Element 11.5 – Confidentiality of Student Educational Records
At a medical school, medical student educational records are confidential and available only to those members of the faculty and administration with a need to know, unless released by the student or as otherwise governed by laws concerning confidentiality.
Hidden Curriculum
Policies do not explicitly define what constitutes a “student educational record,” who has “a need to know,” or how access is controlled. Too many individuals have access to systems (e.g., MedHub, One45, OASIS) containing evaluations, grades, or academic actions—sometimes including course coordinators, residents, or administrative staff who don’t need it.
Best Practice
Good record-keeping isn’t just about following rules; it’s about handling student information thoughtfully and responsibly. Academic files should be kept separate from health, financial, or disciplinary records so sensitive information doesn’t get mixed up. Review role-based access controls for electronic systems and restrict permissions to those with a demonstrable educational need. Only faculty or staff who genuinely need the information, like advisors helping with course planning, graders reviewing exams, or staff arranging accommodations, should be able to access it. Physical records should be locked away, and digital files protected with encryption, secure logins, and two-factor authentication. Staff should receive regular training on privacy, FERPA, and handling sensitive data. And then keep attestations that learning modules on this subject were completed, or emails were sent etc. Students should be reminded each year about their rights and what counts as confidential versus directory information. Even details like letters of recommendation, exam scores, or notes on academic actions should only be shared with those who truly need them, keeping exposure to a minimum and upholding the law.
Continuous Quality Improvement
Confidentiality isn’t a “set it and forget it” policy. Schools need to review and update their policies regularly, audit who has accessed records, refresh privacy training, and improve technology systems to keep information secure. Feedback from staff and students helps identify gaps, and every update reinforces the importance of treating sensitive information responsibly. This ongoing attention ensures that student records remain protected and that the lessons of professionalism and trust continue to be reinforced.
