Department of Health and Human Services
Centers for Disease Control and Prevention


Vaccines & Immunizations

HIPAA - Access to Patient Records during AFIX & VFC Visits
Health Insurance Portability and Accountability Act of 1996
August 11, 2003

This guidance is intended to give health care providers and public health agencies specific information regarding the HIPAA Privacy Rule and access to patient records during Assessment, Feedback, Incentives, Exchange (AFIX) and Vaccines for Children (VFC) site visits. Several frequently asked questions posed to the CDC legal counsel for interpretation are presented below. Additional sources of information and reference materials available on the internet are also included.

Can patient records be reviewed by health department staff, or their contractual agents such as the American Academy of Pediatrics (AAP) or the Visiting Nurses Association (VNA), for the purpose of conducting AFIX provider site visits?

Yes. Under 45 CFR § 164.512(b) of the HIPAA Privacy Rule, covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes. AFIX, authorized under section 317 of the Public Health Service Act, is a public health strategy to raise immunization coverage levels and improve standards of practice at the provider level. AFIX providers, as covered entities, may share patient records with health department staff or their contractors because a health department is a public health authority authorized by law to review patient records for AFIX purposes, or because health department contractors are acting under a grant of authority from a public health authority. In addition, state health departments may have authority under applicable state law to collect this information.

Can patient records be reviewed by health officials or their agents for the purpose of conducting VFC provider site visits?

Yes. As explained in the answer to question 1 above, under 45 CFR § 164.512(b) of the HIPAA Privacy Rule, covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes. VFC is a public health program that provides vaccines for children in certain eligibility groups. The VFC program was authorized under Section 1928 of the Social Security Act and has been delegated to CDC to administer. VFC providers, as covered entities, may share patient records with health officials or their agents because a health department is a public health authority authorized by law to review patient records for VFC purposes, or because contractors are acting under a grant of authority from a public health authority.

Are VFC providers required to allow health officials access to the immunization records of children in their practice to determine compliance with VFC requirements?

The HIPAA Privacy Rule permits providers to share immunization records with public health officials for public health purposes as otherwise authorized by law. Under the VFC statute, at 42 U.S.C. 1396s(c)(2), as a condition of participation in the VFC program providers must share immunization records with health officials to verify compliance with VFC program requirements, including:

    1. screening of all children in their practice to determine VFC eligibility;
    2. to determine provider compliance with the VFC immunization schedule regarding the appropriate periodicity, dosage and contraindications applicable to the vaccines;
    3. to determine provider compliance with applicable State law, including any such law relating to any religious or other exemption;
    4. to verify that VFC vaccine-eligible children are not being charged for the cost of the vaccine;
    5. to verify that any administration fees being charged do not exceed the caps established by CMS;
    6. to verify that the provider does not deny administration of vaccine to vaccine-eligible children due to the inability of the child’s parent to pay an administration fee.

Can health care providers, daycare operators, Head Start and school officials share immunization information with another provider or school to update missing immunization history or bring children into compliance with daycare, Head Start and school requirements?

Health care providers (or other covered entities) may share immunization information with other health care providers as needed to make treatment decisions, such as to give further immunizations. Providers may also disclose immunization information to schools, without authorization, if permitted or required by State law. These State laws would not be preempted by the Privacy Rule (45 CFR 160.203(c)). In the absence of such a State law, it appears that such disclosures to schools will require individual authorization. Immunization records held by day care centers and schools are not protected health information under the Privacy Rule. Disclosure of immunization information by schools is covered by the Family Educational Rights and Privacy Act (FERPA) (45 CFR 164.501).

Can patient identifiers, including name and birthdate, be collected and stored electronically, incidental to AFIX or VFC visits?

Yes. Under 45 CFR § 164.512(b) of the HIPAA Privacy Rule, covered entities may disclose protected health information--including name, birthdate, and other individually identifiable health information--to public health authorities that are authorized by law to collect such information for public health purposes. However, other requirements of the Privacy Rule (including minimum necessary, verification of identity, and accounting requirements) may apply to covered entities making these disclosures. For a full explanation of these requirements, see the website of the Office for Civil Rights, which is responsible for enforcing the Privacy Rule (www.hhs.gov/ocr/hipaa), or the CDC/DHHS guidance on the Privacy Rule and Public Health in the MMWR, HIPAA Privacy Rule and Public Health (printable version is available at www.cdc.gov/mmwr/pdf/other/m2e411.pdf).

Once protected health information has been disclosed to a public health authority for a public health activity pursuant to section 164.512(b) of the Privacy Rule, the information may be stored in whatever way is reasonable for conducting the public health activity, including electronically, so long as the storage is consistent with other applicable State and Federal law.

Links to additional sources of information may be found on the CDC website at www.cdc.gov/vaccines/programs/iis/ or by returning to the HIPAA Policies page.

This page last modified on April 24, 2007
Content last reviewed on April 24, 2007
Content Source: National Center for Immunization and Respiratory Diseases

Centers for Disease Control and Prevention 1600 Clifton Rd, Atlanta, GA 30333, U.S.A
Public Inquiries: 1-800-CDC-INFO (232-4636); 1-888-232-6348 (TTY)