HIPAA and Access to Patient Records during IQIP & VFC Visits


These questions and answers are intended to provide guidance to health care providers and public health agencies about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and its relationship to access to patient records during Immunization Quality Improvement for Providers (IQIP) and Vaccines for Children (VFC) site visits. It is not intended to provide legal advice to you or your organization.

Q: Can patient records be reviewed by health department staff, or their contractual agents such as the American Academy of Pediatrics (AAP) or the Visiting Nurses Association (VNA), for the purpose of conducting IQIP site visits?

A: Under 45 CFR § 164.512(b), for disclosures not required by law, covered entities may disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure. IQIP, authorized to be undertaken by CDC under section 317 of the Public Health Service Act, is a public health strategy to promote and support the implementation of provider-level immunization quality improvement strategies. VFC providers, as covered entities, may share patient records with public health authorities or their contractors because public health authorities are permitted by law to review patient records for IQIP purposes, or because public health contractors are acting under a grant of authority from a public health authority. In addition, public health authorities may have permission under applicable state law to collect this information.

Q: Can patient records be reviewed by health officials or their agents for the purpose of conducting VFC provider site visits?

A: As explained in the answer to question 1 above, under 45 CFR § 164.512(b), for disclosures not required by law, covered entities may disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure. VFC is a public health program that provides vaccines for children in certain eligibility groups. The VFC program was authorized under Section 1928 of the Social Security Act and has been delegated to CDC to administer. VFC providers, as covered entities, may share patient records with public health officials or their agents because public health authorities are permitted by law to review patient records for VFC purposes, or because contractors are acting under a grant of authority from a public health authority.

Q: Are VFC providers required to allow health officials access to the immunization and billing records of children in their practice to determine compliance with VFC requirements?

A: The HIPAA Privacy Rule permits providers to share immunization records with public health officials for public health purposes as otherwise authorized by law. Under the VFC statute, at 42 U.S.C. 1396s(c)(2), as a condition of participation in the VFC program providers must share immunization records with health officials to verify compliance with VFC program requirements, including:

  1. screening of all children in their practice to determine VFC eligibility;
  2. to determine provider compliance with the VFC immunization schedule regarding the appropriate periodicity, dosage and contraindications applicable to the vaccines;
  3. to determine provider compliance with applicable State law, including any such law relating to any religious or other exemption;
  4. to verify that VFC vaccine-eligible children are not being charged for the cost of the vaccine;
  5. to verify that any administration fees being charged do not exceed the caps established by CMS;
  6. to verify that the provider does not deny administration of vaccine to vaccine-eligible children due to the inability of the child’s parent to pay an administration fee;
  7. to verify that only a single bill for the administration fee is sent to parents within 90 days of the date of the visit; and
  8. to verify that any unpaid balances for VFC-eligible children are not turned over to collections.

Q: Can health care providers, daycare operators, Head Start and school officials share immunization information with another provider or school to update missing immunization history or bring children into compliance with daycare, Head Start and school requirements?

A: Health care providers (or other covered entities) may share immunization information with other health care providers as needed to make treatment decisions, such as to give further immunizations. Providers may also disclose immunization information to schools, without authorization, if permitted or required by State law. These State laws would not be preempted by the Privacy Rule (45 CFR 160.203(c)). In the absence of such a State law, it appears that such disclosures to schools will require individual authorization. Immunization records held by day care centers and schools are not protected health information under the Privacy Rule. Disclosures of immunization information by schools are covered by the Family Educational Rights and Privacy Act (FERPA) (45 CFR 164.501).

Q: Can patient identifiers, including name and birthdate, be collected and stored electronically, incidental to IQIP or VFC visits?

A: Under 45 CFR § 164.512(b) of the HIPAA Privacy Rule, covered entities may disclose protected health information–including name, birthdate, and other individually identifiable health information–to public health authorities that are authorized by law to collect such information for public health purposes. However, other requirements of the Privacy Rule (including minimum necessary, verification of identity, and accounting requirements) may apply to covered entities making these disclosures. For a full explanation of these requirements, see the web site of the Office for Civil Rights (responsible for enforcing the Privacy Rule), or the CDC/DHHS guidance on the Privacy Rule and Public Health in the MMWR, "HIPAA Privacy Rule and Public Health," also available as a printable version (24 pages).

Once protected health information has been disclosed to a public health authority for a public health activity pursuant to section 164.512(b) of the Privacy Rule, the information may be stored in whatever way is reasonable for conducting the public health activity, including electronically, so long as the storage is consistent with other applicable state and federal law.

Links to additional sources of information may be found on the CDC IIS web site or by returning to the HIPAA Overview.

Page last reviewed: September 30, 2016