Silverbrook Elementary School (SES), in Fairfax Station, Virginia, has a history of sharing personally identifiable information about students, which is a violation of the Family Educational Rights and Privacy Act (FERPA). (See “Worried About Hackers? FCPS has Been Breaching Studentsâ€™ and Staffâ€™s Privacy for Years“, “FERPA Violation: Silverbrook Elementary School Studentsâ€™ Privacy Violated; Behind the Scenes, Choosing Students to â€œEnrichâ€” and “Silverbrook ES Principal Advises Staff Member: â€œNo Paper/Email Trailâ€“)
On at least two occasions, since 2015, Fairfax County Public Schools (FCPS) has provided SES “FERPA/confidentiality training”.
Looks like SES needs more.
As the 2019-20 school year winded down, SES created a public sign-up sheet for medication pick up.
The sign-up form was accessible by anyone with the link, which turned it into a public list of children taking medication.
Medication is the business of no one outside the parents, the children taking medication, and the individuals at the school who have to have this information.
At the elementary school level, health-related information is usually included in education records, which makes this information protected under the Family Educational Rights and Privacy Act (FERPA), rather than under HIPAA.
The U.S. Department of Health and Human Services advises:
In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition â€œeducation recordsâ€ under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.
Among other things, FERPA affords parents (and students once they turn 18) “some control over the disclosure of personally identifiable information from the education records.”
The U.S. DOE defines “education records” as:
Records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. These records include but are not limited to grades, transcripts, class lists, student course schedules, health records (at the K-12 level), student financial information (at the postsecondary level), and student discipline files. The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.
5.12.20, SES sent its first email, asking parents to use Sign-Up Genius to pick up medication. This email went to both families with medication and w/out medication at the schoolâ€”and gave everyone access to the link to access this information.
Click on the image above, to access the site on which this email still resides.
5.15.20, SES sent a reminder email to parents, asking them to sign up for medication pick-up.
Although some parents were comfortable signing up to the form and listing their name, their child’s name, and in some cases, even the medication, it doesn’t change the fact that they shouldn’t have been in that position.
5.18.20, SES sent out another email, this time specifically to parents it knew had medication at the school, and asked that the parents sign up for a pick-up slot. So, it wasn’t enough that SES sent two general emails, it then thought it appropriate to have a front-office staff member email parents, again making it clear that SES wanted everyone to sign up using its form.
Not one of these families should have been put in this positionâ€”and more than one was uncomfortable with SES’ approach.
Since FCPS has provided FERPA/confidentiality training a number of times at this point, perhaps leadership needs to be addressed.