David Cruz · Schools & Compliance · 10 min read
FERPA Guide for School-Based ABA - What Every District Needs to Know
Understand how FERPA protects behavioral data in schools, how it differs from HIPAA, and what to look for in compliant ABA data tools.
Key Takeaways
Student behavioral health records in schools fall under FERPA, not HIPAA. Schools are not HIPAA-covered entities for student education records. FERPA protects IEPs, Behavior Support Plans (BSPs), behavioral data, evaluations, and medication records. Parents have the right to inspect, review, and request corrections to these records. When students turn 18, these rights transfer to them. When selecting ABA data collection software, districts need vendors that operate as “school officials” under their direct control with proper data use agreements.
If you’re a school administrator, special education director, or BCBA working in schools, understanding FERPA is essential. Not just because compliance matters - but because families trust you with sensitive information about their children.
This guide covers what FERPA protects, how it differs from HIPAA, parent rights, disclosure exceptions, and what to look for when evaluating behavior data tools for your district.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that protects the privacy of student education records. It applies to all schools and districts that receive funding from the U.S. Department of Education - which includes virtually all public K-12 schools.
FERPA gives parents three core rights:
- Access - The right to inspect and review their child’s education records
- Amendment - The right to request corrections to inaccurate or misleading records
- Control - The right to consent before the school discloses personally identifiable information (PII) from education records
When a student turns 18 or enrolls in a postsecondary institution, these rights transfer from the parent to the student (called an “eligible student”).
What Records Does FERPA Protect?
FERPA covers any record maintained by the school that contains personally identifiable information about a student. For special education and ABA programs, this includes:
| Record Type | Examples |
|---|---|
| Evaluations | Psychological assessments, functional behavior assessments (FBAs), speech/language evaluations |
| IEPs and 504 Plans | Goals, accommodations, service minutes, progress reports |
| Behavioral Records | Behavior Support Plans (BSPs), Behavior Intervention Plans (BIPs), ABC data, session notes |
| Progress Data | Mastery criteria tracking, behavioral graphs, skill acquisition data |
| Medication Records | Administration logs, health plans related to behavior |
| Disciplinary Records | Incident reports, suspension records, manifestation determinations |
| Communication | Emails, notes, and correspondence about the student |
The key principle: if a record is maintained by the school and identifies a specific student, FERPA applies.
FERPA vs. HIPAA - The Critical Distinction
Here’s what many school staff don’t realize: HIPAA does not apply to most student health and behavioral records in schools.
The U.S. Department of Education and the Department of Health and Human Services have issued joint guidance clarifying that when FERPA applies, HIPAA does not. These laws are mutually exclusive for the same record.
flowchart TD
A[Student Health/Behavioral Record] --> B{Who maintains it?}
B -->|School| C{Is school a HIPAA covered entity?}
B -->|Healthcare provider| D[HIPAA applies]
C -->|No - most K-12 schools| E[FERPA applies]
C -->|Yes - rare cases| F{Is record part of education record?}
F -->|Yes| E
F -->|No| D
style E fill:#90EE90
style D fill:#FFB6C1
FERPA vs. HIPAA Comparison
| Aspect | FERPA | HIPAA |
|---|---|---|
| Applies to | Schools receiving federal education funds | Healthcare providers, health plans, clearinghouses |
| Protects | Education records | Protected health information (PHI) |
| Student records in schools | Yes - primary law | No - explicitly excluded |
| Consent required for disclosure | Yes, with exceptions | Yes, with exceptions |
| Parent access rights | Yes, until student is 18 | Yes, for minor dependents |
| Breach notification | State laws vary | Federal requirement (60 days) |
| Enforcement | Dept. of Education | HHS Office for Civil Rights |
| Certification/audit | None required | None required (but BAAs common) |
Why does this matter? Schools sometimes hesitate to share information for fear of “violating HIPAA.” In most cases, HIPAA doesn’t apply to their student records. Understanding this distinction helps schools make appropriate decisions about information sharing - especially for threat assessment, IEP teams, and coordination with service providers.
Parent Rights Under FERPA for Behavioral Records
Parents of students with IEPs or 504 Plans have specific rights regarding behavioral data:
Right to Inspect and Review
Parents can request to see any education record, including:
- Raw data from behavioral assessments
- Session notes from ABA services
- ABC data collection records
- Progress monitoring graphs
- Emails and notes about their child
Schools must provide access within a “reasonable period of time” - no more than 45 days after the request. Under IDEA (Individuals with Disabilities Education Act), this timeline is even shorter: parents must be able to review records “without unnecessary delay” before IEP meetings, due process hearings, or resolution sessions.
Right to Request Amendments
If parents believe a record is inaccurate or misleading, they can request a correction. If the school disagrees, parents can:
- Request a formal hearing
- Add a statement to the record explaining their objection (the statement becomes part of the permanent record)
Right to Consent Before Disclosure
Schools generally cannot share personally identifiable information from education records without written parental consent. This includes sharing behavioral data with:
- Outside therapists
- Private ABA providers
- Researchers
- Other school districts (though records can be transferred when a student enrolls)
However, FERPA includes important exceptions.
FERPA Disclosure Exceptions
FERPA allows disclosure without consent in specific circumstances. Understanding these exceptions is crucial for school-based ABA programs:
flowchart LR
subgraph "Consent Required"
A[General disclosure to outside parties]
end
subgraph "No Consent Needed"
B[School officials with legitimate interest]
C[Transfer to new school]
D[Health/safety emergency]
E[Studies for school improvement]
F[Audit/evaluation by authorized reps]
G[Directory information - if properly noticed]
end
A -.->|"Parent written consent"| Outside[External Parties]
B --> Internal[Internal Use]
C --> NewSchool[Receiving School]
D --> Emergency[Emergency Responders]
1. School Official Exception
Schools can disclose records to “school officials” who have a “legitimate educational interest.” This is the most commonly used exception and is critical for ABA data tools.
A school official can include:
- Teachers and administrators
- Counselors and psychologists
- School nurses
- Contractors and consultants performing services for the school
- Software vendors operating under school control
For a vendor to qualify as a school official, they must:
- Perform a service the school would otherwise use employees for
- Be under the direct control of the school regarding use and maintenance of records
- Use records only for authorized purposes
- Not re-disclose records without school permission
2. Health or Safety Emergency
Schools can disclose records without consent when there’s an “articulable and significant threat” to health or safety, and knowledge of the information is necessary to protect someone.
This is relevant for threat assessment teams and crisis situations. Observations, behavioral data, and notes about concerning behavior can be shared with appropriate parties (including law enforcement) when necessary to protect students or staff.
3. Studies Exception
Schools can share records with organizations conducting studies to:
- Develop or validate predictive tests
- Administer student aid programs
- Improve instruction
The study cannot allow personal identification of students outside the organization, and data must be destroyed when no longer needed.
4. Audit and Evaluation Exception
State and local education authorities can access records to audit or evaluate federally-supported education programs - including special education compliance.
What Schools Should Look for in ABA Data Tools
When evaluating behavior data collection software, districts need more than a checkbox that says “FERPA compliant.” Here’s what actually matters:
1. The Vendor Operates as a School Official
The software provider must meet the school official exception criteria. This typically requires a data use agreement that specifies:
- The vendor performs services for the school
- The school maintains direct control over data use
- Data is used only for authorized educational purposes
- No unauthorized re-disclosure
- Procedures for data breach notification
- Data retention and destruction policies
Questions to ask:
- “Do you sign data use agreements or data protection addendums?”
- “How do you handle data breach notification?”
- “What happens to our data if we stop using your service?”
2. Appropriate Access Controls
Behavioral data is sensitive. The tool should provide:
- Role-based permissions - Paraprofessionals, teachers, BCBAs, and administrators may need different access levels
- Audit logging - Track who accessed what and when
- Student-level controls - Limit which staff can see which students’ data
Questions to ask:
- “Can we control who sees behavioral data at the student level?”
- “Do you log access to student records?”
3. Data Security Measures
While FERPA doesn’t mandate specific security standards (unlike HIPAA), schools still need vendors with adequate protection:
- Encryption at rest (256-bit AES or equivalent)
- Encryption in transit (TLS 1.2 or higher)
- Secure cloud infrastructure (SOC 2 compliant hosting)
- Regular security assessments
Questions to ask:
- “Where is our data stored?”
- “What encryption do you use?”
- “Do you have SOC 2 certification or equivalent?”
4. Parent Access Considerations
Since parents have the right to inspect records, consider:
- Can you export data in readable formats?
- Can you generate reports for parent review?
- How quickly can you produce records if requested?
FERPA Compliance Checklist for ABA Data Tools
Use this checklist when evaluating behavior data collection software for your district:
Legal and Administrative
- Vendor signs data use agreement or FERPA-compliant contract addendum
- Contract specifies vendor as “school official” under school’s direct control
- Contract limits data use to authorized educational purposes
- Contract prohibits re-disclosure without school consent
- Contract specifies data retention and destruction procedures
- Contract includes data breach notification requirements
Access and Security
- Role-based access controls available
- Ability to limit staff access to specific students
- Audit logs track who accesses student data
- Data encrypted at rest (256-bit AES or equivalent)
- Data encrypted in transit (TLS 1.2+)
- Vendor uses SOC 2 compliant infrastructure
Data Management
- Data can be exported in standard formats (CSV, PDF, Excel)
- Records can be produced within 45 days for parent requests
- Vendor has clear data deletion procedures when contract ends
- Backup and disaster recovery procedures documented
Practical Considerations
- Works on school devices (including Chromebooks)
- Doesn’t require students to create accounts
- Supports offline use for areas with poor connectivity
- Integrates with district single sign-on (SSO) if required
Common Questions from Districts
“Do we need a BAA (Business Associate Agreement) for behavioral data?”
Not typically. BAAs are a HIPAA requirement, and most school-maintained behavioral records fall under FERPA, not HIPAA. What you need is a data use agreement or FERPA-compliant contract addendum that specifies the vendor’s obligations.
“Can BCBAs share data with a student’s private ABA provider?”
Only with written parent consent. Even if both work with the same student, the school cannot share education records with an outside provider without the parent’s written authorization.
“Can our threat assessment team access behavioral data?”
Yes. Under FERPA, threat assessment team members can be designated as school officials with legitimate educational interest. Additionally, the health and safety emergency exception allows disclosure when there’s an articulable and significant threat.
“What about sharing data with researchers?”
FERPA’s studies exception allows this if the study improves instruction or develops assessments. A written agreement must govern the research, ensure PII protection, and require data destruction when the study ends.
“Our state has additional privacy laws. Does FERPA preempt them?”
No. State laws can add protections beyond FERPA, but cannot reduce them. Many states, including California and New York, have additional student privacy laws. Check your state’s requirements.
How TallyFlex Approaches School Compliance
TallyFlex was built with school privacy requirements in mind. Here’s how we address FERPA considerations:
- Data use agreements - We sign FERPA-compliant agreements with districts
- Role-based access - Administrators control who can see which students
- Encryption - 256-bit AES at rest, TLS 1.3 in transit
- Google Cloud infrastructure - SOC 2 compliant hosting
- Audit logging - 7-year retention of access records per our privacy policy
- Data exports - CSV, Excel, and PDF exports for parent record requests
- Chromebook compatible - Works on the devices schools already have
- Offline mode - Collect data even without internet, sync when connected
We’re not just checking boxes. As a tool built in collaboration with a practicing BCBA, we understand that behavioral data is sensitive and families trust schools to protect it.
Key Takeaways
FERPA, not HIPAA, governs student behavioral data in schools. Don’t let HIPAA confusion prevent appropriate information sharing.
Parents have rights. They can inspect records, request amendments, and must consent before disclosure to outside parties (with exceptions).
The school official exception is key for software. Vendors must be under school control, use data only for authorized purposes, and sign appropriate agreements.
Look beyond “FERPA compliant” marketing. Ask about data use agreements, access controls, encryption, and breach notification procedures.
State laws may add requirements. Check your state’s student privacy laws in addition to federal FERPA requirements.
Additional Resources
- U.S. Department of Education Student Privacy Policy Office
- Joint Guidance on FERPA and HIPAA
- Responsibilities of Third-Party Service Providers under FERPA
- FERPA 201: Data Sharing under FERPA (Training)

