HIPAA, FERPA, and Immunizations: HIPAA & HITECH Act Blog by Jonathan P. Tomes


A client asked me to write a blog post regarding to whom the organization could disclose immunization records. Here it is:

One of the problems of complying with immunization requirements is that they are regulated not only by HIPAA but also by the Family Educational Rights and Privacy Act (“FERPA”) In other words, once a student’s immunization records are obtained and maintained by an educational institution or agency, FERPA applies. And individuals obtain many immunizations because they are required for enrollment in a school or other school-related functions, such as participating in an exchange student program in another country.

Thus, this issue really has three parts. The first part of this issue comes up when no law or regulation requires the reporting of the immunization to an employer, a school, or another entity. In that case, the health information regarding the immunization is the same as any other protected health information (“PHI”) and can thus be disclosed only as permitted by the Privacy Rule—that is, for treatment, payment, or health care operations, pursuant to an authorization, or in certain emergency situations in which, for example, an emergency department physician needs to know whether a patient has been immunized.

Second, the immunization may be required by an employer as a condition of employment, such as a when a health care worker must have a specific vaccine, such as a Hepatitis B vaccine (unless a blood test shows immunity to Hepatitis B). In that event, the employee should have signed an authorization.

Third, a school requires proof of vaccination to attend, to perform certain activities, or to go on certain events, such as an exchange school visit to a foreign country.

The first part of the issue is fairly clear. Just follow the HIPAA rules, which we have discussed exhaustively in this blog and in our books and articles.

The second part of the issue is a little murky, but is not extremely difficult. The employment contract or other documentation, such as an authorization to release inoculation information, specifies that the employee consents (authorizes) the health care provider performing the inoculation to provide the data to the employer as a condition of employment.

The third part of the issue is more complicated. As stated above, student immunization records are protected under two federal laws: (1) HIPAA, via the HIPAA Privacy Rule, and (2) FERPA, once a student’s immunization records have been obtained and maintained by an educational institution or agency to which FERPA applies. HIPAA has extensive guidance on releasing inoculation information in the education setting, which were recently amended. See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule was March 26, 2013, and covered entities and business associates had to comply by September 23, 2013.

Generally, schools ensure compliance with state immunization requirements for students by requesting immunization records from parents, who then request them from their child’s health care provider. To ensure that schools are able to receive the necessary documentation of immunization in a timely manner and to admit children without undue delay, the HIPAA Privacy Rule permits a covered health care provider, with the oral or written agreement of a parent or guardian, to disclose proof of immunization directly to a school that is required by law to have such proof before admitting a student.

As to the interaction between HIPAA and FERPA, HIPAA’s final rule amended 45 C.F.R. § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school in cases in which state or other law requires the school to have such information before admitting the student. Although written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, but must be documented, from a parent, guardian, or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor.

The rule adds that “we still require active agreement from the appropriate individual, and a health care provider may not disclose immunization records to a school under this provision without such agreement . . . . A mere request by a school to a health care provider for the immunization records of a student would not be sufficient to permit disclosure under this provision.” 78 Federal Register 5617.

The documentation can be as simple as a note in the medical record that the adult student or the parent consented to the disclosure.

seo by: k.c. seo