Family Educational Rights and Privacy Act (FERPA)

FERPA is the Family Education Rights and Privacy Act of 1974, also known as the “Buckley Amendment”. FERPA is a federal law designed to protect the privacy of a student’s education records and prohibits the University from disclosing information from those records without the written consent of the student. The law applies to all schools which receive funds under applicable programs from the U.S. Department of Education.

What rights does a student have under FERPA?

The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records. Those rights are the following:

  1. The right to inspect and review the student’s education records within 45 days of the day the University receives a request for access.
  2. The right to request an amendment of the student’s education records that the student believes to be inaccurate or misleading.
  3. The right to consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent.

The right to file a complaint with the U.S. Department of Education concerning alleged failures by Maryland University of Integrative Health (MUIH) to comply with the requirements of FERPA. The name and address of the office that administers FERPA is

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-4605

When does FERPA begin at MUIH?

For newly admitted students, FERPA becomes effective once the credentials for My MUIH and your MUIH email have been issued. Persons who apply to the university and are not accepted are not covered by FERPA.

What is an education record?

Education records are all records that directly relate to a student and are maintained by an institution. These records may be in any format: electronic, handwritten, printed, typed, film, microfiche, etc. FERPA does not extend to information gained by personal observation or, in some circumstances, information learned from others. 

Examples of education records include but are not limited to: 

  • advising notes
  • student email  
  • grades, tests, class schedules
  • employment records for student jobs,
  • financial aid documents and documents that relate to a student’s account including billing.
  • student disciplinary records
  • application for admissions, transcripts, and test scores of students who have confirmed at MUIH

Except as provided by law, MUIH will not release personally identifiable information from the student’s record without the student’s prior consent. “Student” applies to all students, including continuing education students, students auditing classes, distance education students, and former students.

What is not an education record?

Records not considered part of an education record include but are not limited to:

  • sole possession records that are used by an individual to serve as a “memory jogger” for the creator of that record
  • law enforcement unit records 
  • medical treatment records that include, but are not limited to records maintained by physicians, psychiatrists, and psychologists.
  • alumni records (information obtained from a former student after graduation)

Who is considered a school official?

FERPA provides one exception to disclosure without consent and that is to a school official with a legitimate educational interest. A school official is a person employed by the University in an administrative, supervisory, academic, research, or support staff position; a person or company with whom the University has contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. Upon request, MUIH discloses education records without consent to officials of another school in which a student seeks enrollment or intends to enroll.

What constitutes legitimate educational interest?

FERPA permits university employees to have access to student education records in which they have a “legitimate educational interest.” Such access does not require prior written consent of the student. Legitimate educational interest is considered necessary for employees to carry out their job. Important points pertaining to “legitimate educational interest include:

  • Curiosity is not legitimate educational interest. Having access to student education records does not equate to license to access them.
  • Employment by MUIH does not constitute legitimate educational interest. Accessing student education records must be related to your job responsibilities in support of the University’s educational mission.
  • Any person with access to student records, regardless of title or status, should consider educational need to know before accessing a record.  Just because you can, doesn’t mean you should. School officials should ask yourself: Do you need that information to do your job?

What is considered directory information at MUIH?

Directory information is information contained in the education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed. FERPA permits the disclosure of directory information without a student’s consent unless that student has prohibited the release of the information. 

 At MUIH the following is considered directory information:

  • name
  • major field of study
  • participation in officially recognized activities
  • degrees, honors, awards
  • dates of attendance
  • enrollment status (full-time/part-time)
  • email

Can a student block their directory information from being released?

Currently enrolled students may withhold the disclosure of directory information under FERPA. To withhold disclosure, students must speak with the Registrar’s Office and complete the appropriate form. Once the form has been completed, all directory information will be withheld until the student notifies the Registrar’s Office in writing to cancel the request.

Students are advised that blocking the release of directory information results in the following:

  • Student name is excluded from printed material and electronic such as commencement programs or MUIH articles.
  • Student name, email, and photo will be removed from the Microsoft Outlook email directory.
  • Enrollment and degree awarded inquiries from third parties, including potential employers and insurance companies, will neither receive a confirmation of enrollment nor a graduation verification. 
  • No Information will be released to any person(s) on the telephone or via email.
  • No information will be automatically released to the National Student Clearinghouse for loan deferment purposes.
  • Address changes must be made by the student only, in person at the Registrar’s office, or by mailing a written request along with a copy of photo identification to the Registrar’s office.
  • It is important to note that a student’s request for confidentiality does not permit the student to be anonymous in the classroom (including an online “classroom”) nor to impede or be excluded from classroom communication.

What student information needs to be handled securely?

All educational records directly related to a student and maintained by the institution should be handled securely. Registration forms, grades and transcripts, student information displayed on a computer screen, student schedules, class assignments, class rosters, and any electronic or paper document with the student’s ID or grades on it are all education records and should be handled with FERPA and data security in mind.

What security measures should be taken to protect student data?

  • Always confirm the identity of a student whether speaking with them on the phone or in person. Contact the Registrar’s Office for further guidance if needed.
  • Shred any confidential information. Do not place it in the trash can.
  • Do not save student data on personal computers or unapproved discs or drives.
  • Refer requests for information from the education record of a student to the proper record custodian (e.g., Registrar, Student Accounts, Financial Aid, Student Affairs, etc.)
  • Only use the MUIH e-mail account to send and receive information for students, faculty, and staff.

Is it okay to send sensitive data via e-mail?

E-mail is not a secure method of transmitting sensitive data. Restricted information such as grades, or personally identifiable information such as a social security number should never be sent through e-mail. Please take care not to forward or reply to emails which are sent to you containing sensitive data without removing such data prior to transmission.

All faculty, staff, and students should only use their MUIH e-mail account to send and receive information. Faculty and staff should only send communications to students via both parties’ password protected MUIH accounts (email or the Canvas classroom message function). Further questions regarding e-mail security should be addressed to the Office of Information Technology

What are faculty responsibilities regarding FERPA?

Faculty are responsible for controlling access and protecting the student records they access or possess. Tips for faculty include:

  • be conscious and aware of others who may be able to overhear your conversations or see your computer screen; 
  • only send communications to students through both parties’ password protected MUIH accounts (email or the Canvas classroom message function)
  • never provide anyone with student information, including schedules;
  • keep confidential papers in password protected electronic devices or locked filing cabinets and shred rather than trash. 
  • post final grades in Canvas and refer students there should the student have questions about their grade. 
  • never publically post grades in physical locations in class or online.
  • be sensitive to student privacy; decline requests from third parties—please refer them to the Registrar’s Office; 
  • never volunteer confidential information in letters of recommendation without first getting specific written consent from the student.
  • when in doubt, reach out and contact the Registrar’s Office.

How should faculty and staff handle letters or recommendations or reference letters?

Do not include any non-directory information in a recommendation or reference letter unless you are specifically authorized to do so by the requesting student. The student must request the release of this information in writing.

Do FERPA rights cease?

Students’ FERPA rights do not cease after enrollment ends or the student graduates. Former students have the same rights as currently attending students. Under common law regarding privacy rights, the privacy interests of an individual expire with death. Information that a former student provides as an alumni is not subject to FERPA.

What should you do if you receive a subpoena for a student records?

If you receive a subpoena regarding a student’s education record, please contact the Registrar’s Office before you respond. There are FERPA regulations that the University must comply with before responding to subpoenas or court orders.

Are student workers bound by FERPA guidelines?

Yes. Student employees of the University are under the same obligation to uphold FERPA rights and regulations as faculty and staff. Student employees with access to student records must complete the FERPA training provided by the Office of Human Enrichment.

Who can provide further information about FERPA?