Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. Privacy
  5. Guidance Materials
  6. Student Immunizations
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

Student Immunizations

45 CFR 164.512(b)(1)(vi)

Background

The HIPAA Privacy Rule strikes an important balance between protecting the privacy of individuals’ protected health information (PHI) and allowing the disclosure of PHI in a number of circumstances to those responsible for ensuring public health and safety.  One circumstance involves the disclosure of student immunization information to schools.  Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have received various immunizations.  Most States have “school entry” laws, which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized.  Some States allow a child to begin school provisionally for a certain period of time while the school waits for the necessary immunization information.  Typically, schools ensure compliance with State requirements by requesting immunization records from parents, who then request them from their child’s health care provider.  To ensure schools are able to receive the necessary documentation of immunization in a timely manner and admit children without undue delay, the HIPAA Privacy Rule permits a covered health care provider to disclose proof of immunization directly to a school that is required by law to have such proof prior to admitting a student, with the oral or written agreement of a parent or guardian.

How the Rule Works

The Privacy Rule permits a covered health care provider to disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student, provided the health care provider obtains and documents the agreement to the disclosure from either:

  • A parent, guardian, or other person acting in loco parentis of the student, if the student is an unemancipated minor; or
  • The student himself or herself, if the student is an adult or emancipated minor.

See 45 CFR 164.512(b)(1)(vi).

The agreement may be obtained orally or in writing, and need not be signed or contain the other elements required in a formal, written HIPAA authorization.  While the agreement itself need not be in writing, a covered health care provider is required to document the agreement to the disclosure.  The Privacy Rule does not prescribe the nature or format of the documentation, which may vary depending on how the agreement was obtained.  For example, a copy of a written request by a parent to disclose proof of immunization, or a notation in a child’s medical record of a phone conversation with a parent who requests that the provider disclose proof of immunization, would suffice as documentation of the parent’s agreement to the disclosure.  An agreement for purposes of this provision remains effective until revoked by the parent, guardian, or other person acting in loco parentis, or by the student, if applicable.

Frequently Asked Questions on Student Immunizations 

Back to Top

Content created by Office for Civil Rights (OCR)
Content last reviewed September 19, 2013
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy