aacrao-logo_transparent

Ask the FERPA Professors

December 8, 2025
  • Collaborative Decision-Making
  • FERPA
  • Registration & Records
  • Family Educational Rights and Privacy Act
  • FERPA
  • FERPA Professor
  • Personal Identification Numbers
  • PII
  • privacy

Dear FERPA Professors,

We are operated as part of a hospital system and recently have begun hitting multiple roadblocks with our IT colleagues, who are only used to "medical" and "HR" rules, but are not familiar at all with FERPA or other items unique to higher education.

Our hospital system IT creates our students' email accounts, and previously, we have provided a list of names and phone numbers (they do not have access to our SIS, nor would it be allowed, as they do not provide IT support for our SIS). Recently, my colleague who submits the list was told they must start including the last four digits of the SSN. They brought it to me because their permissions do not include viewing SSNs, so they would need my assistance in completing the list. Since SSN (or parts of it) is not directory information, I am very reluctant to share the information.  

Our leadership does not necessarily share this concern, so before pushing back too much, I wanted to see how your expertise views this situation and any suggestions you might have as I move forward.

Thank you in advance,

P.I.I.

Dear P.I.I.,

I hope all is well with you.  This is in response to your question regarding the disclosure of the last four digits of students' social security numbers to the hospital system IT.

FERPA prohibits institutions from designating SSNs or any portion thereof—including truncated or masked SSNs—as "directory information," which means these numbers cannot be disclosed without prior written consent from the eligible student or unless another FERPA exception applies. Additionally, SSNs should not be used to authenticate identity for disclosure purposes because the use of any part of an SSN as an identifier still presents privacy and security risks. 

However, based on your inquiry, it sounds like the hospital system IT may be performing an institutional service or function for the institution (i.e., creating students’ email accounts). If so, FERPA’s school official exception may be an option to consider that would permit the non-consensual disclosure of personally identifiable information from education records to IT. Under this exception, an institution is permitted to disclose PII from students’ education records without eligible student consent to contractors and other outside parties performing institutional services or functions.  Under this exception, the institution is required to specify in its annual notice of student rights the criteria for who is considered a “school official" and what constitutes a "legitimate educational interest. The institution must maintain direct control over the third party regarding the use and maintenance of the education records. The third party may use PII only for the authorized purposes set by the institution. Also, disclosure to further third parties is prohibited unless specifically authorized by the institution and in line with FERPA. This is typically accomplished via a contractual agreement specifying the third party's responsibilities, limitations on access, data security, and prevention of unauthorized use or redisclosure. 

However, such agreements are not required under FERPA. If the school official exception is appropriate in your situation, I agree you should only provide hospital system IT with the limited PII necessary to establish student email accounts on behalf of the institution. It is interesting that IT is now saying they need the last four digits of students' social security number to create student email accounts. You may want to pursue why. 

For more information on the school official exception, see Appendix B, page 159 of the 2012 AACRAO FERPA Guide.

I hope this is helpful.  Please let me know if you need further guidance.

The FERPA Professor

Want the Professor to come to your campus? Visit our FERPA compliance training page.

AACRAO members, send your questions to the FERPA Professor at communications@aacrao.org.

Related Content

Join the "Reimagining Registration: Connecting Advising, Policy, and Student Success" webinar on December 16, 2025, 2:00-3:00 p.m. (ET).

Don't miss the new AACRAO Compliance Webinar Series. The first two webinars are: December 17, 2-3 p.m. ET on FERPA, and December 19, 2-3 p.m. ET on Records Retention and Destruction.

Take the AACRAO National Learning Mobility Challenge for Improving Transfer Time-to-Decision.

Visit AACRAO's Bookstore to shop for publications covering a variety of topics, including FERPA, SEM, Transfer, Admissions, Registrar, and more.

Subscribe

AACRAO's bi-weekly professional development e-newsletter is open to members and non-members alike.