Disclosing student information during school emergencies
The assumption that FERPA is an absolute barrier to sharing student information is one of the more consequential misconceptions in school administration. It leads institutions to withhold information they are legally permitted, and in some cases obligated, to share during emergencies, while simultaneously creating a false sense of legal security about the broader protections the statute provides. Neither outcome serves students well.
FERPA does protect student educational records with significant force. It also contains express provisions that authorize disclosure when the safety of students or others is genuinely at risk. The question is not whether schools can share information during emergencies; it is under what conditions they can do so, with whom, and what obligations attach to that disclosure.
What does FERPA actually permit during a school emergency?
The statute's health and safety emergency exception, codified at 34 C.F.R. § 99.36, permits educational institutions to disclose personally identifiable information from student records, without prior consent, to any person whose knowledge of that information is necessary to protect the health or safety of the student or other individuals. The exception is not limited to law enforcement; it extends to medical personnel, public health authorities, and any other party whose involvement is relevant to addressing the emergency.
The standard is necessity, not convenience. A school administrator who shares student medical information with a treating physician because that information is needed to guide emergency care is squarely within the exception. The same administrator sharing that information with a parent's neighbor because they seemed concerned is not.
FERPA also grants institutions discretion in applying this exception. The Department of Education has historically given schools significant deference in determining what constitutes an emergency, provided the decision was made on the basis of the facts available at the time and not in hindsight. What the regulation does not protect is a pattern of treating every difficult situation as an emergency in order to sidestep consent requirements that would otherwise apply.
Share student data safely during emergencies with secure redaction tools.
Who can receive student information under the emergency exception?
The exception is purpose-driven, not role-driven. A disclosure is permissible not because the recipient holds a particular title but because their involvement is necessary to address the specific emergency. Law enforcement officers responding to a threat need relevant background on the individuals involved. Medical responders need health information that might affect treatment decisions. A school counselor coordinating a response may need to communicate student information to multiple parties simultaneously.
What the exception does not authorize is categorical disclosure: informing all parents of all students about an incident, releasing student information to media organizations because an emergency is of public concern, or disclosing records to individuals whose involvement is speculative rather than necessary. The scope of permissible disclosure maps directly onto the scope of the emergency itself.
Schools should also be aware that when a student has reached the age of 18, FERPA's rights transfer from the parents to the student. In emergency situations involving adult students, institutions disclosing to parents must have either the student's consent or another applicable legal basis for that disclosure. The urgency of an emergency does not override this transfer of rights, and institutions that routinely contact parents of adult students without adequate legal basis are creating compliance exposure that is independent of any emergency situation.
What records should be accessible and how should they be maintained?
For emergency disclosure to function practically, relevant records must be accessible to authorized personnel at the point of need. A health and safety emergency, by definition, does not allow time for extended record retrieval. Institutions should maintain clear internal documentation of which student records may be disclosed under emergency conditions, who has authority to authorize that disclosure, and which external parties, such as local emergency services or public health departments, are approved recipients.
This requires deliberate preparation. Student emergency contact information, relevant medical conditions, individualized education plans that bear on emergency response, and threat assessment records should be organized, maintained, and accessible in a way that allows rapid retrieval under pressure. The same records must be protected against unauthorized access under non-emergency conditions.
The organizational challenge is that the same infrastructure that enables rapid disclosure during an emergency must also prevent casual or unauthorized access at all other times. That balance is not achieved through good intentions; it is achieved through system design. Access controls, audit logs, and defined authorization hierarchies are the mechanisms through which institutions demonstrate that their emergency disclosure capabilities operate within legal limits.
What obligations apply after an emergency disclosure?
FERPA requires that disclosures made under the health and safety emergency exception be recorded in the student's file. The record must identify the parties to whom information was disclosed, the date of disclosure, and the legitimate interest each party had that justified receiving the information. This documentation requirement exists for every disclosure made under this exception, without regard to how urgent the circumstances were or how straightforward the decision seemed at the time.
Post-emergency documentation is frequently neglected. Institutions that focus exclusively on managing the emergency itself and defer record-keeping indefinitely create audit risk and, in the event of a complaint or investigation, face the burden of reconstructing disclosures from memory rather than from contemporaneous records. The documentation requirement is not burdensome if it is built into the emergency response protocol; it becomes burdensome only when treated as an afterthought.
The broader lesson is that emergency provisions in FERPA reward preparation. Institutions that have considered in advance what constitutes an emergency, who may authorize disclosure, to whom disclosure may be made, and how that disclosure will be documented are far better positioned to act correctly under pressure than those encountering these questions for the first time in a crisis.
Safeguarding sensitive education records through the right technology infrastructure means having systems that both protect student data under ordinary conditions and support defensible, auditable disclosure when emergencies genuinely require it. Pimloc's Secure Redact platform gives educational institutions the tools to manage that balance, ensuring that access to student information is controlled, documented, and compliant regardless of the circumstances under which it is needed.