Policies
> HIPAA > FAQs
HIPAA
Health
Insurance Portability & Accountability
Act of 1996
HIPAA and Public Health Site Visits
Access to Patient Records during
AFIX and VFC Visits
August
11, 2003
|
At
a Glance: This guidance
is intended to give health
care providers and public health
agencies specific information
regarding the HIPAA Privacy
Rule and access to patient
records during Assessment,
Feedback, Incentives, Exchange
(AFIX) and Vaccines for Children
(VFC) site visits. Several
frequently asked questions
posed to the CDC legal counsel
for interpretation are presented
below. Additional sources of
information and reference materials
available on the internet are
also included. |
|
|
Questions answered on this page: |
- Can
patient records be reviewed by
health department staff, or their
contractual agents such as the
AAP or the VNA, for the purpose
of conducting AFIX provider site
visits?
- Can
patient records be reviewed by
health officials or their agents
for the purpose of conducting
VFC provider site visits?
- Are
VFC providers required to allow
health officials access to the
immunization records of children
in their practice to determine
compliance with VFC requirements?
- Can
health care providers, daycare
operators, Head Start and school
officials share immunization
information with another provider
or school to update missing immunization
history or bring children into
compliance with daycare, Head
Start and school requirements?
- Can
patient identifiers, including
name and birthdate, be collected
and stored electronically, incidental
to AFIX or VFC visits?
- Can
patient records be reviewed by
health department staff, or their
contractual agents such as the
American Academy of Pediatrics
(AAP) or the Visiting Nurses
Association (VNA), for the purpose
of conducting AFIX provider site
visits?
Yes.
Under 45 CFR § 164.512(b)
of the HIPAA Privacy Rule,
covered entities may disclose
protected health information
without authorization to public
health authorities that are
authorized by law to collect
such information for public
health purposes. AFIX, authorized
under section 317 of the Public
Health Service Act, is a public
health strategy to raise immunization
coverage levels and improve
standards of practices at the
provider level. AFIX providers,
as covered entities, may share
patient records with health
department staff or their contractors
because a health department
is a public health authority
authorized by law to review
patient records for AFIX purposes,
or because health department
contractors are acting under
a grant of authority from a
public health authority. In
addition, state health departments
may have authority under applicable
state law to collect this information.
Top
- Can
patient records be reviewed by
health officials or their agents
for the purpose of conducting
VFC provider site visits?
Yes.
As explained in the answer
to question 1 above, under
45 CFR § 164.512(b) of
the HIPAA Privacy Rule, covered
entities may disclose protected
health information without
authorization to public health
authorities that are authorized
by law to collect such information
for public health purposes.
VFC is a public health program
that provides vaccines for
children in certain eligibility
groups. The VFC program was
authorized under Section 1928
of the Social Security Act
and has been delegated to CDC
to administer. VFC providers,
as covered entities, may share
patient records with health
officials or their agents because
a health department is a public
health authority authorized
by law to review patient records
for VFC purposes, or because
contractors are acting under
a grant of authority from a
public health authority.
Top
- Are
VFC providers required to allow
health officials access to the
immunization records of children
in their practice to determine
compliance with VFC requirements?
The
HIPAA Privacy Rule permits
providers to share immunization
records with public health
officials for public health
purposes as otherwise authorized
by law. Under the VFC statute,
at 42 U.S.C. 1396s(c)(2), as
a condition of participation
in the VFC program providers
must share immunization records
with health officials to verify
compliance with VFC program
requirements, including:
- screening
of all children in their
practice to determine VFC
eligibility;
-
to determine provider compliance
with the VFC immunization
schedule regarding the appropriate
periodicity, dosage and contraindications
applicable to the vaccines;
-
to determine provider compliance
with applicable State law,
including any such law relating
to any religious or other
exemption;
-
to verify that VFC vaccine-eligible
children are not being charged
for the cost of the vaccine;
-
to verify that any administration
fees being charged do not
exceed the caps established
by CMS;
-
to verify that the provider
does not deny administration
of vaccine to vaccine-eligible
children due to the inability
of the child’s parent
to pay an administration
fee.
Top
- Can
health care providers, daycare
operators, Head Start and school
officials share immunization
information with another provider
or school to update missing immunization
history or bring children into
compliance with daycare, Head
Start and school requirements?
Health
care providers (or other covered
entities) may share immunization
information with other health
care providers as needed to
make treatment decisions, such
as to give further immunizations.
Providers may also disclose
immunization information to
schools, without authorization,
if permitted or required by
State law. These State laws
would not be preempted by the
Privacy Rule. (45 CFR 160.203(c)).
In the absence of such a State
law, it appears that such disclosures
to schools will require individual
authorization. Immunization
records held by day care centers
and schools are not protected
health information under the
Privacy Rule. Disclosures of
immunization information by
schools is covered by the Family
Educational Rights and Privacy
Act (FERPA). (45 CFR 164.501).
Top
- Can
patient identifiers, including
name and birthdate, be collected
and stored electronically, incidental
to AFIX or VFC visits?
Yes.
Under 45 CFR § 164.512(b)
of the HIPAA Privacy Rule, covered
entities may disclose protected
health information--including
name, birthdate, and other individually
identifiable health information--to
public health authorities that
are authorized by law to collect
such information for public health
purposes. However, other requirements
of the Privacy Rule (including
minimum necessary, verification
of identity, and accounting requirements)
may apply to covered entities
making these disclosures. For
a full explanation of these requirements,
see the website of the Office
for Civil Rights (www.hhs.gov/ocr/hipaa)
(responsible for enforcing the
Privacy Rule), or CDC/DHHS guidance
on the Privacy Rule and Public
Health, in
the MMWR,
HIPAA Privacy Rule and Public
Health (printable version
is available at http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf).
Once
protected health information
has been disclosed to a public
health authority for a public
health activity pursuant to section
164.512(b) of the Privacy Rule,
the information may be stored
in whatever way is reasonable
for conducting the public health
activity, including electronically,
so long as the storage is consistent
with other applicable State and
Federal law.
Links
to additional sources of information
may be found on the CDC website
at www.cdc.gov/nip/registry
or by returning to the HIPAA
Policies page.
|
Return
to HIPAA Policies page
|