERPA mean for students, and how does it fare compared to HIPAA? More importantly, how to ensure FERPA compliance? Read on and find out.

What Is FERPA and Who Does it Protect?

FERPA is an abbreviation for the Family Educational and Privacy Act. This law’s main role is to protect the privacy of student education records. It enables students to inspect and review their education records and change misleading and inaccurate data.

Under FERPA, aspects like scores and grades on exams, deficiencies in specific subject areas, and overall progress are all defined as personally identifiable information. Parents can only access this protected information under the student’s written authorization.

And, at the post-secondary level, parents don’t have any right to inspect the children’s education records. This right becomes strictly limited to the student to whom the information pertains.

Is FERPA a Federal Law?

Yes, FERPA is a federal law, meaning that it covers all US states equally, without any exceptions. It applies to any public or private elementary, secondary, or post-secondary school that gets funds from the US Department of Education.

When Was FERPA Enacted?

FERPA was enacted on August 21, 1974, by then-president Ford. This act made a big impact right after it was signed into law and alarmed colleges and universities about how it pertains to higher education. This led to the first amendment just a few months after it was enacted, in December 1974.

The December 1974 amendments mainly clarified ambiguous language and defined some rules and regulations more precisely. They further strengthened the rights of students and provided them with tangible tools to challenge content and correct misleading or inaccurate information.

There were several big amendments in the following decades, primarily in 1998, 2008, and 2013. With the onset of the COVID-19 pandemic, FERPA also included some exceptions to its general immunization and health records.

To be more precise, it added a “health and safety emergency” exception that changes the general consent rule. This exception allows educational institutions and agencies to disclose personally identifiable information without the individual's prior consent.

FERPA Student Rights

So, to fully understand the importance of FERPA for students, we should go over all of the rights students and parents have under this act. Here’s an overview of FERPA students' rights:

  • Transparent oversight of educational records
  • Corrections and amendments to the existing records
  • Setting rules on who can see the records

When the child turns 18, all of these FERPA rights are transferred from the parents onto the student. Of course, besides the rights, it’s important to discuss the limitations FERPA imposes on the parents and students. With this in mind, sometimes, the educational institution is allowed to release information without consent. This includes scenarios like:

  • Legitimate educational interest from school officials
  • Health and safety emergencies
  • Juvenile justice system proceedings
  • Transfer from one school to another


While both present crucial federal laws that protect the privacy and security of individuals, HIPAA and FERPA have some discernible differences that are worth noting. The main difference is that HIPAA applies to the healthcare industry, while FERPA applies to the education industry.

Secondly, the two acts also have different compliance rules. More accurately, FERPA applies to any elementary, secondary, or post-secondary public or private school. It also applies to any state or local education agency that receives funds from the US Department of Education, as we’ve mentioned before.

In comparison, HIPAA compliance rules apply to healthcare providers, health plans, healthcare clearinghouses, and other business associates that act on behalf of any covered entities in the healthcare industry.

Looking at the protected information, FERPA protects the students’ education records. This includes any information that directly relates to any student. In this sense, HIPAA also sits on the same branch in terms of protected information, only focusing on it from a healthcare perspective. More specifically, it protects individually identifiable health information.

Lastly, we should compare HIPAA and FERPA through the lens of the two acts’ permitted disclosures. We’ve already discussed the permitted disclosures according to FERPA. In the context of HIPAA, information disclosures are allowed to the individual for treatment, payment and healthcare operations, public interest, and other limited opportunities. 

How to Maintain HIPAA / FERPA Compliance

It’s essential for educational institutions’ IT departments to have a firm grasp of FERPA compliance rules, as they are responsible for storing and securing all valuable student information. According to the Infosec Institute, the best practices for IT departments to ensure FERPA or HIPAA compliance include:

  • Ensuring data encryption on physical devices
  • Detecting and resolving any potential weaknesses in the institution’s IT infrastructure
  • Regular monitoring to prevent outside breaches and internal user mistakes
  • Keeping up with the latest FERPA/HIPAA amendments and updates

Complying with both HIPAA and FERPA takes quite some time and research. You need to consult legal counsel, find out what applies to your institution, create policies, and educate your staff on the latest HIPAA / FERPA compliance.

How Hideez Can Help Ensure FERPA Compliance

If your goal is to maintain compliance with the latest FERPA standards, the Hideez Authentication Service provides you with all of the tools to do so. Consisting of four core components, it can keep your organization and students safe from any privacy risks. Here are the four main elements of the Hideez Authentication Service:

  • Hideez Server - allows IT admins to grant or restrict access to individuals without compromising user data. It delivers convenient and secure passwordless FIDO2 authentication and 2FA.
  • Hideez Authenticator - a free mobile app available on Android and iOS that transforms the user’s mobile device into a personal security token. It enables students or teachers to use biometrics or unique one-time QR codes to sign into their accounts quickly.
  • Hideez Keys - an optional element of the Hideez Authentication Service, this is a physical security key with a handful of helpful features. It possesses features like passwordless authentication, password management and autofill, one-time password generating, proximity lock/unlock capabilities, and RFID tag properties.
  • Hideez Client - reliable client software for Windows PCs with full password management and proximity authentication functionality.

With the above in mind, we can say that the Hideez Authentication Service brings a number of distinct benefits. All of the data is kept on physical devices in the form of the Hideez security key or the Hideez Authenticator, which you set up on your mobile device. This allows for remote access control and privileged access management.

Moreover, your staff gets access to affordable and time-saving technology in the form of fast and secure passwordless logins. From a security standpoint, Hideez protects you against fake phishing emails, spoofing, and man-in-the-middle attacks.

And most importantly, in the context of this article, you get compliance with modern security and privacy standards like FERPA, CIPA, NIST, and FIPS 140-2. Schedule a personalized demo call with our expert or request a free 30-day trial right away!

Related Posts