
Regulatory Confusion and Complexity

County DD Boards navigate the complexities of multiple overlapping regulations: HIPAA, FERPA, IDEA, Ohio Revised Code, and Ohio Administrative Code. This is not easy. Yesterday, the Department of Education (DoE) and the Department of Health and Human Services Office of Civil Rights (OCR) teamed up to offer updated guidance on how FERPA and HIPAA apply to student health records. Most of the clarifications provided in this detailed guidance document will have limited relevance to DD Boards. For example, it addresses issues for post-secondary institutions, private schools, and schools with health clinics, none of which apply to DD Boards. We have excerpted a number of the clarifications which may apply to DD Boards.

Why the Change?

Although FERPA and HIPAA themselves have not changed, the guidance was ready for an update amid the growing opioid crisis. Advice for disclosing student education and health records includes the following updates:

  • Focus is given to mental health concerns
  • Direction is provided for the release of records of deceased individuals to their families
  • Language has been added to include “substance use disorder”
  • Clarity is given regarding disclosing PHI and PII to law enforcement, the Protection and Advocacy system, and the National Instant Criminal Background Check System

Read below for more…

The following are all taken from the guidance document, the full text of which is available HERE

 

Mental Health Concerns

What options do the parents of an eligible student with mental illness have under FERPA if they are concerned about the student’s mental health and the eligible student refuses to provide consent to permit a school subject to FERPA to share PII from education records with the family?

Under FERPA, an eligible student’s education records and treatment records (which constitute
education records if made, maintained, or used for any purpose other than the eligible student’s
treatment) may be disclosed, without appropriate consent, if the disclosure meets one of the exceptions to FERPA’s general consent rule. See 20 U.S.C. §§ 1232g(b)(1), (b)(2), (b)(3), (b)(5), (b)(6), (h), (i), and (j); 34 CFR § 99.31. For example, a university physician treating an eligible
student might determine that the student’s treatment records should be disclosed to the student’s
parents. This disclosure may be made, without consent of the eligible student, if the eligible
student is claimed as a dependent under section 152 of the Internal Revenue Code of 1986. 20
U.S.C. § 1232g(b)(1)(H); 34 CFR § 99.31(a)(8). If the eligible student is not claimed as a
dependent, the disclosure may be made to the parents if the conditions of any other exception to
FERPA’s general requirement of consent are met, such as if the disclosure is in connection with
a health or safety emergency and the parents’ knowledge of the records is necessary to protect
the health or safety of the eligible student or other persons. 20 U.S.C. § 1232g(b)(1)(I); 34 CFR
§§ 99.31(a)(10) and 99.36.

If the exceptions to FERPA’s general consent requirement do not apply and the eligible student
refuses to provide written consent for the disclosure, then FERPA would prohibit the school
from making the disclosure. However, FERPA would not prevent school officials from listening
to the concerns of family members or other care givers, nor preclude a school official from
sharing personal observations of the student not based on information contained in the student’s
education record. 

Under HIPAA, when can information be shared about someone who presents a serious danger to self or others?

The HIPAA Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes,
when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or
lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a
person(s) reasonably able to prevent or lessen the threat. This may include, depending on the
circumstances, disclosure to law enforcement, family members, the target of the threat, or others
whom the covered entity has a good faith belief can mitigate the threat. The disclosure also must
be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i).
For example, consistent with other laws and ethical standards, a mental health provider whose
teenage patient has made a credible threat to inflict serious and imminent bodily harm on one or
more fellow students may alert law enforcement, a parent or other family member, school
administrators or campus police, or others the provider believes may be able to prevent or lessen
the chance of harm. In such cases, the covered entity is presumed to have acted in good faith where
its belief is based upon the covered entity’s actual knowledge (i.e., based on the covered entity’s
own interaction with the patient) or in reliance on a credible representation by a person with
apparent knowledge or authority (i.e., based on a credible report from a family member or other
person). See 45 CFR § 164.512(j)(4).

For threats or concerns that do not rise to the level of “serious and imminent,” other HIPAA
Privacy Rule provisions may apply to permit the disclosure of PHI. For example, covered entities
generally may disclose PHI about a minor child to the minor’s personal representative (e.g., a
parent or legal guardian), consistent with State or other laws. See 45 CFR § 164.502(b).

Under FERPA, when can PII from a student’s education records be shared, without prior written consent, about someone who presents a serious danger to self or others?

FERPA provides that PII from a student’s education records, including student health records,
may be disclosed by educational agencies and institutions to appropriate parties in connection
with a health or safety emergency, without the consent of the parent or eligible student, if
knowledge of the information is necessary to protect the health or safety of the student or other
individuals. 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.

For example, if an eligible student storms out of a teacher’s office stating that, “I know where
my parents keep their guns, and someone is going to pay” and the teacher believes that the
student is on his way home to and may try to use the weapons, FERPA’s health or safety
exception would permit the teacher to contact the parents, police, or others in a position to help,
to warn them that the student is on the way home and threatened to use a weapon against others.

Educational agencies and institutions are responsible for making the determination as to whether
a health or safety emergency exists. See 34 CFR § 99.36(c). Pursuant to § 99.36(c) of the FERPA
regulations, in determining whether it may rely on FERPA’s health or safety emergency
exception:

an educational agency or institution may take into account the totality of the
circumstances pertaining to a threat to the health or safety of a student or other
individuals. If the educational agency or institution determines that there is an
articulable and significant threat to the health or safety of the student or other
individuals, it may disclose information from education records to any person
whose knowledge of the information is necessary to protect the health or safety of
the student or other individuals. If, based on the information available at the time
of the determination, there is a rational basis for the determination, the [U.S.
Department of Education] will not substitute its judgment for that of the
educational agency or institution in evaluating the circumstances and making its
determination.

(Emphasis added.) See also 73 Fed. Reg. 74,806, 74,837 (Dec. 9, 2008) (explaining that the U.S.
Department of Education amended FERPA’s health or safety emergency exception to add
subsection (c) in order to “provide[ ] greater flexibility and deference to school administrators so
they can bring appropriate resources to bear on a circumstance that threatens the health or safety
of individuals.”).

The U.S. Department of Education discussed the health or safety emergency exception to
FERPA’s general consent requirement in some detail in the preamble to the 2008 Federal
Register notice implementing changes to the FERPA regulations, 73 Fed. Reg. 74,806, 74,836-74,839
(Dec. 9, 2008), and in guidance entitled “Addressing Emergencies on Campus,” issued in
June 2011. In the preamble, the U.S. Department of Education explained that:

the phrase “articulable and significant threat” means that if a school official can
explain why, based on all the information then available, the official reasonably
believes that a student poses a significant threat, such as a threat of substantial
bodily harm, to any person, including the student, the school official may disclose
education records to any person whose knowledge of information from those
records will assist in protecting a person from that threat.

73 Fed. Reg. at 74,838. The U.S. Department of Education also stated that:

to be “in connection with an emergency” means to be related to the threat of an
actual, impending, or imminent emergency, such as a terrorist attack, a natural
disaster, a campus shooting, or the outbreak of an epidemic. An emergency could
also be a situation in which a student gives sufficient, cumulative warning signs
that lead an educational agency or institution to believe the student may harm
himself or others at any moment. It does not mean the threat of a possible or
eventual emergency for which the likelihood of occurrence is unknown, such as
would be addressed in emergency preparedness activities.

Further, in the June 2011 guidance, the U.S. Department of Education explained the following:

In some situations, a school official may determine that it is necessary to disclose
[PII] from a student’s education records to appropriate parties in order to address
a health or safety emergency . . . This exception to FERPA’s general consent
requirement is limited to the period of the emergency and generally does not
allow for a blanket release of [PII] from a student’s education records. Typically,
law enforcement officials, public health officials, trained medical personnel, and
parents (including parents of an eligible student) are the types of appropriate
parties to whom information may be disclosed under this FERPA exception.
Disclosures for health or safety emergency reasons do not include disclosures to
address emergencies for which the likelihood of occurrence is unknown, such as
would be the case in emergency preparedness activities.

U.S. Department of Education, Addressing Emergencies on Campus, p. 3 (June 2011), available
at https://studentprivacy.ed.gov/resources/addressing-emergencies-campus.

Finally, where an educational agency or institution non-consensually discloses PII from a
student’s education records pursuant to FERPA’s health or safety emergency exception, within a
reasonable period of time after the disclosure, the educational agency or institution must record
in the student’s education records the articulable and significant threat to the health or safety of
the student or other individual(s) that formed the basis for the disclosure, and the parties to
whom the information was disclosed. 34 CFR § 99.32(a)(5).

What options do family members of an adult patient with mental illness have under HIPAA if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider subject to HIPAA share information with the family?

The HIPAA Privacy Rule permits a health care provider to disclose information to the family
members of an adult patient who has decision-making capacity, and indicates that he or she does
not want the disclosure made, only to the extent that the provider perceives a serious and
imminent threat to the health or safety of the patient or others and the family members are in a
position to lessen the threat. See 45 CFR § 164.512(j). Otherwise, under HIPAA, the provider
must respect the wishes of the adult patient who objects to the disclosure.

HIPAA in no way prevents health care providers from listening to family members or other
caregivers who may have concerns about the health and well-being of the patient. A provider can
factor that information into the patient’s care, and should the patient later request access to the
health record, any such information disclosed under a promise of confidentiality (such as that
shared by a concerned family member with the provider), may be withheld from the patient if the
disclosure would be reasonably likely to reveal the source of the information. See 45 CFR §
164.524(a)(2)(v). This exception to the patient’s right to access their PHI allows loved ones to
disclose relevant health or safety information with providers without fear of disrupting their
relationship with the patient.

Disclosure of Records of Deceased Individual

Does HIPAA allow a parent to access the medical records of his or her deceased child?

HIPAA defers to applicable State laws regarding who qualifies as an individual’s personal
representative, and thus who can obtain and make decisions about sharing the individual’s health
information upon the individual’s death, when the individual dies without designating a legal
personal representative. See 45 CFR § 164.502(g)(4). The parent of a deceased minor child
generally is the child’s personal representative.

Does FERPA allow a parent to access the education records of his or her deceased child?

Consistent with common law principles, the U.S. Department of Education interprets the FERPA
rights of eligible students to lapse or expire upon the death of the eligible student. Therefore,
FERPA would not protect the education records of a deceased eligible student, and an
educational agency or institution may disclose such records at its discretion or consistent with
State law. However, at the elementary and secondary level, FERPA rights do not lapse or expire
upon the death of a non-eligible student because FERPA provides specifically that the rights it
affords rest with the parents of students until that student reaches 18 years of age or attends a
postsecondary institution. Once the parents are deceased, the records are no longer protected by
FERPA.

 

Substance Use Disorder

Does HIPAA allow a healthcare provider to disclose PHI about a minor child with a mental health condition and/or substance use disorder to the parents of the minor?

Yes. The HIPAA Privacy Rule generally allows a covered entity to disclose PHI about a minor child
to the child’s parent, as the minor child’s personal representative, when the disclosure is not
inconsistent with State or other law.

In some cases, such as when a minor may receive treatment without a parent’s consent under
applicable law, the parents are not treated as the minor’s personal representative. See 45 CFR §
164.502(g)(3). In such cases where the parent is not the personal representative of the minor,
other HIPAA Privacy Rule provisions may allow the disclosure of PHI about the minor to the
parent.

For example, if a provider believes a minor presents a serious danger to self or others, the
HIPAA Privacy Rule permits a covered entity to disclose PHI to a parent or other person(s) if the
covered entity has a good faith belief that: (1) the disclosure is necessary to prevent or lessen the
serious and imminent threat and (2) the parent or other person(s) is reasonably able to prevent or
lessen the threat. The disclosure also must be consistent with applicable law and standards of
ethical conduct. See 45 CFR § 164.512(j)(1)(i); see also provisions related to 42 CFR Part 2
regulating the disclosure and re-disclosure of substance-use disorder information by Part 2
programs.

For example, a minor makes statements to his physician that he plans to harm himself or others.
The HIPAA Privacy Rule permits the physician, including a mental health provider, to contact a
parent (or anyone) who the health care provider has a reasonable belief is in a position to lessen
or prevent the harm.

Does FERPA permit a school to disclose PII from the education records of a student with a mental health condition and/or substance use disorder to the parents of the student?

Yes. FERPA permits schools to disclose PII from education records to the parent of a student who is not an eligible student. See 34 CFR § 99.31(a)(12). Further, under FERPA, a school must generally provide a parent of a student who is not an eligible student with an opportunity to
inspect and review his or her child’s education records within 45 days of the receipt of a request.
20 U.S.C. § 1232g(a)(1)(A); 34 CFR § 99.10(b). While required to provide a parent of a student
who is not an eligible student with access to their child’s education records, a school is not
generally required by FERPA to provide copies of education records. See 20 U.S.C. §
1232g(a)(1)(A); 34 CFR § 99.10. One of the exceptions in which a school may be required to
provide a copy of the education records requested is in the context of a request for access to
education records from a parent or student who is not an eligible student where the
circumstances would effectively prevent the parent from exercising his or her right to inspect and
review education records; in this context, the school would be required to either provide the
parent with a copy of the education records requested or make other arrangements that would
allow for the parent to inspect and view the requested records. 34 CFR § 99.10 (d). An example
of circumstances effectively preventing a parent from inspecting or reviewing education records
is where the parent does not live within commuting distance of the school.

Disclosure to Law Enforcement

Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?

Yes, if certain conditions are met. By way of background, many schools have their own law
enforcement units to monitor safety and security and enforce any local, State, or Federal law or
refer such enforcement matters to appropriate authorities. Those schools that do not have specific
law enforcement units may designate a particular office or school official to be responsible for
monitoring safety and security and referring potential or alleged violations of law to local
authorities. Some smaller school districts and colleges employ off-duty police or sheriff’s
department officers to serve as school security officers.

If a law enforcement official is an employee of an educational agency or institution and meets
the criteria specified in the school’s annual notification of FERPA rights to parents and eligible
students for being a “school official” who has been determined to have a “legitimate educational
interest” in the education records, then the law enforcement unit official may be considered a
school official to whom PII from students’ education records may be disclosed, without prior
written consent of a parent or eligible student. See 20 U.S.C. § 1232g(b)(1)(A); 34 CFR §§
99.7(a)(3)(iii) and 99.31(a)(1)(i)(A). Educational agencies and institutions may also consider law
enforcement unit officials, such as off-duty police or sheriffs’ department officers and School
Resource Officers (SROs) who are not employees of the educational agency or institution, to be “school officials,” to whom PII from student’s education records may be disclosed, without appropriate consent, if the law enforcement unit officials: 

  1. Perform an institutional service or function for which the educational agencies
    or institutions would otherwise use employees (for, e.g., to ensure school
    safety and security);
  2. Are under the “direct control” of the educational agencies or institutions with
    respect to the use and maintenance of the education records (for, e.g., through
    a memorandum of understanding (MOU) that establishes data use restrictions
    and data protection requirements);
  3. Are subject to FERPA’s use and re-disclosure requirements in 34 CFR §
    99.33, which provides that the PII from education records may be used only
    for the purposes for which the disclosure was made (for, e.g., to promote
    school safety and the physical security of students), and which limits the redisclosure of PII from education records; and,
  4. Meet the criteria specified in the educational agencies’ or institutions’ annual
    notification of FERPA rights for being “school officials” who have been
    determined to have “legitimate educational interests” in the education records.

See 20 U.S.C. § 1232g(b)(1)(A); 34 CFR §§ 99.7(a)(3)(iii) and 99.31(a)(1)(i)(A) and (B)(1)-(3).

In situations where the law enforcement official is not a school official with a legitimate
educational interest, the school may only disclose a student’s education records, including health
records, to that official with the prior, written consent of the parent or eligible student, unless an
exception applies. One such exception that could apply is FERPA’s health or safety emergency
exception (discussed in greater detail in Question 21 above). Under this FERPA exception, a
student’s education records, including health records, may be disclosed, without the prior written
consent of a parent or eligible student, to appropriate parties in connection with an emergency, if
knowledge of the information is necessary to protect the health or safety of the student or other
individuals. See 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.

For more information on this issue, see the following guidance entitled, “School Resource
Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act
(FERPA),” issued by the U.S. Department of Education’s Privacy Technical Assistance Center
in February 2019 –
https://studentprivacy.ed.gov/sites/default/files/resource_document/file/SRO_FAQs_2-5-19_0.pdf.

Does HIPAA permit an educational agency or institution to disclose PHI to a Protection and Advocacy system where the disclosure is required by law?

Yes. Protection and Advocacy (P&A) systems are designated by the governor of each State and
territory to protect and advocate for the rights of individuals with disabilities, including by
investigating incidents of abuse or neglect. Each P&A system administers multiple P&A
programs authorized by Congress through legislation such as the Developmental Disabilities
Assistance and Bill of Rights Act (DD Act) (for individuals with developmental disabilities), the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) (for individuals with mental illness), and section 509 of the Rehabilitation Act of 1973 (Rehabilitation Act) (for
certain individuals with disabilities who, for example, are not eligible for P&A services under the
DD Act or PAIMI Act). These statutes and their implementing regulations require that access to
records be provided to P&A systems under certain circumstances. See DD Act at 42 U.S.C. §
15043(a)(2)(I) and (J), 45 CFR § 1386.22; PAIMI Act at 42 U.S.C. § 10805(a)(4), 42 CFR §
51.41; and the Rehabilitation Act at 29 U.S.C. § 794e(f)(2), 34 CFR § 381.10(a)(2).

The Privacy Rule permits a covered entity to disclose PHI without an individual’s authorization
to a P&A system to the extent that such disclosure is required by law and the disclosure complies
with the requirements of that law. See 45 CFR § 164.512(a). Thus, a covered entity may disclose
PHI to the P&A system, as required by the DD Act, PAIMI Act, or section 509 of the
Rehabilitation Act, as well as any other Federal statute authorizing a P&A program, when the
P&A system requests access to such records in carrying out its protection and advocacy
functions under these Acts. Similarly, covered entities may disclose PHI to the P&A system
where another Federal, State, or other law mandates such disclosures, consistent with the
requirements in such law.

Where disclosures are required by law, the Privacy Rule’s minimum necessary standard does not
apply; instead, the law requiring the disclosure will establish the limits on what should be
disclosed. Moreover, with respect to disclosures required by law, a covered entity cannot use the
Privacy Rule as a reason not to comply with its other legal obligations. 

Does FERPA permit an educational agency or institution to disclose PII from a student’s education records to a Protection and Advocacy system?

Yes, in certain circumstances. For instance, an educational agency or institution may disclose PII
from a student’s education records to a P&A system, where a parent of a student under 18 and
not in attendance at an institution of postsecondary education, or an eligible student, provides
prior written consent to disclose such PII to the P&A system. Additionally, as we previously
stated in an amici curiae brief jointly filed by the U.S. Departments of Education and Health and
Human Services before the U.S. Court of Appeals for the Second Circuit, there are also
circumstances in which an educational agency or institution may disclose such PII to the P&A
system without obtaining such prior written consent, such as in connection with an emergency
under FERPA’s health or safety exception (set forth in 20 U.S.C. § 1232g(b)(1)(I) and 34 CFR
§§ 99.31(a)(10) and 99.36), if the P&A system’s knowledge of the PII is necessary to protect the
health or safety of the student or other individuals. We noted that “the facts supporting a
P&A’s determination that a mentally ill student’s health or safety is in serious jeopardy, see 42
U.S.C. § 10805(a)(4)(C), for example, might also support a school’s determination that an
‘emergency’ existed in which disclosure of [PII from education records] was ‘necessary to
protect the health or safety of the student or other persons.’ 20 U.S.C. § 1232g(b)(1)(I).” Id. at
15-16. However, we also recognized that a P&A system’s request for name and contact
information might not always satisfy a FERPA exception to the general requirement of consent
and that, in those instances where the DD Act, the PAIMI Act, or section 509 of the Rehabilitation Act conflict with FERPA, “FERPA does not bar a P&A from obtaining access to the name of and contact information for a parent, guardian, or other legal representative of a minor student with a disability or mental illness where the P&A’s probable cause determination
satisfies the requirements for access to records under the PAIMI Act and the DD Act.” Id. at 15-16.
We concluded that where the statutes are in conflict, “the specific access provisions of the
PAIMI Act and the DD Act (and [section 509 of the Rehabilitation Act] by incorporation) are
properly understood as a limited override of FERPA’s generally applicable non-disclosure
requirements.” Id. at 15. We viewed a P&A system’s access to such PII from education records
as generally being consistent with Congress’ intent relating to student privacy in part because a
P&A system “is required to maintain the confidentiality of any student records it receives, see 42
U.S.C. § 10806(a) …,” such that we saw little risk of the public disclosure of the information
that FERPA is intended to prevent. Id. at 19-20. 

Does HIPAA permit a school-based health care provider to report a student to the National Instant Criminal Background Check System (NICS)?

Most likely no. Although HIPAA allows limited disclosures to the National Instant Criminal
Background Check System (NICS) by a designated set of covered entities, this permission most
likely would not apply to covered entities that operate in the school context.

NICS is maintained by the Federal Bureau of Investigation (FBI) to conduct background checks
on persons who may be disqualified from possessing or receiving firearms based on State law or
Federal prohibited categories, including those who have been “involuntarily committed to a
mental institution” or “adjudicated as a mental defective” (e.g., found incompetent to stand trial).
See 27 CFR § 478.11.

HIPAA’s permission to disclose to NICS applies only to covered entities that are: (1) An entity
designated by a State to report, or which collects information for purposes of reporting, on behalf
of a State, to the NICS; or (2) A court, board, commission, or other lawful authority that makes a
commitment or adjudication that causes an individual to become subject to disqualification as
described above. For these covered entities, the Privacy Rule allows disclosure of only the
limited demographic and certain other information needed for purposes of reporting to NICS and
expressly prohibits the disclosure of diagnostic or clinical information for such purposes. See 45
CFR § 164.512(k)(7).

It is unlikely that a school health provider is a HIPAA covered entity designated by a State to
report to NICS or given the authority to order a student’s involuntary commitment, but if it is,
such a provider could make limited disclosures concerning a student to NICS.

More information can be found online at OCR’s NICS page.

Does FERPA permit an educational agency or institution to disclose, without prior written consent, PII from a student’s education records to the NICS?

FERPA permits records of a law enforcement unit of an educational agency or institution,
subject to the provisions of 34 CFR § 99.8, to be reported to NICS without obtaining the prior
written consent of parents or eligible students because such records are not covered as “education
records” under FERPA. Among the exclusions from the definition of “education records” – and thus from the privacy protections of FERPA – are records of a law enforcement unit of an educational agency or institution. 20 U.S.C. 1232g(a)(4)(B)(ii); 34 CFR § 99.3 (definition of “education records,” subsection (b)(2)). These records must be: (1) created by a law
enforcement unit; (2) created for a law enforcement purpose; and (3) maintained by the law
enforcement unit. 20 U.S.C. 1232g(a)(4)(B)(ii); 34 CFR § 99.8(b)(1). Law enforcement unit
records do not include the following: (1) records created by a law enforcement unit for a law
enforcement purpose that are maintained by a component of the educational agency or institution
other than the law enforcement unit; or (2) records created and maintained by a law enforcement
unit exclusively for a non-law enforcement purpose, such as a disciplinary action or proceeding
conducted by the educational agency or institution. 34 CFR § 99.8(b)(2). Under FERPA, “law
enforcement unit” means any individual, office, department, division, or other component of an
educational agency or institution, such as a unit of commissioned police officers or
noncommissioned security guards, that is officially authorized or designated by that agency or
institution to (1) enforce any local, State, or Federal law, or refer to appropriate authorities a
matter for enforcement of any local, State, or Federal law against any individual or organization
other than the agency or institution itself; or (2) maintain the physical security and safety of the
agency or institution. 34 CFR § 99.8(a)(1). Therefore, subject to State or local law, educational
agencies and institutions may disclose records of a law enforcement unit, as set forth in 34 CFR
§ 99.8, to anyone, including NICS, without consent from parents or eligible students. 

Stay tuned for a deep-dive into HIPAA, FERPA, and IDEA for DD Boards coming next month!
