Administering Vaccine, Adverse Events, Recording Information, Legal Issues, FERPA, HIPAA
School-Located Vaccination (SLV): Information for Planners
Administering Vaccine and Preventing, Managing, and Reporting Possible Vaccine-related Adverse Events
View the following publications for guidance on administering vaccine and preventing/managing adverse events, including syncope, which is most common in adolescents: General Recommendations on Immunization, and Syncope After Vaccination.
Health care providers and parents are encouraged to report clinically significant adverse events after influenza vaccine or any vaccine to the Vaccine Adverse Event Reporting System (VAERS).
A report should be submitted even if the reporter is not certain that the vaccine caused the event. Reports may be filed securely online, by mail, or by fax.
Vaccine Storage and Handling
View more information on vaccine storage and handling: Cold Chain Management Processes and Procedures for all Medical Temperature Sensitive Products, and Cold Chain Management Briefing [1.8 MB, 33 pages].
Recording, Reporting, and Tracking Vaccination Information
States may use their state immunization information system (IIS), or “immunization registries,” to collect information on influenza vaccine administration. Reporting to the IIS is not a federal mandate, but may be required under state law. These systems may be an effective method to consider when electronically transmitting data to a public health department or creating a general data file to be kept by the vaccinator in case of a possible vaccine-related adverse event. Some IIS can produce a vaccination history which can be provided to the parent/guardian and subsequently shared with the child’s health care provider. Providers may also be able to access the IIS directly to determine if their patient received influenza vaccine.
SLV clinic planners should consider mechanisms for dissemination of vaccination information to the medical home of participating students. This can be done by requesting the student’s pediatrician’s information on consent forms or other documents. The physician listed can then be sent information regarding their patient’s vaccination once the SLV clinic has occurred.
Planners may also wish to consider distributing influenza vaccination record cards to vaccinees (e.g., to parents via vaccinated children). Information can be recorded on these cards about the vaccine provider, lot number, manufacturer, etc., which can be shared with the vaccinee's primary health care provider. Information can also be recorded on the card about when the second dose is needed and what to do in case of a possible adverse event.
States should consult their legal counsel for advice concerning the applicability of legal immunity, licensure, and privacy laws that may exist with respect to persons involved in vaccination programs. The paragraphs below provide general summaries of some relevant legal authorities, but the list is not intended to be exhaustive.
National Vaccine Injury Compensation Program (VICP)
Qualified persons who administer seasonal influenza vaccines are afforded the liability protections of the National Childhood Vaccine Injury Act of 1986, as amended, because trivalent influenza vaccines are covered under the National Vaccine Injury Compensation Program (VICP). The VICP was established to compensate individuals suffering adverse events found to result from covered vaccines. For more information, visit the National Vaccine Injury Compensation Program (VICP) web site. For specific information regarding the vaccine liability protections afforded to vaccine administrators, visit the Health Resources and Services Administration (HRSA) web site.
State and Local Government Immunity
Officials of state and local governments may also have “official” or “governmental” immunity under state legislation, municipal ordinances, or as otherwise provided for by common law. These laws may differ depending upon the level of government, the nature of the official function, the presence or absence of malice, and the degree of alleged negligence. In some instances, however, this immunity may only be provided to public officers while exposing their government employers to at least limited liability. Officials may wish to contact State and local legal advisors on these matters.
Family Educational Rights and Privacy Act (FERPA)
FERPA is the federal law, administered by the U.S. Department of Education, which protects the privacy of student education records, including health records, maintained by educational agencies and institutions. The law applies to all educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education. FERPA generally prohibits the disclosure, without prior written consent, of education records or personally identifiable information (PII) from education records to outside entities, although there are a number of exceptions to the requirement of prior written consent. More information on the Family Educational Rights and Privacy Act (FERPA).
The applicability of FERPA will vary based on who is conducting the school-located vaccination clinic as follows:
- If a public health department, or an entity acting on its behalf (e.g., a commercial community vaccinator with whom the public health department developed a contract), conducts the clinic and maintains the student’s records, FERPA does not apply to the vaccination records because they are maintained by the public health department.
- If a school, school district, or an entity acting on its behalf (e.g., a commercial community vaccinator with whom the school or district developed a contract) conducts the clinic and maintains the student's records, FERPA applies to the vaccination records because they are maintained by the school or school district.
- If an entity, other than the public health department or the school/school district, conducts the clinic (e.g., a commercial community vaccinator not under a contract with the school or the public health department) and maintains the student's records, then FERPA does not apply to the vaccination records because they are not maintained by an educational institution or agency or a party acting for an educational institution or agency.
Under the FERPA regulations at 34 Code of Federal Regulations (C.F.R.) Part 99, many disclosures of PII from education records of students require signed and dated parental consent. However, when a student turns 18 years of age or attends an institution of postsecondary education, the signed and dated consent must be obtained from the student. 34 C.F.R .99.3 (definition of “Eligible student”) and 99.5. The FERPA regulations provide that the prior written consent must specify the records to be disclosed, the purpose of the disclosure, and the party or class of parties to whom the disclosure may be made. 34 C.F.R. 99.30. For example, in the absence of a health or safety emergency, signed and dated consent is generally needed for a school to release PII from education records to public health authorities (e.g., for entry into an immunization registry) or to the child’s health care provider (e.g., for inclusion in the child’s health care record).
Certain disclosures may be made without prior written consent. 34 C.F.R. 99.31. For example, a disclosure may be made without prior written consent to other school officials within the educational agency or institution whom the agency or institution has determined to have legitimate educational interests (e.g., school officials may be informed that a student has the influenza virus and has been advised to stay at home; the disclosure is needed so that school officials can monitor whether that student nevertheless attends school or a school-related activity). 34 C.F.R. 99.31(a)(1). Additional information regarding disclosures in a health or safety emergency may be found at 34 CFR 99.31(a)(10) and 99.36.
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information by requiring appropriate safeguards to protect privacy, and setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
In most cases, the HIPAA Privacy Rule does not apply to elementary or secondary schools because the schools either: (1) are not HIPAA covered entities; or (2) are HIPAA covered entities, but maintain health information on students only in records that are by definition “education records” under FERPA and, therefore, are not subject to the HIPAA Privacy Rule. If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly.
More information on HIPAA at the HHS Health Information Privacy web site.
More information on HIPAA and the Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records [286 KB, 13 pages].