What is HIPAA?
In 1996 the U.S. Congress passed the Health Insurance Portability & Accountability Act (HIPAA), which increased individuals' ability to maintain health insurance coverage. In addition, the U.S. Department of Health and Human Services was required under HIPAA to issue regulations:

  • Standardizing the formats of electronic health care claims and transactions (known as the Transaction Rule);
  • Establishing new requirements for the privacy of individually identifiable health care information (known as the Privacy Rule); and
  • Establishing new requirements for the security of electronic health care information (known as the Security Rule).

The FAQs below will discuss some of the effects of these rules on school health programs and staff, including whether school health programs must comply with the requirements of the Transaction, Privacy and Security Rules.

What is a "Public Health Authority" under HIPAA?
HIPAA defines a Public Health Authority as "an agency or authority of the United States, a State or territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate." 45 C.F.R. §164.501

HIPAA provides that covered entities may disclose PHI to a public health authority that "is authorized by law to collect or receive such information for the purposes of preventing or controlling disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations and public health interventions." 45 C.F.R. §164.512 (b)

Is an authorization required before physicians and other covered providers are permitted under HIPAA to disclose information and records related to a patient's immunization status to a public school and its agents, including school nurses?
No, an authorization is not required before physicians and other covered providers disclose information and records related to a patient's immunization status to a school and its agents, including school nurses.

Under HIPAA (45 C.F.R. § 164.512(b)) health care providers are permitted to disclose immunization records, without an individual authorization, to public health authorities that are authorized by law to collect such information.

105 CMR 300.191 (b) provides that "School nurses are authorized to obtain from health care providers the immunization records or other immunization related information required for school admission, without authorization of the child's parent(s) or legal guardian(s)…"

For a more detailed explanation, please visit: Release of immunization records from a health provider to school nurses without an authorization.

How does HIPAA affect a nurse's authority to disclose immunization information to a physician?
The parameters of a school nurse's ability to disclose health information about a student directly to a physician are dictated by the provisions of the Family Education Rights and Privacy Act (FERPA) and not by HIPAA. Therefore, the analysis in question three (3) does not apply when a school nurse discloses information to a physician. Under FERPA, a school nurse generally is not permitted to disclose immunization information to a physician without consent. However, with consent, a school nurse is free to communicate directly with a physician regarding immunization information. Therefore, school nurses should consider seeking consent on an annual basis from a student's parent or guardian to share information with physicians concerning immunizations.

Is an authorization required before physicians and other covered providers are permitted under HIPAA to discuss the treatment of a patient with a school nurse, regarding a patient enrolled at the school?
No, an authorization is not required. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment of the individual. See 45 CFR 164.506 and the definition of "treatment" at 45 CFR 164.501.

Do school health programs and their staff have to comply with the Transaction Rule?
The answer depends on whether health care providers, including school health programs and staff, transmit any health information in electronic form in connection with a HIPAA standard transaction, making them a covered entity under HIPAA. Covered entities must comply with the requirements of the Transaction Rule, including the use of specified data elements and transaction codes, when engaging in a standard transaction.

There are eight standard transactions under HIPAA, including the billing of third-party payers such as a health plan. Thus, school health programs that transmit any health information in electronic form when billing an insurer (or in connection with any other standard transaction) are covered entities and will have to comply with the requirements of the Transaction Rule when engaging in a standard transaction. School health program staff that are unsure of their potential coverage under the Transaction Rule should speak with school officials or counsel regarding this issue.

One important aspect of the Transaction Rule is that it does not apply to health care providers when billing by paper; nor does the Transaction Rule require providers to switch to electronic billing.

Finally, it should be emphasized that most school nurses will probably never transmit any health information in electronic form in connection with a standard transaction and thus will not have to follow HIPAA's Transaction requirements.

For more information regarding the Transaction Rule, please visit: Centers for Medicare and Medicaid Services.

Do school health programs that must comply with the Transaction Rule also have to comply with the HIPAA Privacy and Security Rules?
The answer depends on whether a school health program maintains records covered by the Family Education Rights and Privacy Act (FERPA).

The question is the basis of much discussion and there is no consensus nationally. Based on an analysis of available materials, and until the HHS Office of Civil Rights provides guidance to the contrary, the Massachusetts Department of Public Health concludes that school health programs and staff at FERPA-covered schools do not have to comply with any of the Privacy or Security Rule's requirements in relation to any health information in education records protected by FERPA. This is true even if they transmit any information electronically in connection with a standard transaction.

The requirements of both the Privacy and Security Rules apply only to the protected health information (PHI) maintained by a HIPAA covered entity. However, these Rules exclude education records subject to FERPA from the definition of PHI. Congress clearly indicated that FERPA should continue to govern the privacy and security of education records. See 45 C.F.R. § 160.102(a)(3) and § 164.500(a). The Transaction Rule, however, does not exclude education records subject to FERPA.

But note, school health programs and staff at schools not receiving federal funds (and therefore not covered by FERPA) that engage in a HIPAA standard transaction will need to comply with the requirements of the Transaction, Privacy and Security Rules. The FERPA exception only applies to records maintained by school health programs and staff at schools covered by FERPA. School health program staff that are unsure of their FERPA coverage should speak with school officials or counsel regarding this issue.

For a more detailed explanation, please visit: Memorandum: HIPAA and FERPA

Can a covered entity under HIPAA (for example a physician or other licensed health care provider) fax protected health information (PHI) to a school nurse?
Yes. In December of 2002 the Office of Civil Rights issued guidance stating that the HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider by fax or by other means so long as:

  • The disclosure is allowed under HIPAA and other applicable laws; and
  • Both the disclosing and receiving entity have in place "reasonable and appropriate administrative, technical, and physical safeguards" to protect the privacy of the PHI that is disclosed.

What types of disclosures may a covered entity permissibly make to a school nurse under HIPAA?
A covered provider may permissibly disclose PHI to a school nurse in situations including, but not limited to, the following:

  • Immunization records, which may be disclosed to a school nurse without individual authorization pursuant to 45 CFR § 164.512(b) and 105 CMR 300.191 (B).
  • PHI for which there is an individual authorization.
  • PHI necessary for the treatment of the child. The provider may disclose treatment information to a school nurse, regardless of whether the school nurse is also a covered entity. 45 CFR § 164.506 (c) (1) or (2).

What are examples of "reasonable and appropriate administrative, technical, and physical safeguards" to protect the privacy of the PHI that is disclosed by fax?
Although school nurses are typically not covered entities under HIPAA, they should, nonetheless, develop and follow reasonable and appropriate safeguards for receiving as well as disclosing PHI by fax. Before covered entities will fax PHI to school nurses, they may require assurances that the school nurse has appropriate safeguards in place. Such safeguards may include, for example, procedures to assure that the fax is in a secure location accessed only by staff authorized to see PHI or procedures that assure that an authorized staff member is at the fax machine to receive the faxed PHI.

Under the Privacy Rule can a covered entity honor an individual authorization form that is a faxed copy rather than the original form?
Yes. Health and Human Services (HHS) stated with respect to this question that covered entities may rely upon a faxed copy of an individual authorization form as long as it is legible. The original is not required to meet the covered entity's responsibilities under the Privacy Rule. HHS also considers a copy or electronically transmitted version of a signed authorization a valid authorization under the Privacy Rule.

 


This information is provided by the School Health Services within the Department of Public Health.