FERPA Confidentiality of Records Quiz: Student Privacy and HIPAA

Quick, free HIPAA and FERPA quiz to test your knowledge. Instant results.

Editorial: Review Completed
Created By: Paris Chang
Updated Aug 25, 2025
Difficulty: Moderate
Time: 2-5 mins

This FERPA confidentiality of records and HIPAA quiz helps you check your understanding of student records privacy and shared health information. Answer short, real-world questions and see where to improve. After you finish, try our HIPAA privacy compliance quiz, practice with a student privacy quiz, or broaden your skills with a privacy and security quiz.

What does FERPA stand for?
Family Educational Rights and Privacy Act
Families' Education Records Protection Act
Federal Educational Rights and Public Access Act
Federal Education Records Privacy Act

FERPA is a federal law that protects the privacy of student education records under the Family Educational Rights and Privacy Act. It grants parents the right to inspect and review their children's education records and governs disclosure.

Which of the following is considered Protected Health Information (PHI) under HIPAA?
Athletic team roster
Student's GPA
Library checkout history
Patient's medical record number

Under HIPAA, PHI includes any identifiable health information, such as medical record numbers. This distinguishes it from academic or directory information covered by FERPA.

Which records are covered by FERPA?
Classroom seating charts only
Financial aid application status only
Grades, transcripts, and disciplinary records
Athletic performance metrics

FERPA covers student education records such as grades, transcripts, and disciplinary files, whether maintained by the institution or a party acting for the institution.

What is the primary enforcement body for HIPAA regulations?
Federal Trade Commission (FTC)
Department of Education (ED)
Food and Drug Administration (FDA)
Office for Civil Rights (OCR)

The Office for Civil Rights (OCR) within HHS enforces HIPAA's Privacy and Security Rules, investigates complaints, and conducts compliance reviews.

Under FERPA, when can a school release 'directory information' without consent?
Never, directory information is always private
After notifying students and allowing an opt-out
Only with written academic counselor approval
Only for research purposes

FERPA allows schools to designate certain information as directory information and release it if they notify students annually and give them the opportunity to opt out.

Who is considered a 'school official' under FERPA?
Visitor observing a class
Faculty member with legitimate educational interest
External vendor without a BAA
Parent of another student

FERPA defines a school official as an employee or agent with a legitimate educational interest in accessing student records for educational purposes.

Does FERPA apply to records of students who have graduated?
No, only K-12 students
No, only current students
Yes, but only for five years
Yes, indefinitely

FERPA protections apply to education records of students regardless of their enrollment status, including graduates, indefinitely.

Which of the following is NOT protected under HIPAA?
Laboratory test results
Prescription history
An individual's dietary preference
Medical diagnosis

HIPAA protects identifiable health information related to diagnosis, treatment, and health status. Simple dietary preferences not linked to health conditions are not PHI.

What is the 'minimum necessary' standard under HIPAA?
Releasing records in full to law enforcement always
Providing PHI only to patients themselves
Sharing all records once consent is given
Disclosing only the least amount of PHI needed

The minimum necessary standard requires covered entities to limit the use, disclosure, and requests for PHI to the minimum needed to accomplish the intended purpose.

When can an educational institution disclose education records without student consent under FERPA?
To newspapers for publication
To any prospective employer
To comply with a court order or subpoena
To parents of other students

FERPA allows disclosure of education records without consent in response to a court order or subpoena, provided the institution attempts to notify the student.

How long are education records required to be retained under FERPA regulations?
No specific federal retention period
Three years after graduation
Five years after last attendance
Ten years after issuance

FERPA itself does not specify retention timelines; retention is governed by state law or institutional policy. Institutions must comply with applicable nonfederal requirements.

Which FERPA right allows a student to challenge the content of their education records?
Right to provide consent for every disclosure
Right to a hearing on disciplinary actions only
Right to request amendment
Right to opt out of directory information

FERPA grants students the right to request that schools amend records they believe to be inaccurate or misleading. Schools must comply or provide a hearing process.

Under HIPAA, which of these is required in a Business Associate Agreement (BAA)?
FERPA opt-out mechanisms
Permitted uses and disclosures of PHI
Student disciplinary procedures
Athletic eligibility criteria

A BAA must specify the permitted uses and disclosures of PHI by the business associate and require safeguards, reporting breaches, and compliance obligations.

What is an example of an indirect identifier under FERPA?
Directory phone number
Student ID number
Public event schedule
Campus mailbox location

A student ID number is an indirect identifier that, combined with other data, can uniquely identify a student and is therefore protected unless designated directory info.

In research involving education records, what must an institution obtain under FERPA?
Dean's verbal approval
Only IRB approval
Nothing, if data is de-identified by name only
Student consent or a FERPA waiver

FERPA requires institutions to obtain written consent from students or a waiver from the Family Policy Compliance Office for research access to identifiable education records.

Which entities are considered 'covered entities' under HIPAA?
Nonprofit advocacy groups only
Health plans, healthcare clearinghouses, and healthcare providers
Educational institutions, athletic programs, and financial aid offices
Student organizations, alumni associations, and donors

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit PHI electronically, making them subject to HIPAA rules.

How does FERPA treat records maintained by a school clinic for student treatment?
Not protected by any federal law
As PHI, governed by HIPAA only
As directory information
As education records, not subject to HIPAA

Records of a school health clinic used solely for treatment of students are considered education records under FERPA, not PHI under HIPAA.

Which method is an acceptable HIPAA de-identification standard?
Masking photocopied records
Safe Harbor removal of 18 identifiers
Encrypting emails without key management
Redacting student grades only

The Safe Harbor method requires removal of 18 specific identifiers to de-identify PHI so that re-identification risk is very small.

Under FERPA, what constitutes a 'legitimate educational interest'?
Access necessary for a school official to perform duties
Sharing with external media
Any curiosity-driven review
Parents of other students requesting grades

A legitimate educational interest exists when a school official needs to review records to fulfill professional responsibilities, such as advising or teaching.

What annual requirement does a school have under FERPA regarding policy notification?
Submit directory information to media
Publish student grades online
Notify students of their rights under FERPA
Encrypt all paper records

FERPA requires schools to annually notify students of their rights under the Act, including inspection rights and consent requirements for disclosure.

Under HIPAA's Breach Notification Rule, what is the maximum time to notify individuals of a breach?
90 days from discovery
60 days from discovery
120 days from discovery
30 days from discovery

HIPAA requires covered entities to notify affected individuals no later than 60 calendar days after discovering a breach of unsecured PHI.

Which FERPA exception allows third-party verification of student attendance for financial aid purposes?
Audit or evaluation exception
Directory information disclosure
School official exception
Health or safety emergency exception

The audit or evaluation exception permits educational agencies to disclose records without consent to authorized representatives for auditing, evaluation, or enforcement of federal or state-supported education programs.

How does HIPAA define 'psychotherapy notes' differently from other records?
Not covered by HIPAA
Separate, more restricted from PHI, requiring specific consent
Publicly disclosable by law
Included in general medical records

Under HIPAA, psychotherapy notes are treated with heightened privacy and generally require specific patient authorization for most disclosures, separate from other PHI.

A university health center maintains student counseling records. When must HIPAA apply instead of FERPA?
If the student signs a FERPA waiver for academic use
If the clinic bills insurance in its own name and uses electronic transactions
If the clinic is staffed by non-university personnel
If the records are stored in the registrar's office

HIPAA applies when a health clinic bills third-party payers under its own provider number and conducts electronic transactions, making it a covered entity, even on a campus.

Study Outcomes

  1. Understand FERPA confidentiality requirements -

    Learn the core provisions of the Family Educational Rights and Privacy Act and how they protect student records. Gain clarity on parental and student rights under FERPA.

  2. Apply HIPAA compliance principles -

    Master the fundamentals of the Health Insurance Portability and Accountability Act to safeguard health information. Discover how to handle protected health data in educational settings.

  3. Analyze student privacy scenarios -

    Evaluate real-world situations to determine appropriate responses under FERPA confidentiality rules. Hone your decision-making skills for secure records handling.

  4. Identify permissible disclosures -

    Distinguish between allowable and prohibited data sharing under both FERPA and HIPAA. Learn which exceptions permit disclosure without violating privacy laws.

  5. Evaluate records protection protocols -

    Assess current practices for storing, accessing, and transmitting student and health records. Pinpoint gaps in compliance and areas for strengthening security.

  6. Recommend privacy best practices -

    Formulate actionable strategies to maintain compliance in educational and healthcare contexts. Ensure ongoing adherence to FERPA confidentiality of records and HIPAA standards.

Cheat Sheet

  1. FERPA Fundamentals -

    FERPA (Family Educational Rights and Privacy Act) controls access to education records and requires written consent for disclosures, except under specific exceptions like health and safety emergencies (U.S. Dept. of Education, 34 CFR Part 99). Use the mnemonic "F-E-R-P-A: First, Education Records Privacy Assured" to recall its focus on student record confidentiality. Reviewing this is essential for any FERPA confidentiality of records quiz.

  2. HIPAA Privacy Rule Essentials -

    The HIPAA Privacy Rule protects individually identifiable health information (PHI) and mandates safeguards and breach notifications; covered entities must comply within 60 days of any breach (HHS.gov). Think "H-I-P-A-A: Health Info Protected Always Act" to remember key requirements. This concept often shows up in a HIPAA compliance trivia quiz.

  3. Directory Information & Opt-Out Rights -

    FERPA allows schools to designate certain non-sensitive details - like name, major, and enrollment status - as "directory information," which may be disclosed unless a student opts out. Mnemonic: "DIR-ECT" (Disclosure Is Restricted if Explicitly Canceled by the student or Tutor). This principle is frequently tested on a student privacy quiz to ensure proper opt-out handling.

  4. School Officials & Legitimate Educational Interest -

    FERPA permits disclosure without consent to school officials with a legitimate educational interest (e.g., counselors or IT staff when supporting online learning), provided institutions maintain strict access controls. Remember "SAS" (Staff, Authorized, Student need-to-know) to track who qualifies. This rule is a staple of any thorough education privacy rules test.

  5. HIPAA Breach Response & Risk Assessment -

    Under HIPAA, entities must perform a risk assessment using the formula Risk = Threat × Vulnerability × Impact, implement encryption, and notify affected individuals within 60 days of a breach (HHS.gov). A handy trick: "Assess, Encrypt, Alert" summarizes the compliance workflow. Mastering this strengthens your performance on a health information protection quiz.
