45 CFR 164.512(b)(1)(vi)
The HIPAA Privacy Rule strikes an important balance between protecting the privacy of individuals’ protected health information (PHI) and allowing the disclosure of PHI in a number of circumstances to those responsible for ensuring public health and safety. One circumstance involves the disclosure of student immunization information to schools. Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have received various immunizations. Most States have “school entry” laws, which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. Some States allow a child to begin school provisionally for a certain period of time while the school waits for the necessary immunization information. Typically, schools ensure compliance with State requirements by requesting immunization records from parents, who then request them from their child’s health care provider. To ensure schools are able to receive the necessary documentation of immunization in a timely manner and admit children without undue delay, the HIPAA Privacy Rule permits a covered health care provider to disclose proof of immunization directly to a school that is required by law to have such proof prior to admitting a student, with the oral or written agreement of a parent or guardian.
How the Rule Works
The Privacy Rule permits a covered health care provider to disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student, provided the health care provider obtains and documents the agreement to the disclosure from either:
- A parent, guardian, or other person acting in loco parentis of the student, if the student is an unemancipated minor; or
- The student himself or herself, if the student is an adult or emancipated minor.
See 45 CFR 164.512(b)(1)(vi).
The agreement may be obtained orally or in writing, and need not be signed or contain the other elements required in a formal, written HIPAA authorization. While the agreement itself need not be in writing, a covered health care provider is required to document the agreement to the disclosure. The Privacy Rule does not prescribe the nature or format of the documentation, which may vary depending on how the agreement was obtained. For example, a copy of a written request by a parent to disclose proof of immunization, or a notation in a child’s medical record of a phone conversation with a parent who requests that the provider disclose proof of immunization, would suffice as documentation of the parent’s agreement to the disclosure. An agreement for purposes of this provision remains effective until revoked by the parent, guardian, or other person acting in loco parentis, or by the student, if applicable.