Health Information Compliance Alert

Reader Questions:

Understand How State Vaccine Laws and FERPA Interact

Question: With the emergency authorization of the Pfizer-BioNTech COVID-19 Vaccine for children 5 to 11 years of age solidified, we wondered how vaccination disclosures for students would work since we are still under a public health emergency (PHE) and rules about the COVID-19 vaccinations seem to be evolving quickly. Do HIPAA and FERPA apply, are they separate, or do the regulations overlap at all when it comes to students’ health privacy and vaccination disclosures?

Ohio Subscriber

Answer: When a covered entity (CE) discloses a student’s COVID-19 vaccination status to a school, the procedures would be the same as they would be for any other vaccination. This transfer of protected health information (PHI) falls under the HIPAA Privacy Rule on the part of the CE.

“A covered health care provider may disclose proof of a student’s immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure,” reminds the HHS Office for Civil Rights (OCR) in online guidance.

On the other hand, the federal privacy rights covering students’ personally identifiable information (PII) fall under the Family Educational Rights and Privacy Act of 1974 (FERPA), whereas students’ health privacy rights are protected under HIPAA.

“Generally speaking, educational institutions subject to FERPA are prohibited from sharing any personally identifiable information in a student’s educational record, unless they have specific written consent from the student’s parents and guardians, or from the adult student,” warns the National Vaccine Information Center’s online guidance. “While school vaccine information is usually a part of the educational record, protection from disclosure also depends on what entity is gathering vaccination information.”

Reminder: Your state’s vaccine laws will determine whether HIPAA or FERPA or both factor into the privacy equation. For example, if a state mandates that college students must have a COVID-19 vaccination and that state requires that vaccination information be sent directly to the health department instead of the university, then HIPAA would be the law involved. This is because vaccine-tracking agencies fall under the HIPAA regulation for third-party disclosures of PHI.

But if your state puts the onus of collecting and storing vaccine information on the student’s educational institution, then FERPA is the law of the land. The student’s personal health records can only be disclosed to third parties and vaccine-tracking registries after written consent from the parents or adult student is given.

When schools and universities offer healthcare services to students, then HIPAA and FERPA would both apply.

COVID caveat: Similar to OCR’s extensive COVID-19 PHE guidance, the Department of Education offers additional FERPA insight in a Frequently Asked Questions (FAQ) set on the intersection of the law and the virus. Some of the topics that the FAQs focus on include the following:

  • PII disclosure without consent during a PHE to public health agencies
  • PII disclosures to school and local communities after a COVID-19 diagnosis
  • PII disclosure to the media
  • PII disclosure refusals
  • Storage and timeline of requests for release of PII to government agencies

Bottom line: Check your state’s laws on COVID vaccination mandates, testing, disclosures, and storage of PHI and PII before implementing any new protocols, policies, or procedures.