The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) actually has two sections, Title I and Title II.
Title I deals with the protection of health insurance coverage for those people who lose or change jobs.
Title II deals with the standardization of healthcare-related information systems. It requires medical providers to ensure that they protect the privacy and security of their patients' medical information and also that they use a standard format when submitting electronic transactions, such as submitting claims to payers.
HIPAA seeks to establish standardized mechanisms for electronic data interchange, security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.
The compliance date for HIPAA’s Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, was April 2003. The Privacy Rule governs the use and disclosure of protected health information by “covered entities”. Health care providers, health plans and health care clearinghouses are covered entities. Since most registries (IIS) do not perform covered functions (e.g. direct service payments), they are not required to comply with HIPAA. However, maintaining the privacy and security of immunization data has been and continues to be a major priority of registry developers and public health personnel nationwide.
For detailed information on HIPAA, see the Health and Human Services website at http://www.hhs.gov/ocr/hipaa/
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive federal funds under an applicable program of the U.S. Department of Education and gives parents certain rights with respect to their children's education records. The rights include:
Schools may disclose, without consent, information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance, but they must tell the parents, guardians and/or eligible students about the directory information and allow them a reasonable amount of time to request that the school not disclose this information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
Under HIPAA, Covered Entities (including health departments and immunization registries) are subject to other federal laws and regulations, but HIPAA excludes any records that are covered by FERPA. That means the information contained in an education record is exempt from HIPAA requirements and only subject to FERPA requirements.
A problem arises with regard to immunization registries, public health practice and FERPA. Most states have mandatory student immunization laws, along with requirements for schools to monitor student compliance with these laws. Immunization registries provide a very efficient way to monitor that compliance. Immunization data flowing into the schools from the immunization registry is not restricted by FERPA and is therefore a great tool to determine if students are in compliance with immunization regulations for school entry. The schools, in turn, collect important immunization data that would be very beneficial to include in registries (from shots given at school clinics and student compliance documentation provided to the schools by parents and providers). FERPA requires written parental consent for this data to be provided to the registry. Ideally, FERPA should contain provisions similar to those made under HIPAA laws allowing disclosure to public health where it is mandated or permitted by law. Unfortunately, this is not currently the case, so the flow of information from the schools into the immunization registry is severely, if not totally, limited.