Is Coviu FERPA compliant?

FERPA stands for Family Educational Rights and Privacy Act. The Federal Law is a regulation published by the U.S. Department of Education to protect the privacy of parents and students.

Background

In the US, the Family Educational Rights and Privacy Act (FERPA) is the Federal Law that affords parents and students the right to have access to education records, seek to have records updated, and the right to control the disclosure of that information to third parties.

Telehealth is increasingly used by schools to conduct assessments and deliver therapy. With educational records and personally identifiable information (PII) being transmitted over telehealth, schools should be aware of FERPA requirements relating to telehealth.

Purpose

The purpose of this document is to describe how Coviu supports schools in maintaining FERPA compliance and to provide practical suggestions for schools implementing FERPA-compliant telehealth.

FERPA-Compliant Telehealth

FERPA is a Privacy Rule and does not include explicit information about security standards (U.S. Department of Education). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has a Privacy Rule and a Security Rule, and defines how providers must protect personally identifiable information (PII).

Coviu supports schools to comply with FERPA and HIPAA in the following ways:

  • Coviu is HIPAA compliant.

  • All Call data (including images and documents) is transmitted peer-to-peer and encrypted with end-to-end encryption.

  • Only anonymous Call data is retained on Coviu’s servers after the Call for a limited amount of time and only for the purposes of debugging any call connection issues a client might ask us about.

  • No student PII is retained on Coviu.
  • The only type of Educational Records Coviu stores is outcomes of standardised assessments, and no student-identifying information is stored with the test results.
  • Coviu does not sell to third parties or commercialise any data obtained by any use of the application.

  • Customer data is stored on servers located in the United States with a third-party provider (Amazon Web Services) to mitigate risk of an overseas exposure.

In summary, Coviu does not store students’ PII, and thus meets the core requirements of FERPA. For more information on how Coviu protects PII, see the Coviu Privacy Policy.

Recommendations

  • As Coviu does not store any student’s PII on its servers, schools should keep records outside Coviu for any telehealth Calls (e.g. date, time, student, and assessor’s name), as required.

  • Update any business continuity and data breach protocols to include information shared during telehealth Calls, if required.

  • Electronic consent forms used prior to telehealth consults can be updated to align with any consent forms under FERPA. FERPA permits electronic consent (U.S. Department of Education).

  • If a school must share educational records or PII with a third party (including Coviu), the school may be able to do so under the “school official” exception (U.S. Department of Education).

References