David Cruz · Schools & Compliance · 12 min read

FERPA Guide for School-Based ABA - What Every District Needs to Know

Understand how FERPA protects behavioral data in schools, how it differs from HIPAA, and what to look for in compliant ABA data collection apps.

Key Takeaways

Student behavioral health records in schools fall under FERPA, not HIPAA. Schools are not HIPAA-covered entities for student education records. FERPA protects IEPs, Behavior Support Plans (BSPs), behavioral data, evaluations, and medication records. Parents have the right to inspect, review, and request corrections to these records. When students turn 18, these rights transfer to them. When selecting ABA data collection software, districts need vendors that operate as “school officials” under their direct control with proper agreements governing data use.

If you’re a school administrator, special education director, or BCBA working in schools, understanding FERPA is essential. Not just because compliance matters - but because families trust you with sensitive information about their children.

This guide covers what FERPA protects, how it differs from HIPAA, parent rights, disclosure exceptions, and what to look for when evaluating behavior data collection apps for your district.


What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. It applies to all schools and districts that receive funding from the U.S. Department of Education - which includes virtually all public K-12 schools.

FERPA gives parents three core rights:

  1. Access - The right to inspect and review their child’s education records
  2. Amendment - The right to request corrections to inaccurate or misleading records
  3. Control - The right to consent before the school discloses personally identifiable information (PII) from education records

When a student turns 18 or enrolls in a postsecondary institution, these rights transfer from the parent to the student (called an “eligible student”). For students with disabilities, the age-of-majority transfer may be governed by state law and the student’s guardianship status.


What Records Does FERPA Protect?

FERPA covers any record maintained by the school that contains personally identifiable information about a student. For special education and ABA programs, this includes:

| Record Type | Examples |
| --- | --- |
| Evaluations | Psychological assessments, functional behavior assessments (FBAs), speech/language evaluations |
| IEPs and 504 Plans | Goals, accommodations, service minutes, progress reports |
| Behavioral Records | Behavior Support Plans (BSPs), Behavior Intervention Plans (BIPs), ABC data, session notes |
| Progress Data | Mastery criteria tracking, behavioral graphs, skill acquisition data |
| Medication Records | Administration logs, health plans related to behavior |
| Disciplinary Records | Incident reports, suspension records, manifestation determinations |
| Communication | Emails, notes, and correspondence about the student |

The key principle: if a record is maintained by the school and identifies a specific student, FERPA applies.


FERPA vs. HIPAA - The Critical Distinction

Here’s what many school staff don’t realize: HIPAA does not apply to most student health and behavioral records in schools.

The U.S. Department of Education and the Department of Health and Human Services have issued joint guidance clarifying that the HIPAA Privacy Rule specifically excludes education records covered by FERPA from its definition of protected health information (PHI). In practice, this means student records maintained by a school as part of the education record are governed by FERPA, not HIPAA - even if they contain health or behavioral information.

```mermaid
flowchart LR
    A(Health/Behavioral Record) --> B{Who maintains it?}
    B -->|School| C{HIPAA covered entity?}
    B -->|Outside provider| D(HIPAA applies)
    C -->|No - most schools| E(FERPA applies)
    C -->|Yes - bills Medicaid| F{Part of education record?}
    F -->|Yes| E
    F -->|No| D

    style E fill:#d4edda,stroke:#28a745
    style D fill:#f8d7da,stroke:#dc3545
```

Note: Some schools employ healthcare providers (such as nurses or therapists) who bill Medicaid directly. In these rare cases, the school may be a HIPAA-covered entity for those specific treatment records that are not part of the student’s education record. When in doubt, consult your district’s legal counsel.

FERPA vs. HIPAA Comparison

| Aspect | FERPA | HIPAA |
| --- | --- | --- |
| Applies to | Schools receiving federal education funds | Healthcare providers, health plans, clearinghouses |
| Protects | Education records | Protected health information (PHI) |
| Student records in schools | Yes - primary law | No - education records excluded from PHI |
| Consent required for disclosure | Yes, with exceptions | Yes, with exceptions |
| Parent access rights | Yes, until student is 18 | Yes, for minor dependents |
| Breach notification | No federal mandate (state laws and best practices apply) | Federal requirement (60 days) |
| Enforcement | Dept. of Education | HHS Office for Civil Rights |
| Certification/audit | None required | BAAs required for business associates |

Why does this matter for your district? Schools sometimes hesitate to share information for fear of “violating HIPAA.” In most cases, HIPAA doesn’t apply to their student records. Understanding this distinction helps schools make appropriate decisions about information sharing - especially for threat assessment, IEP teams, and coordination with service providers.

This distinction also matters when choosing a behavior data collection app. Apps designed for clinical ABA settings often focus on HIPAA compliance alone. For schools, you need a vendor that understands FERPA - one that operates as a school official under your direct control and signs data use agreements (not just BAAs). TallyFlex was built with both clinical and school requirements in mind, including data protection agreements, role-based access controls, and encryption that meets both HIPAA and FERPA requirements.


Parent Rights Under FERPA for Behavioral Records

Parents of students with IEPs or 504 Plans have specific rights regarding behavioral data:

Right to Inspect and Review

Parents can request to see any education record, including:

  • Raw data from behavioral assessments
  • Session notes from ABA services
  • ABC data collection records
  • Progress monitoring graphs
  • Emails and notes about their child

Schools must provide access within a “reasonable period of time” - no more than 45 days after the request. Under IDEA (34 CFR §300.613), parents must be able to inspect and review records without unnecessary delay and before any IEP meeting, due process hearing, or resolution session. While IDEA does not set a separate, shorter deadline than FERPA’s 45 days, the “without unnecessary delay” and “before any meeting” requirements mean schools should provide access well ahead of scheduled meetings.

Right to Request Amendments

If parents believe a record is inaccurate or misleading, they can request a correction. If the school disagrees, parents can:

  1. Request a formal hearing
  2. If the hearing upholds the school’s decision, add a statement to the record explaining their objection
  3. That statement then becomes part of the permanent record and is disclosed with it

Schools generally cannot share personally identifiable information from education records without written parental consent. This includes sharing behavioral data with:

  • Outside therapists
  • Private ABA providers
  • Researchers
  • Other school districts (though records can be transferred when a student enrolls)

However, FERPA includes important exceptions.


FERPA Disclosure Exceptions

FERPA allows disclosure without consent in specific circumstances. Understanding these exceptions is crucial for school-based ABA programs:

```mermaid
flowchart LR
    subgraph "Consent Required"
        A(General disclosure to outside parties)
    end

    subgraph "No Consent Needed"
        B(School officials with legitimate interest)
        C(Transfer to new school)
        D(Health/safety emergency)
        E(Studies for or on behalf of school)
        F(Audit/evaluation by authorized reps)
        G(Directory information - if properly noticed)
    end

    A -.->|"Parent written consent"| Outside(External Parties)
    B --> Internal(Internal Use)
    C --> NewSchool(Receiving School)
    D --> Emergency(Emergency Responders)
```

1. School Official Exception

Schools can disclose records to “school officials” who have a “legitimate educational interest.” This is the most commonly used exception and is critical for ABA data collection apps.

A school official can include:

  • Teachers and administrators
  • Counselors and psychologists
  • School nurses
  • Contractors and consultants performing services for the school
  • Software vendors operating under school control

For a vendor to qualify as a school official, they must:

  • Perform a service the school would otherwise use employees for
  • Be under the direct control of the school regarding use and maintenance of records
  • Use records only for authorized purposes
  • Not re-disclose records without school permission

Important: To use this exception, schools must include the criteria for determining who qualifies as a school official with legitimate educational interest in their annual FERPA notification to parents.

2. Health or Safety Emergency

Schools can disclose records without consent when there’s an “articulable and significant threat” to health or safety, and knowledge of the information is necessary to protect someone.

This is relevant for threat assessment teams and crisis situations. Observations, behavioral data, and notes about concerning behavior can be shared with appropriate parties (including law enforcement) when necessary to protect students or staff.

3. Studies Exception

Schools can disclose records to organizations conducting studies for, or on behalf of, the school or other educational agencies to:

  • Develop or validate predictive tests
  • Administer student aid programs
  • Improve instruction

A written agreement must govern the research, specify the purpose and scope, ensure PII protection, and require data destruction when no longer needed for the study’s purpose. The study cannot allow personal identification of students outside the research organization.

4. Audit and Evaluation Exception

State and local education authorities can access records to audit or evaluate federally-supported education programs - including special education compliance.


What Schools Should Look for in ABA Data Collection Apps

When evaluating behavior data collection software, districts need more than a checkbox that says “FERPA compliant.” Here’s what actually matters:

1. The Vendor Operates as a School Official

The software provider must meet the school official exception criteria. This typically requires a data use agreement that specifies:

  • The vendor performs services for the school
  • The school maintains direct control over data use
  • Data is used only for authorized educational purposes
  • No unauthorized re-disclosure
  • Procedures for data breach notification
  • Data retention and destruction policies

Questions to ask:

  • “Do you sign data use agreements or data protection addendums?”
  • “How do you handle data breach notification?”
  • “What happens to our data if we stop using your service?”

2. Appropriate Access Controls

Behavioral data is sensitive. The app should provide:

  • Role-based permissions - Paraprofessionals, teachers, BCBAs, and administrators may need different access levels
  • Audit logging - Track who accessed what and when
  • Student-level controls - Limit which staff can see which students’ data

Questions to ask:

  • “Can we control who sees behavioral data at the student level?”
  • “Do you log access to student records?”

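To make the three controls above concrete, here is an added example (not code from TallyFlex or any vendor) of how an app can enforce them together: a role decides which actions a user may perform, a per-user caseload decides which students those actions may touch, and every decision, allowed or denied, is written to an audit log that can later answer “who accessed this student’s data and when.” The role names, permission names, user ids and student ids are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Added example: a minimal access-control model for a school behavior data app.
# Roles, permission names and ids are assumptions, not any vendor's API.

# Role-based permissions: each role maps to the actions it may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "paraprofessional": {"record_data"},
    "teacher": {"record_data", "view_data"},
    "bcba": {"record_data", "view_data", "edit_plan", "export"},
    "administrator": {"view_data", "export", "manage_access"},
}


@dataclass
class StaffUser:
    user_id: str
    role: str
    # Student-level control: the student ids this user is assigned to.
    caseload: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    action: str
    student_id: str
    allowed: bool
    reason: str


class AccessPolicy:
    """Decides every request with a role check and a caseload check,
    and records an audit entry whether the request is allowed or denied."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEntry] = []

    def _decide(self, user: StaffUser, action: str, student_id: str) -> Tuple[bool, str]:
        perms = ROLE_PERMISSIONS.get(user.role)
        if perms is None:
            return False, f"unknown role {user.role!r}"
        if action not in perms:
            return False, f"role {user.role!r} lacks permission {action!r}"
        if student_id not in user.caseload:
            return False, f"student {student_id} not on caseload"
        return True, "ok"

    def _record(self, user: StaffUser, action: str, student_id: str,
                allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user_id=user.user_id, action=action, student_id=student_id,
            allowed=allowed, reason=reason))

    def check(self, user: StaffUser, action: str, student_id: str) -> bool:
        """Single gate for reading or writing a student's behavioral data."""
        allowed, reason = self._decide(user, action, student_id)
        self._record(user, action, student_id, allowed, reason)
        return allowed

    def grant_access(self, admin: StaffUser, target: StaffUser, student_id: str) -> bool:
        """Only a role holding manage_access may extend a caseload; the grant
        itself is audited so changes in who can see which student are reviewable."""
        if "manage_access" not in ROLE_PERMISSIONS.get(admin.role, set()):
            self._record(admin, "manage_access", student_id, False,
                         f"role {admin.role!r} cannot manage access")
            return False
        target.caseload.add(student_id)
        self._record(admin, "manage_access", student_id, True,
                     f"granted {target.user_id} access to {student_id}")
        return True

    def history_for_student(self, student_id: str) -> List[AuditEntry]:
        """Who touched this student's records and when, e.g. for a parent records review."""
        return [e for e in self.audit_log if e.student_id == student_id]

    def denied_attempts(self) -> List[AuditEntry]:
        """Denied requests are the entries worth reviewing for misassigned access."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    # Constructed sample users; ids are placeholders.
    policy = AccessPolicy()
    para = StaffUser("para-01", "paraprofessional", {"S-001"})
    bcba = StaffUser("bcba-01", "bcba", {"S-001", "S-002"})
    admin = StaffUser("admin-01", "administrator")
    policy.check(para, "record_data", "S-001")   # allowed
    policy.check(para, "view_data", "S-001")     # denied: role lacks view_data
    policy.check(bcba, "export", "S-003")        # denied: student not on caseload
    policy.grant_access(admin, para, "S-002")    # allowed: administrator manages access
    policy.check(para, "record_data", "S-002")   # now allowed
    for entry in policy.audit_log:
        print(entry)
```

The point of logging denials as well as successes is that a denied export for a student outside a user’s caseload is exactly the kind of event an administrator should be able to find later; an app that only logs successful reads cannot answer that question.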
3. Data Security Measures

FERPA does not include a dedicated security rule comparable to HIPAA’s, but schools are still expected to use reasonable methods to protect education records. In practice, the following measures represent industry standards:

  • Encryption at rest (256-bit AES or equivalent)
  • Encryption in transit (TLS 1.2 or higher)
  • Secure cloud infrastructure (SOC 2 compliant hosting)
  • Regular security assessments

Questions to ask:

  • “Where is our data stored?”
  • “What encryption do you use?”
  • “Do you have SOC 2 certification or equivalent?”

4. Parent Access Considerations

Since parents have the right to inspect records, consider:

  • Can you export data in readable formats?
  • Can you generate reports for parent review?
  • How quickly can you produce records if requested?

FERPA Compliance Checklist for ABA Data Collection Apps

Use this checklist when evaluating behavior data collection software for your district:

Vendor Agreement

  • Vendor signs data use agreement or FERPA-compliant contract addendum
  • Contract specifies vendor as “school official” under school’s direct control
  • Contract limits data use to authorized educational purposes
  • Contract prohibits re-disclosure without school consent
  • Contract specifies data retention and destruction procedures
  • Contract includes data breach notification requirements

Access and Security

  • Role-based access controls available
  • Ability to limit staff access to specific students
  • Audit logs track who accesses student data
  • Data encrypted at rest (256-bit AES or equivalent)
  • Data encrypted in transit (TLS 1.2+)
  • Vendor uses SOC 2 compliant infrastructure

Data Management

  • Data can be exported in standard formats (CSV, PDF, Excel)
  • Records can be produced within 45 days for parent requests
  • Vendor has clear data deletion procedures when contract ends
  • Backup and disaster recovery procedures documented

Practical Considerations

  • Works on school devices (including Chromebooks)
  • Doesn’t require students to create accounts (also relevant for COPPA if students are under 13)
  • Supports offline use for areas with poor connectivity

Common Questions from Districts

“Do we need a BAA (Business Associate Agreement) for behavioral data?”

Not typically. BAAs are a HIPAA requirement for covered entities sharing PHI with business associates. Since most school-maintained behavioral records fall under FERPA, not HIPAA, a BAA is not the right agreement. What you need is a data use agreement or FERPA-compliant contract addendum that specifies the vendor’s obligations as a school official.

“Can BCBAs share data with a student’s private ABA provider?”

Only with written parent consent. Even if both work with the same student, the school cannot share education records with an outside provider without the parent’s written authorization.

“Can our threat assessment team access behavioral data?”

Yes. Under FERPA, threat assessment team members can be designated as school officials with legitimate educational interest. Additionally, the health and safety emergency exception allows disclosure when there’s an articulable and significant threat.

“What about sharing data with researchers?”

FERPA’s studies exception allows this if the study is conducted for, or on behalf of, the school and improves instruction or develops assessments. A written agreement must govern the research, specify the purpose and scope, ensure PII protection, and require data destruction when the study ends.

“Our state has additional privacy laws. Does FERPA preempt them?”

No. State laws can add protections beyond FERPA, but cannot reduce them. Many states (including California, New York, and others) have additional student privacy laws. Check your state’s requirements.


How TallyFlex Approaches School Compliance

TallyFlex was built with school privacy requirements in mind. Here’s how we address FERPA considerations:

  • Data protection agreements - We sign DPAs with districts upon request, and BAAs for clinical settings
  • Role-based access - Administrators control who can see which students
  • Encryption - 256-bit AES at rest, TLS 1.3 in transit
  • Google Cloud infrastructure - SOC 2 compliant hosting
  • Audit logging - 7-year retention of access records per our privacy policy
  • Data exports - CSV, Excel, and PDF exports for parent record requests
  • Chromebook compatible - Works on the devices schools already have
  • Offline mode - Collect data even without internet, sync when connected

We’re not just checking boxes. As an app built with BCBA input from day one, we understand that behavioral data is sensitive and families trust schools to protect it.


Summary

  1. FERPA, not HIPAA, governs student behavioral data in schools. The HIPAA Privacy Rule excludes education records from its definition of PHI. Don’t let HIPAA confusion prevent appropriate information sharing.

  2. Parents have rights. They can inspect records, request amendments, and must consent before disclosure to outside parties (with exceptions).

  3. The school official exception is key for software vendors. Vendors must be under school control, use data only for authorized purposes, and sign appropriate data use agreements. Schools must include school official criteria in their annual FERPA notification.

  4. Look beyond “FERPA compliant” marketing. Ask about data use agreements, access controls, encryption, and breach notification procedures.

  5. State laws may add requirements. Check your state’s student privacy laws in addition to federal FERPA requirements.

