University of Alabama faculty members were threatened by department leaders Aug. 24 with “serious consequences” if they shared news of coronavirus infections on campus.

Arizona State University, which boasts one of the largest student enrollment numbers in the country, divulged its first case count in the past week amid public pressure after the school’s president refused to.

With coronavirus clusters popping up around campus in August, the University of North Carolina at Chapel Hill told its student newspaper it would not reveal the number of people infected in the outbreaks.

As students file onto campuses across the country for in-person classes, these universities and others tightened transparency, wielding one or a combination of two significant federal laws: FERPA, a federal law protecting the privacy of student education records, and HIPAA, a federal health privacy rule.

But these laws do not apply to withholding overall coronavirus campus data, three legal experts told The Washington Post.

While major coronavirus outbreaks at universities restarting in the fall have grabbed national headlines, schools incorrectly citing federal privacy laws have shrouded what students and faculty know about the virus spreading across their campuses, according to the experts.

With no national standardized reporting protocol for coronavirus cases at colleges, keeping track of on-campus outbreaks has been largely left to schools, which widely vary in what they disclose to the public. Administrators have been left scrambling to balance students’ individual privacy with public updates on the virus.

The U.S. Department of Education in March released coronavirus guidelines for FERPA, the Family Educational Rights and Privacy Act, saying that schools could share coronavirus data as long as it does not give out personal information of students. But given the current crisis, the department also advised schools that they could use an emergency exemption that applies to situations such as a school shooting, natural disaster or “the outbreak of an epidemic disease,” according to the federal agency.

Coronavirus data can be shared without pointing to individuals if the school shares blanket numbers, experts said.

“I totally sympathize that you don’t want to say ‘John Smith has corona’ to the class but you could easily say ‘a student in this class has tested positive for corona,' ” said LeRoy Rooker, former director of the Department of Education’s Family Policy Compliance Office and a leading authority on educational privacy law.

The same week that the University of Alabama tallied 1,368 confirmed cases across the school’s three campuses — one of the highest infection counts among the nation’s universities — faculty were pressed to “NEVER, EVER refer to, mention, or discuss student health,” according to an email to the English department obtained by The Post.

“This injunction extends to what some might consider an anonymized statement like, ‘Two students in my class tested positive,’ ” the email stated. “Even if this seems like an innocuous statement, it is not. In the current environment, people can make deductions, making ANY reference to student health a potential HIPAA violation.”

However, HIPAA, the Health Insurance Portability and Accountability Act, explicitly states who it oversees: health-care providers such as doctors and pharmacists.

When asked by The Post, the university referred to its teaching FAQ page, which instead cited FERPA, a law that applies to a student’s education records.

The University of Alabama maintains it has not traced a single infection to a classroom and points to the social distancing and masking rules it has set.

“As noted, the University will endeavor to protect the privacy of students and avoid publicly identifying a student who has tested positive,” according to a section of the FAQ page provided by a school spokesman.

But the email has left instructors in fear of breaching laws that don’t even apply to them, said Michael Innis-Jiménez, an American history and labor studies professor at the University of Alabama.

“We’re really nervous, anxious and scared,” he said. “It’s a big mystery exactly how [the virus] is going to get you if it’s going to get you. People are really worried about that, and to be forced to keep your job, and be in that position — and you’re willing to be in that position — and be told that ‘we’re going to keep it a secret if you were in the same room as somebody.’”

When Sarah Cheshire, a creative writing graduate student who teaches classes at the University of Alabama, got the email, she was shocked by the implications and began researching the federal law.

“Everything I read contradicted what was told to us,” Cheshire said. “I’m concerned about the largest issue it represents of institutionalized silencing, weaponizing the law in a misrepresentative way in order to achieve their ends.”

With face covering and social distancing restrictions, students may feel discouraged to honestly report their close contact with peers, Cheshire said, for fear of repercussions. Faculty may only be notified of their contact with an infected student if the patient discloses they were near others sans mask.

Innis-Jimenez and Cheshire, who are both on the steering committee of the United Campus Workers union chapter, said other faculty were afraid of speaking out, concerned the school would penalize them.

FERPA applies to records kept by the school and not faculty so the enforcement doesn’t apply to individual professors, said Frank LoMonte, director of the Brechner Center for Freedom of Information at the University of Florida.

“There’s a lot of mythology about how broad [FERPA] is but that’s only mythology,” LoMonte said.

If an infected student disclosed to a professor and the teacher announced it to the class, that is not a violation of FERPA, LoMonte said, but it could arguably be counter to common privacy law if the professor doesn’t have valid justification.

“The reason universities are so confused about this is that their lawyers have been misusing FERPA for decades to block public records requests for things that FERPA doesn’t cover,” he said.

Schools are also required to report immediate campus safety threats under the Clery Act, a consumer protection law.

Carl Bergstrom, a University of Washington biology professor who studies infectious diseases, said that while he doesn’t know of data to back it up, he suspects students and faculty at schools with updated trackers would be kept abreast of the risk of the virus and make knowledgeable decisions.

“A better informed campus community is a safer campus community,” he said.

But at Arizona State University, until a sudden change in the past week, school officials told the student newspaper, the State Press, that the school wouldn’t share the number of infections, citing privacy laws. The New York Times reported it faced similar responses when requesting case counts from colleges across the country for its tracker.

ASU spokesman Chris Fiscus told The Post that the school has “multiple legal requirements in play,” including HIPPA and FERPA.

“Application of those considerations is dependent upon a variety of factors as they exist at any given point in time and whether the disclosed information could lead to the identity of specific individuals,” Fiscus said.

Fiscus said the school’s disclosure in the past week will be the first of weekly updates sent by the administration. The institution will not maintain a tracker, Fiscus said, but students could go to the local health department’s website to look at cases in their Zip codes.

The University of North Carolina at Chapel Hill’s student newspaper, the Daily Tar Heel, also asked its school for individual case numbers within clusters but was told that FERPA forbade it. The school defined a cluster as five or more cases but said offering more detail than that could disclose personal detail about students, the student newspaper reported.

The school later backtracked, providing the number of students within clusters.

When asked about citing FERPA, a school spokesman sent a section of the Department of Education guidance that explains that the institution cannot disclose details that “would allow a reasonable person in the school community to identify the students who are absent due to COVID-19 with reasonable certainty.”

But for a school to be forbidden from disclosing numbers that could violate a student’s privacy, the numbers would need to point to individuals, which might not be the case in a large dorm identified as a cluster, Northwestern University law professor Matthew Kugler said.

“Particularly in a small class, you could imagine if you say two students tested positive, maybe someone else in the class sees two students who aren’t there the next class,” Kugler said. “Saying 20 people tested positive in a large dorm would be, one, essential information and, two, not identifiable.”

As the pandemic continues to bear down on college campuses, administrators may continue to withhold data for fear of violating FERPA. The penalty to the university for a FERPA offense can only be handed down by the Department of Education, not via lawsuit.

In some ways, refusing to share the data is safer legally. There’s no legal repercussion for citing privacy law to justify limiting access to information as long as it doesn’t violate public record laws, LoMonte said.

“One of the great flaws with federal privacy law is that the door only swings one way — you can only get in trouble for being undercompliant with the law and not being overly compliant,” LoMonte said. “If you’re knowingly and frivolously misusing privacy law to conceal information then you should pay consequences for that.”