A mother called the Health Information Management Department to request a copy of her child’s immunization records for the school he was about to enter. She requested that the records be released based on her telephone request as it was her understanding that written authorization was no longer required.
Here are my thoughts…
According to the Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, that became effective March 26, 2013, a covered entity is permitted to disclose proof of immunization to a school where state or other law requires it prior to admitting a student. The caller was correct in stating that she did not need to send in a full authorization, given that the state of Massachusetts requires students to produce proof of specific immunizations prior to admission, however, an agreement must still be obtained.
- The final rule allows the facility to decide what information needs to be captured regarding the agreement to determine what is needed for their purposes.
- The documentation must make clear that the agreement was obtained, as permitted under this provision.
- Written or e-mail requests suffice as documentation of the agreement.
- Although an agreement obtained under this provision is considered effective until revoked by the parent, guardian or other person acting in loco parentis, or by the individual himself (adult or emancipated minor), the agreement is not to be treated the same as a HIPAA-compliant authorization.
What are your thoughts?