No; however, State or other applicable laws may impose retention requirements for such records. Further, in most cases, the Privacy Rule will not provide protections to the immunization records maintained by a school because: (1) the school is not a HIPAA covered entity; or (2) the records are maintained by an educational institution or agency to which the Family Educational Rights and Privacy Act (FERPA) applies and, thus, are protected by FERPA and not HIPAA.

No, 45 CFR 164.512(b)(1)(vi) of the Privacy Rule permits the disclosure of proof of immunization about a student or prospective student only to a school that is required by State or other law to have such information prior to admitting the student. In the limited case where a school is not subject to a school entry law but seeks proof of immunization of students, a covered health care provider may either provide the proof of immunization to the parent of the student (or student, if applicable) to give to the school, or obtain the parent’s (or student’s, if applicable) written authorization to provide the requested information directly to the school.

No. The Privacy Rule permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of that law. See 45 CFR 164.512(a). In such cases, the covered entity is not required to also meet the conditions of 45 CFR 164.512(b)(1)(vi) in making the required by law disclosure.

In most cases, it is anticipated that a health care provider will obtain agreement for the disclosure of proof of immunization to a school at the time a particular disclosure is needed. For example, a parent may call and request that a covered health care provider send proof of his or her child’s immunizations to an elementary school before the child is to begin school. If that child moves to a different school and is unable to transfer the immunization records to the new school, the parent may then need to request that the health care provider send the child’s records directly to the new school. However, in some circumstances the scope of the agreement may vary based on the needs of the parent and the school. For example, a parent may agree to the health care provider making multiple disclosures over a period of time, such as where updates are required by a school when a series of vaccinations have been completed.

No. It is expected that in most cases a school has designated an administrative official or employee, such as a school nurse, to receive and maintain proof of student immunizations to comply with applicable law. Given the designated person may vary from school to school, the Privacy Rule permits the health care provider to make the disclosure to whoever at the school is identified in the parent’s request or school’s instructions to the parent.

The Privacy Rule does not prescribe the nature and form of the documentation, allowing covered entities the flexibility to determine what is appropriate for their purposes and to address the varied circumstances in which parental agreement may be obtained. The documentation must only make clear that agreement was obtained as required by 45 CFR 164.512(b)(1)(vi) of the Privacy Rule. For example, if a parent or guardian submits a written or email request to a covered entity to disclose proof that his or her child has been immunized to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that proof of his or her child’s immunization be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement. The documentation for these purposes need not include the signature of a parent or guardian or any of the other elements required under the Privacy Rule for a written HIPAA authorization. As with other documentation required under the Privacy Rule, documentation of parental agreement for these purposes must be maintained for six years. See 45 CFR 164.530(j).

Yes, provided the school is required by law to have proof of immunizations in order to admit the child, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi). Where the individual who is a student or prospective student is an adult or emancipated minor, the provider may make the disclosure with the agreement of the student herself. In either case, the agreement may be obtained orally or in writing, but must be documented (e.g., by placing in the medical record a copy of a written request, or notation of an oral request, from a parent for the provider to disclose the proof of immunization to the school).