What type or form of documentation of parental agreement is required under the Privacy Rule in order for a health care provider to be permitted to disclose proof of a child’s immunizations to a school that is subject to a school entry law? For how long must such documentation be maintained?
The Privacy Rule does not prescribe the nature and form of the documentation, allowing covered entities the flexibility to determine what is appropriate for their purposes and to address the varied circumstances in which parental agreement may be obtained. The documentation must only make clear that agreement was obtained as required by 45 CFR 164.512(b)(1)(vi) of the Privacy Rule. For example, if a parent or guardian submits a written or email request to a covered entity to disclose proof that his or her child has been immunized to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that proof of his or her child’s immunization be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement. The documentation for these purposes need not include the signature of a parent or guardian or any of the other elements required under the Privacy Rule for a written HIPAA authorization. As with other documentation required under the Privacy Rule, documentation of parental agreement for these purposes must be maintained for six years. See 45 CFR 164.530(j).