New regulations promote risk of FERPA violations

I mentioned a while ago that I was going to write about FERPA violations that I see on a regular basis.  There are new regulations in New York that promote electronic record keeping by educational programs, so now seems like a good time to document some of my experiences in the last couple years related to FERPA violations.

As background I will report that I am a strong proponent of technology and I believe that technology applications provide us with excellent opportunities to improve efficiencies in service delivery.  I am not a Luddite.  Or anything even remotely similar.  However, parents should take note that educational records are not as secure as they should be.  Here is a new ruling that should make parents  be even more concerned with privacy of their educational records:

SECTIONS 200.2 and 200.4

Teacher Access to Students’ Individualized Education Programs (IEPs)

Consistent with Chapter 279 of the Laws of 2012:
Section 200.2(b)(11)(i) provides that, in lieu of providing a paper or electronic copy of the IEP, school district policy may provide that the student’s teachers, related service providers and other service providers have access to a copy of a student’s IEP electronically; and that if the policy provides that the IEP is to be accessed electronically, the policy must ensure that the individuals responsible for the implementation of the IEP are notified and trained on how to access the IEP electronically.
200.2(b)(11)(i) each regular education teacher, special education teacher, related service provider and/or other service provider, as defined in clause (a) of this subparagraph, who is responsible for the implementation of a student’s individualized education program (IEP) is provided a paper or electronic copy of such student’s IEP, including amendments to the IEP, made pursuant to section 200.4(g) of this Part, prior to the implementation of such program or shall be able to access such student’s IEP electronically.  If the policy provides that students’ IEPs are to be accessed electronically, then such policy shall also ensure that the individuals responsible for the implementation of a student's IEP shall be notified and trained on how to access such IEPs electronically

 In simple terms, there will probably be even fewer paper copies of IEPs floating around - and greater reliance on using the electronic record.  For the vast majority of cases in NY, that means that the www.iepdirect.com website will be relied upon even more for communication and documentation of educational records.

For purposes of educating the public, I will outline common ways that school districts and their agents commonly violate FERPA law.  These are not exaggerated in any way and I do not list them to stir any local pot.  This is just fact and is my direct experience.

1. Some school districts do not have controlled procedures for 'assigning' children to providers within the IEP Direct system.  That means that when I log onto the IEP Direct system that I have FULL access to EVERY child who receives special education services in the entire district.  It is standard practice to restrict viewing only to those children that a provider has responsibility for.  In one district I not only have access to every preschool child (I am a preschool provider) but I also have access to every school age child!  I have brought this issue to the district's attention for as many years as they have had the IEP Direct system in place, and they don't fix it.

What does full access mean?  Well, I can view a child's IEP, every evaluation that was completed on a child - including the social history that sometimes includes information that is particularly sensitive.  That information is helpful if I am your child's service provider - but it is not information that should be freely available to anyone who happens to have access to the system.

2. During a recent Department of Health Early Intervention audit we experienced a FERPA violation on the part of IPRO, the auditing agency (rather ironic, as their purpose is to make sure that PROVIDERS don't engage in such errors).  In preparation for their audit IPRO sent my agency a list of children who we had never seen through the early intervention program.  We recognized some names because we knew the children through the CPSE special education system.  However, we were not aware (prior to the release of information) that they were previously in the Early Intervention Program - apparently some of the children were seen by another agency - or they were just working off of a preschool database and not an early intervention database.  Who knows - but when we brought this to their attention IPRO informed us that they made a 'database error' and sent a revised list of children.  We were also informed of 'staffing changes' and that a different person would be completing our audit - I am not sure if this was related to the FERPA violation.

3. A billing manager for a rather large school district routinely sends out distribution list requests to service providers.  In response, it is common for a provider to respond with specific student data and send out their information to every agency on the distribution list - and then the district would re-re-disclose the same confidential information by forwarding it all to everyone on the list as an exemplar of how to handle the concern that the original district had!  I don't think that many parents would like it if they knew that their child's data was disclosed as part of an exemplar.

4. An agency who provides coordination services works with multiple providers would routinely violate FERPA with emails listing meeting dates for children - and the lists would include multiple children who were all being seen by different agencies.  That means that although I had interest in one child on that list - I certainly was not supposed to be privy to the data of the other 30 children!

5. The last example I want to talk about also relates to our last IPRO audit.  We were found to have a deficiency on our release of information form because we did not have a space on the form that listed WHY information was being transmitted.  I told the reviewer that I did not want to include this information because in my opinion it was not my business to know why a parent would want information transmitted.  Interestingly, the auditor looked at it a totally different way - they indicated that this information needs to be on the form because parents have a right to know MY purposes when I am asking THEM for permission to send their data to other places.  This was a real juxtaposition - the auditor's automatic assumption was that I was the origination for releasing information and I had a responsibility to tell families why I was sending their information out.   In fact, I would NEVER ask a family to send information somewhere - I would only send it where THEY told me to send it!  And it is none of my business to know why they want me to send it somewhere!!!  This is a real illustration of a fundamental problem with the way this process is viewed.  For the record, I complained to the State about this requirement but I have not heard back from them about this  yet.

Parents should know that when they receive services in early intervention and school systems that there is great risk to the privacy of those records.  New regulations that promote use of electronic communication technology are likely to increase the risk of FERPA violation.

Is this a big deal?  YES!  It does not matter if the data released 'only' indicates that a child is receiving occupational therapy.  Your child's educational records are supposed to be private and you should have the expectation that information is not released.

In my opinion these types of FERPA violations don't occur out of malice but they do occur out of carelessness, out of a disregard for the sensitive nature of the information, and out of a warped sense of who should be initiating the release of information.  The frequency and magnitude of these violations is significant.  Parents should demand more accountability from their districts and providers when it comes to privacy of educational records.

Comments

Cheryl said…
I agree that #1 seems to be a prevalent error. In our system since the therapists were migrant and had multiple schools to cover (or a different professional would cover an IEP meeting than the one who evaluated the child) everyone had access to every child in the district. However, the computer maintains a record of who has accessed, which is visible to all users. I imagine that could come with similar consequences as looking up a hospital record you were not permitted to see, that if an audit was performed they could determine if a provider was accessing too many records or one that was not appropriate for them. in hospital cases that usually doesn't happen except for high profile cases, employees, or the occasional random audit so it's certainly not foolproof. Maybe if the parent could see the list of who accessed the record change would be quicker in coming.
10:33 AM
Christopher J. Alterio said…
Thanks for your comment, Cheryl. I am not sure if this particular system tracks 'views' but I am aware that it tracks edits.

One concern that I have though is that even having the child's name 'viewable' is a FERPA violation in itself because the child's presence on the list indicates that they are actively open within the special education system. That information should not be openly transmitted.

I think that we have to improve human systems and basic understanding of privacy laws in order to keep up with the pace of our technologies.
1:05 PM
Your Therapy Source Inc said…
I certainly understand your concerns. Although for myself, I work in NY and only have access to the students on my caseload on IEP direct. If my caseload changes I have to request the new child to be added and when a child leaves he/she is automatically removed.
10:02 PM
Post a Comment

Popular posts from this blog

Deconstructing the myth of clothing sensitivity as a 'sensory processing disorder'

Please note first that there is no formally recognized clinical designation of  'sensory processing disorder.'   It is a term constructed by occupational therapists that has not been formally recognized by the larger medical community. In our clinic we receive many referrals from local pediatricians when parents have concerns about children being overly sensitive to their clothing.  Most often the children referred are from four to seven years old and the families are severely disrupted by the children's behaviors and responses to clothing issues.  Commonly, children will have severely constricted tolerance for certain outfits, want to wear the same clothes repeatedly, complain that clothing is itchy/scratch/bumpy/wiggly/ouchie, and this all leads to disruption of daily dressing routines.  There is no doubt that the behavioral concerns are very real. The pediatricians tend to be appropriately conservative and provide families with good behavioral management suggestions
Read more

On retained primitive reflexes

Each year I receive several emails from colleagues about 'retained primitive reflexes.'  I am also seeing an increased number of reports from local 'health care' providers who are documenting these alleged problems so I thought I would write a summary of my opinion on this topic.   Predatory 'health care' providers including some OTs, PTs, chiropractors, and behavioral optometrists are creating a new 'market' for treating this alleged 'problem.'  Parents should be very wary of these practitioners and other professionals should challenge these practices whenever they are seen. The following is the kind of information that causes concern and was provided to me by a colleague as a sample from a student's IEP: The student continues to demonstrate the following retained primitive reflexes that at times interfere with his ability to demonstrate appropriate adaptive responses: Fear Paralysis Reflex, Moro Reflex, Palmer Reflex, Tonic Labyri
Read more

Twenty years of SIPT - where do we go next?

Standardized tests are periodically discarded or updated because the normative group that the test was developed around may have changed characteristics. I am unaware of any 'industry standards' regarding the life expectancy of standardized tests; rather, professionals in a field tend to come to consensus about the relative usefulness of tests on their own. I would be interested in knowing what other therapists think about the Sensory Integration and Praxis Tests - which were published in 1989. I became certified in the administration of these tests seventeen years ago. At first I found them highly useful but the more I gave the tests the more I understood the limitations. Now it has gotten to a point where I do my best to discourage people when they ask for this test - not just because of the inherent weaknesses of the test construction but also because of how old the norms are. There have been some legitimate concerns with the tests including extremely poor test-retest re
Read more