February 22, 2013. Today, we examine modified HIPAA Privacy Rule considerations regarding healthcare provider disclosure of immunization records for students in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Student immunization records are protected under two federal laws: HIPAA, via the HIPAA Privacy Rule, as discussed below, and the Family Educational Rights and Privacy Act (FERPA) “once a student’s immunization records are obtained and maintained by an educational institution or agency to which FERPA applies. This posting focuses on the HIPAA Privacy Rule provisions vis-à-vis such records prior to their receipt by an educational institution or agency to which FERPA applies. For further information on the “intersection of FERPA and HIPAA, consult Joint Guidance on the Application of FERPA and HIPAA to Student Health Records. 78 Federal Register 5616
The Final Rule states: “The Privacy Rule, at 45 CFR 164.512(b) [Uses and Disclosures for which an authorization or opportunity to agree or object is not required], recognizes that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety, and permits covered entities to disclose the minimum necessary protected health information to public health authorities or other designated persons or entities without an authorization for public health purposes specified by the Rule.
“Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have been immunized. Most States have ‘school entry laws’ which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. …
“Typically, schools ensure compliance with those requirements by requesting the immunization records from parents (rather than directly from a health care provider). However, where a covered health care provider is requested to send the immunization records directly to a school, the Privacy Rule generally requires written authorization by the child’s parent before a covered health care provider may do so…. “
Because of concerns with the difficulty of obtaining authorization in some cases, the “National Committee on Vital and Health Statistics …recommended that HHS regard disclosure of immunization records to schools to be a public health disclosure, thus eliminating the requirement for [written] authorization…. While written authorization … would no longer have been required for disclosure of such information under the proposal, the covered entity would still have been required to obtain agreement, which may have been oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor.” 78 Federal Register 5616
Final Rule. “The final rule adopts the proposal to amend 45 CFR 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor….
“The final rule additionally requires that covered entities document the agreement obtained under this provision… The documentation must only make clear that agreement was obtained as permitted under this provision. For example, if a parent or guardian submits a written or email request to a covered entity to disclose his or her child’s immunization records to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that his or her child’s immunization records be disclosed to the child’s school, a notation in the child’s medical record of elsewhere of the phone call would suffice as documentation of the agreement.”
“[W]e still require active agreement from the appropriate individual, and a health care provider may not disclose immunization records to a school under this provision without such agreement…. A mere request by a school to a health care provider for the immunization records of a student would not be sufficient to permit disclosure under this provision.” 78 Federal Register 5617
There is another distinction worth noting here, with emphasis added: “[T]he Privacy Rule at 45 CFR 164.512(a) permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law…. [W]ith regard to State laws that permit but do not require covered entities to disclose immunization records to schools, this does not meet the requirements of the provisions at 164.512(a), and disclosures of immunization records are subject to the Privacy Rule agreement and documentation requirements. 78 Federal Register 5618
Note, “the Privacy Rule at 45 CFR 164.512(b) permits a covered entity to disclose protected health information for public health activities. Disclosures of protected health information to State immunization registries are therefore permitted by the Privacy Rule and also do not require authorization.” 78 Federal Register 5618.
This modification facilities removal of identified bottlenecks in getting immunization records to schools and lessens burdens on covered healthcare providers in documenting written or oral agreements by appropriate parties for doing so. It is important to note that such documentation is required to be maintained under the Privacy Rule Documentation standard at 45 CFR 164.530(j).
Here is the modified paragraph relating to school immunization records at 45 CFR 164.512(b)(1)(vi)
(b) Standard: Uses and disclosures for public health activities. (1) A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:
(vI) A school, about an individual who is a student or prospective student of the school, if:
(A) The protected health information that is disclosed is limited to proof of immunization;
(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and
(C) The covered entity obtains and documents the agreement to the disclosure from either:
(1) A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or
(2) The individual, if the individual is an adult or emancipated minor.
On Monday, we look at 45 CFR 160.408: Factors considered in determining the amount of a civil money penalty.