The HIPAA of Education

Did you see the University of Minnesota football team’s bowl game boycott? Believe it or not, it could have a major effect on you and your children’s future and privacy.

Ten Minnesota players were suspended from their bowl game because of an investigation into an alleged sexual assault. When the players asked for the reason behind the suspensions, they were told the details of the case were unavailable. Thinking that their teammates were not being given a fair process, the rest of the team boycotted their bowl game. The players were eventually told the details of the investigation, and once they heard what may have happened they immediately ended their boycott. But why should you care about Minnesota football? And what does their boycott have to do with your cybersecurity?

Because the Minnesota football story shows just how out of date FERPA is.

The Family Educational Rights and Privacy Act (FERPA) was passed in 1974 to make sure students’ educational records would only be seen by the right eyes. But the problem is that the law doesn’t clearly define what a student record is. For example, the football players were not told why their teammates were suspended because the details of the investigation were classified as student records. And that means that no one but the student, since the individual was over 18, had the right to decide who could see the details.

The result? You get a whole football team thinking their teammates are being suspended for no reason. But that’s not the only reason FERPA is due for major rewrites.

FERPA was written in 1974 when student records were actual paper files locked away in a school basement. Clearly, that’s not how modern schools work today. Student records are digital files that can be accessed not just by school officials but also by students and parents through online portals. And whenever there is access to digital files from home computers or mobile devices, the risk for cybercrime skyrockets. When anyone can access something remotely, whatever malware is on their devices can be introduced to the host network the moment they log in.

Just look at the medical industry, for example. HIPAA is a strict set of guidelines to ensure that a patient’s medical records are never seen by anyone other than the patient, and if a hospital or practice doesn’t comply they will be swamped with fines that start in the thousands and only go up. The threat of cybercrime is simply too high today to not have a strong security standard in place.

And what do schools have? They have an act passed in 1974 that hasn’t had any major amendments for cybersecurity.

That’s the bad news. The good news is changes are coming down the pipeline. The H.R. 3157 – Student Privacy Protection Act is a bill in the Senate that will update FERPA and make it compliant with modern cybersecurity threats. Some of the major changes the bill would make are giving education authorities the rights to enforce compliance, making educational agencies have an official responsible for the security of student records, and authorizing fines ranging from $100 to $1.5 million.

In the 40+ years that FERPA has been law, no school has ever been found in violation of the law. It will be a while until the Student Privacy Protection Act passes through Congress, but you can be sure that when it does, schools across the country will be scrambling to become compliant with cybersecurity standards they’ve never dealt with before. If you want yourself, your children, and your children’s school to be a step ahead, inform yourself on everything that’s happening in the cybersecurity world. That way you won’t be scrambling for cover when the HIPAA of education comes to town.
