How does HIPAA apply to student immunization records?

School immunization records are protected by HIPAA when they are created and maintained by covered entities rather than schools. In this instance, HIPAA, rather than FERPA, dictates how schools can access student immunization records during the enrollment process and before admission. 

Are student immunization records considered protected health information (PHI)?

Student immunization records are considered protected health information (PHI) under HIPAA. They fall into this category because they contain personal details about the student's medical history, specifically the vaccinations they have received from their chosen healthcare provider outside of a school environment. 

How does HIPAA apply to student immunization records?

When healthcare providers maintain immunization records, they are considered PHI (unlike school based records which are governed by FERPA).  This means that disclosures of these records need to comply with HIPAA’s requirements for the protection of patient information. The measures for this protection include the use of secure communication methods such as HIPAA compliant email when sharing any PHI. 

There are also additional requirements set in place when it comes to the disclosure of immunization records with schools. HHS guidance states, “The Privacy Rule permits a covered health care provider to disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof before admitting the student…”

The guidance goes on to provide that healthcare providers need to obtain and document the agreement to the disclosure from either: 

• A parent, guardian, or other person acting in loco parentis (i.e., person or entity acting as a caregiver in the place of a parent) 
• The student himself if he is an emancipated minor
  
  

Best practices to ensure that student immunization records remain secure 

Use secure electronic transmission

• Use encrypted communication methods like HIPAA compliant email when sending any PHI including student immunization records.
• Establish a practice of sending all emails, including nonPHI communications, through HIPAA compliant platforms. 

Data minimization

• Share only the necessary information for school admissions, 
• Avoid sharing full patient histories or additional medical information that does not relate to immunizations. 

Verification of recipients

• Before sending immunization records, verify the identity and authorization of the school personnel. 

Obtain appropriate consent

• Ensure that appropriate consent from parents or guardians is documented before sharing immunization records with schools. 
• The consent should specify what information is being shared and with whom.
  
  

FAQs

What is FERPA? 

The Family Educational Rights and Privacy Act protects the privacy of student education records and gives parents certain rights regarding those records. 

When are student medical records covered by FERPA? 

When they are maintained by a school as part of a student's educational records and directly related to a student's educational experience. 

What is the Privacy Rule?

It establishes the national standards for the protection of individual medical records.