Confidentiality/Security

HIPAA and Schools

How does the Health Insurance Portability and Accountability Act of 1996 (HIPAA) affect the release of immunization data to schools and child care centers?

A school acts as a “public health authority” when it is statutorily required to track the immunization status of its enrolled children. HIPAA allows protected health information – in this case, an individual’s immunization information – to be disclosed to public health authorities for such purposes. While signed authorizations are not required for these public health disclosures, they are permitted by HIPAA. Any release made without a signed authorization needs to be recorded so that there is a record should an individual request an “accounting of disclosures” at a later date.

What qualifies as a “school?”

Under Colorado statue, a “school” is a public, private, or parochial nursery school, day care center, child care facility, family child care home, foster care home, Head Start program, kindergarten, or elementary or secondary school through grade twelve, or a college or university. “School” does not include a public services short-term child care facility as defined in section 26-6-102 (6.7), C.R.S., a guest child care facility as defined in section 26-6-102 (5), C.R.S., a ski school as defined in section 26-6-103.5 (6), C.R.S., or college or university courses which are offered off-campus; or are offered to non-traditional adult students, as defined by the governing board of the institution; or are offered at colleges or universities which do not have residence hall facilities.

Click here for more information about CIIS and HIPAA.