Monday, January 14, 2013

New regulations promote risk of FERPA violations

I mentioned a while ago that I was going to write about FERPA violations that I see on a regular basis.  There are new regulations in New York that promote electronic record keeping by educational programs, so now seems like a good time to document some of my experiences in the last couple years related to FERPA violations.

As background I will report that I am a strong proponent of technology and I believe that technology applications provide us with excellent opportunities to improve efficiencies in service delivery.  I am not a Luddite.  Or anything even remotely similar.  However, parents should take note that educational records are not as secure as they should be.  Here is a new ruling that should make parents  be even more concerned with privacy of their educational records:

SECTIONS 200.2 and 200.4

Teacher Access to Students’ Individualized Education Programs (IEPs)

Consistent with Chapter 279 of the Laws of 2012:
Section 200.2(b)(11)(i) provides that, in lieu of providing a paper or electronic copy of the IEP, school district policy may provide that the student’s teachers, related service providers and other service providers have access to a copy of a student’s IEP electronically; and that if the policy provides that the IEP is to be accessed electronically, the policy must ensure that the individuals responsible for the implementation of the IEP are notified and trained on how to access the IEP electronically.
200.2(b)(11)(i) each regular education teacher, special education teacher, related service provider and/or other service provider, as defined in clause (a) of this subparagraph, who is responsible for the implementation of a student’s individualized education program (IEP) is provided a paper or electronic copy of such student’s IEP, including amendments to the IEP, made pursuant to section 200.4(g) of this Part, prior to the implementation of such program or shall be able to access such student’s IEP electronically.  If the policy provides that students’ IEPs are to be accessed electronically, then such policy shall also ensure that the individuals responsible for the implementation of a student's IEP shall be notified and trained on how to access such IEPs electronically

 In simple terms, there will probably be even fewer paper copies of IEPs floating around - and greater reliance on using the electronic record.  For the vast majority of cases in NY, that means that the website will be relied upon even more for communication and documentation of educational records.

For purposes of educating the public, I will outline common ways that school districts and their agents commonly violate FERPA law.  These are not exaggerated in any way and I do not list them to stir any local pot.  This is just fact and is my direct experience.

1. Some school districts do not have controlled procedures for 'assigning' children to providers within the IEP Direct system.  That means that when I log onto the IEP Direct system that I have FULL access to EVERY child who receives special education services in the entire district.  It is standard practice to restrict viewing only to those children that a provider has responsibility for.  In one district I not only have access to every preschool child (I am a preschool provider) but I also have access to every school age child!  I have brought this issue to the district's attention for as many years as they have had the IEP Direct system in place, and they don't fix it.

What does full access mean?  Well, I can view a child's IEP, every evaluation that was completed on a child - including the social history that sometimes includes information that is particularly sensitive.  That information is helpful if I am your child's service provider - but it is not information that should be freely available to anyone who happens to have access to the system.

2. During a recent Department of Health Early Intervention audit we experienced a FERPA violation on the part of IPRO, the auditing agency (rather ironic, as their purpose is to make sure that PROVIDERS don't engage in such errors).  In preparation for their audit IPRO sent my agency a list of children who we had never seen through the early intervention program.  We recognized some names because we knew the children through the CPSE special education system.  However, we were not aware (prior to the release of information) that they were previously in the Early Intervention Program - apparently some of the children were seen by another agency - or they were just working off of a preschool database and not an early intervention database.  Who knows - but when we brought this to their attention IPRO informed us that they made a 'database error' and sent a revised list of children.  We were also informed of 'staffing changes' and that a different person would be completing our audit - I am not sure if this was related to the FERPA violation.

3. A billing manager for a rather large school district routinely sends out distribution list requests to service providers.  In response, it is common for a provider to respond with specific student data and send out their information to every agency on the distribution list - and then the district would re-re-disclose the same confidential information by forwarding it all to everyone on the list as an exemplar of how to handle the concern that the original district had!  I don't think that many parents would like it if they knew that their child's data was disclosed as part of an exemplar.

4. An agency who provides coordination services works with multiple providers would routinely violate FERPA with emails listing meeting dates for children - and the lists would include multiple children who were all being seen by different agencies.  That means that although I had interest in one child on that list - I certainly was not supposed to be privy to the data of the other 30 children!

5. The last example I want to talk about also relates to our last IPRO audit.  We were found to have a deficiency on our release of information form because we did not have a space on the form that listed WHY information was being transmitted.  I told the reviewer that I did not want to include this information because in my opinion it was not my business to know why a parent would want information transmitted.  Interestingly, the auditor looked at it a totally different way - they indicated that this information needs to be on the form because parents have a right to know MY purposes when I am asking THEM for permission to send their data to other places.  This was a real juxtaposition - the auditor's automatic assumption was that I was the origination for releasing information and I had a responsibility to tell families why I was sending their information out.   In fact, I would NEVER ask a family to send information somewhere - I would only send it where THEY told me to send it!  And it is none of my business to know why they want me to send it somewhere!!!  This is a real illustration of a fundamental problem with the way this process is viewed.  For the record, I complained to the State about this requirement but I have not heard back from them about this  yet.

Parents should know that when they receive services in early intervention and school systems that there is great risk to the privacy of those records.  New regulations that promote use of electronic communication technology are likely to increase the risk of FERPA violation.

Is this a big deal?  YES!  It does not matter if the data released 'only' indicates that a child is receiving occupational therapy.  Your child's educational records are supposed to be private and you should have the expectation that information is not released.

In my opinion these types of FERPA violations don't occur out of malice but they do occur out of carelessness, out of a disregard for the sensitive nature of the information, and out of a warped sense of who should be initiating the release of information.  The frequency and magnitude of these violations is significant.  Parents should demand more accountability from their districts and providers when it comes to privacy of educational records.


Cheryl said...

I agree that #1 seems to be a prevalent error. In our system since the therapists were migrant and had multiple schools to cover (or a different professional would cover an IEP meeting than the one who evaluated the child) everyone had access to every child in the district. However, the computer maintains a record of who has accessed, which is visible to all users. I imagine that could come with similar consequences as looking up a hospital record you were not permitted to see, that if an audit was performed they could determine if a provider was accessing too many records or one that was not appropriate for them. in hospital cases that usually doesn't happen except for high profile cases, employees, or the occasional random audit so it's certainly not foolproof. Maybe if the parent could see the list of who accessed the record change would be quicker in coming.

Christopher Alterio said...

Thanks for your comment, Cheryl. I am not sure if this particular system tracks 'views' but I am aware that it tracks edits.

One concern that I have though is that even having the child's name 'viewable' is a FERPA violation in itself because the child's presence on the list indicates that they are actively open within the special education system. That information should not be openly transmitted.

I think that we have to improve human systems and basic understanding of privacy laws in order to keep up with the pace of our technologies.

Your Therapy Source Inc said...

I certainly understand your concerns. Although for myself, I work in NY and only have access to the students on my caseload on IEP direct. If my caseload changes I have to request the new child to be added and when a child leaves he/she is automatically removed.