Skip to main content
BCBA Tools & Compliance

FERPA and Student Behavior Data

When a BCBA, teacher, or paraprofessional records behavior data in a school setting, that data usually becomes part of the student education record. That single fact pulls it under the Family Educational Rights and Privacy Act (FERPA), the federal law that governs the privacy of student records. Understanding both whether your data is FERPA protected and who is allowed to see it is essential to practicing legally and ethically in schools.

Is school behavior data protected under FERPA?

In most cases, yes. FERPA applies to education records, which it defines broadly as records that are directly related to a student and maintained by an educational agency or institution (or a party acting for it). Behavior data collected as part of a student program, an IEP, a behavior intervention plan, or a functional behavior assessment is directly related to that student and is maintained by the school, so it falls squarely within the definition.

There is a narrow exception for sole possession records, sometimes called private notes. These are records kept by one person as a personal memory aid, not shared with or accessible to anyone else, and not placed in the student file. The moment such notes are shared with a colleague, entered into a system, or used in decision making, they typically stop qualifying as sole possession records and become part of the education record.

The practical takeaway: assume that the behavior data you collect at school is FERPA protected unless you have a specific, documented reason to believe otherwise.

What secure storage looks like

FERPA requires schools to use reasonable methods to protect education records from unauthorized access. It does not prescribe a single technology, but the expectation is real safeguards rather than open spreadsheets or paper left on a desk.

  • Data encrypted in transit and at rest so it cannot be read if intercepted or if a device is lost.
  • Authenticated access, meaning each user signs in with their own credentials rather than sharing a generic login.
  • Role-based permissions so staff see only the students and data relevant to their role.
  • Audit trails and the ability to revoke access promptly when staff change roles or leave.

Who can access student behavior data?

FERPA limits access to education records to a defined set of people. For behavior data, the people who can generally access it without separate written consent are:

  • School officials with a legitimate educational interest. This includes teachers, behavior analysts, administrators, and contractors performing institutional services, but only for the students they actually work with and only as needed to do their jobs.
  • Parents and guardians of a student who is under 18 and still a dependent, who have the right to inspect and review their child education records.
  • Eligible students, meaning students who are 18 or older or who attend a postsecondary institution. At that point, FERPA rights transfer from the parent to the student.
  • Third parties outside that circle, including outside agencies, researchers, or service providers not acting as school officials, generally need prior written consent from the parent or eligible student. Specific FERPA exceptions exist, such as health and safety emergencies, transfers to a school where the student enrolls, and certain audit or evaluation purposes, but these are limited and should be applied carefully rather than treated as a default.

How ChartMyBehavior fits

ChartMyBehavior is built for FERPA-aligned school workflows. Data is encrypted in transit and at rest, access is authenticated, and permissions are role based so staff only see the students they are assigned to. The platform is designed to support a school in meeting its FERPA obligations.

To be clear about scope: ChartMyBehavior is built for school education-record workflows under FERPA. It is not positioned as a HIPAA-covered clinical platform, and it does not replace your district policies or the legal advice of your own counsel. If you operate in a clinical, HIPAA-covered setting, confirm that any tool you use meets those separate requirements.

Frequently asked questions

Is behavior data collected at school covered by FERPA or HIPAA?
Behavior data that is part of a student education record at a school is generally covered by FERPA, not HIPAA. HIPAA typically applies to covered health care providers and health plans. Many records that would otherwise be health information become FERPA-governed education records once they are maintained by a school. ChartMyBehavior is built for FERPA-aligned school workflows and is not positioned as a HIPAA-covered clinical platform.
Can a parent see all of their child behavior data?
Parents and guardians of a student under 18 generally have the right to inspect and review their child education records, which includes behavior data that is part of those records. Once a student turns 18 or enters a postsecondary institution, those rights transfer to the student as an eligible student.
Can I share behavior data with an outside provider?
Generally only with prior written consent from the parent or eligible student, unless a specific FERPA exception applies, such as a health or safety emergency or a school official arrangement. When in doubt, get written consent and follow your district policy.