COVID-19 Vaccines and Emergency Use Authorizations

Recently, the U.S. Food and Drug Administration approved the use of updated COVID-19 vaccines formulated to target variants of the virus that are currently circulating. Included in the Emergency Use Authorization are mRNA vaccines for 2023-2024 from ModernaTX Inc. and Pfizer Inc., as well as the Novavax COVID-19 Vaccine, Adjuvanted. These updated vaccine formulations provide better protection against newer strains of the virus than previous formulations and help prevent serious consequences of COVID-19 infections, such as hospitalization and death.

How are vaccines tested?

All vaccines are required to go through three phases of clinical development before FDA approval. Phase 1 involves small groups of people (20-100 individuals) receiving the trial vaccine while researchers gather information about the vaccine’s efficacy and any side effects. Phase 2 expands the clinical trial to hundreds of trial participants of varying demographic backgrounds, which provides additional safety information on side effects and risks. Phase 3 includes thousands of trial participants. This phase allows researchers to confirm the efficacy of the vaccine and to monitor side effects and their varying levels of commonality. After all three phases have been completed, the FDA reviews the data and approves the vaccine for use in the general population if they determine that the benefits of the vaccine outweigh the potential risks of contracting the disease that it helps prevent or mitigate. A fourth phase takes place after approval, which evaluates the vaccine’s safety and effectiveness over a longer period of time.

What is an Emergency Use Authorization?

Vaccines approved under an Emergency Use Authorization (EUA), like COVID-19 vaccines, go through the same testing process as any other vaccine. An EUA is used to speed up the clinical development process. All three phases are still completed before the FDA approves the vaccine for use, but the trial phases may be overlapped. According to data from the CDC and other sources, all available COVID-19 vaccines are safe for use and the risk of any possible side effects has been shown to be less severe than the potential risks of contracting COVID-19 without prior vaccination. The CDC recommends that children and adults ages 6 months and older receive an updated vaccine.

New OSHA Injury Tracking

New Requirements for Some Employers

For employers with 100 or more employees in designated high-hazard industries, there is a new requirement to electronically submit detailed information about each recordable injury and illness entered on their previous calendar year’s OSHA Form 300 Log and Form 301 Incident Report. The data will be used to better analyze injury trends related to specific industries, processes, or hazards. While OSHA plans to make most of the data that is submitted available to the public, it will take several steps to protect the identity of injured or ill workers. This article will help you determine whether this new requirement applies to your workplace and will provide an overview of the newly required reporting.

Healthcare-related industry classifications designated as high-hazard:

6219 – Other ambulatory health care services.

6221 – General medical and surgical hospitals.

6222 – Psychiatric & substance abuse hospitals.

6223 – Specialty (except psychiatric and substance abuse) hospitals.

6231 – Nursing care facilities.

6232 – Residential mental retardation, mental health and substance abuse facilities.

6233 – Community care facilities for the elderly.

6239 – Other residential care facilities.

Only those workplaces that fall within one of the categories listed above and that also employed 100 or more employees at any point during the previous calendar year are subject to the new reporting requirements. If you still question whether your workplace is covered, you may access OSHA’s ITA Coverage Application here: https://www.osha.gov/itareportapp

Affected workplaces must electronically submit their data through OSHA’s Injury Tracking Application (ITA). You may access the website here: https://www.osha.gov/injuryreporting

Requested information will include the date, physical location, and severity of the injury or illness; details about the worker who was injured; and details about how the injury or illness occurred. Information to be submitted is already required to be recorded on OSHA forms 300 and 301. (Workplaces that are covered by the new requirement are already required to submit information from their OSHA Form 300A Annual Summary.)

The ITA will begin accepting 2023 injury and illness data on January 2, 2024. The due date to complete this submission is March 2, 2024.

Disclosures of PHI to Schools

It’s that time of year again when millions of students head back to school and questions arise about disclosures of protected health information (PHI) to schools. The Department of Health and Human Services has published the following Q & As regarding immunization records and medication disclosures to schools that will help clarify what is permitted to be disclosed, to whom and whether authorization is required. If a question comes up that is not answered below, please feel free to contact us for assistance.

Is a health care provider permitted to disclose proof of a child’s immunizations directly to a school without a HIPAA authorization?

Yes, provided the school is required by law to have proof of immunizations in order to admit the child, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. Where the individual who is a student or prospective student is an adult or emancipated minor, the provider may make the disclosure with the agreement of the student herself. In either case, the agreement may be obtained orally or in writing, but must be documented (e.g., by placing in the medical record a copy of a written request, or notation of an oral request). See 45 CFR 164.512(b)(1)(vi).

If a state law requires a covered health care provider to disclose proof of a student’s immunizations directly to a school without the affirmative permission of a parent or guardian, must the health care provider also obtain the agreement of a parent or guardian in accordance with 45 CFR 164.512(b)(1)(vi) of the Privacy Rule prior to making the disclosure?

No. The Privacy Rule permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of that law. See 45 CFR 164.512(a). In such cases, the covered entity is not required to also meet the conditions of 45 CFR 164.512(b)(1)(vi) in making the required by law disclosure.

Does the HIPAA Privacy Rule allow a health care provider to disclose protected health information (PHI) about a student to a school nurse or physician?

Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student’s immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).

Where a parent requests that a health care provider disclose proof of his child’s immunizations to a school so the school can legally admit the child, does the Privacy Rule limit to whom at the school the provider may send the records?

No. It is expected that in most cases a school has designated an administrative official or employee, such as a school nurse, to receive and maintain proof of student immunizations to comply with applicable law. Given the designated person may vary from school to school, the Privacy Rule permits the health care provider to make the disclosure to whoever at the school is identified in the parent’s request or school’s instructions to the parent.

Provider Discloses PHI in Response to Negative Review

OCR Enforces HIPAA Privacy Rule

A recent enforcement action by the HHS Office for Civil Rights (OCR) resulted in a $30,000 settlement regarding impermissible disclosures of PHI in online reviews. A psychiatry practice in New Jersey was found to have disclosed a patient’s PHI on a public online platform when responding to the patient’s negative online review. The disclosure, along with the practice’s failure to implement policies and procedures to safeguard PHI, violated the HIPAA Privacy Rule and resulted in a fine and an agreement to implement a corrective action plan.

These instances are not uncommon. OCR Director Melanie Fontes Rainer stated, “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed.”

If a patient leaves an online review of your practice, whether positive or negative, the practice or provider must never include PHI in its response. If the practice wishes to respond to a patient’s complaint, the patient must be contacted through a private method such as a phone call or patient portal message. You may respond on the review platform only to thank the person for their feedback and to provide contact information for the patient to file a complaint with the practice. Your response must never include patient information. When in doubt, do not respond directly to the review; instead, reach out to the patient in a private, secure manner.

If you have questions or concerns about responding to an online review in an appropriate manner, do not hesitate to reach out to Eagle Associates for guidance.

HIPAA Certification

HHS warns that it does not certify any persons or products as HIPAA-compliant

Eagle Associates receives many questions about requirements for HIPAA certification. This usually occurs after a practice has received marketing materials from a consulting or educational group purporting to provide “HIPAA certification.” Such companies may claim that your practice is “non-compliant” and must immediately schedule a consultation or other service with their company, often using urgent language and alluding to potential fines. It is important to know that there is no such requirement for entities to obtain HIPAA “certification”, and these companies are using dubious marketing tactics to sell their services.

The following information from the U.S. Department of Health & Human Services (HHS) website explains the regulator’s position and adds a word of caution.

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as “HIPAA compliant.” The Privacy Rule does not require attendance at any specific seminars. All of OCR’s materials are available free on this web site.

If you believe anyone is making false or misleading representations about HHS or OCR in regard to HIPAA training and compliance, please notify us via email at ocrcomplaint@hhs.gov or by postal mail at Office for Civil Rights, 200 Independence Ave, S.W., Room 509F, Washington, D.C. 20201.”

See also the following Q & A from the HHS web site:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

At Eagle Associates, we know that compliance is an ongoing process and not a designated status. Receiving additional compliance training or assistance with implementation of policies can lead to improved compliance. However, HHS encourages caution when engaging with companies who claim to provide HIPAA certification. Eagle Associates’ compliance programs provide training and ongoing support to help practices understand and maintain compliance without making false or misleading representations. If you are unsure about your compliance programs, please do not hesitate to contact us.

HHS Offers Free Cybersecurity Training

According to the FBI’s Internet Crime Complaint Center, the health care sector faced the most ransomware attacks in 2021 and the number of complaints has been steadily climbing over the last five years. The U.S. Department of Health and Human Services (HHS) has announced the release of resources to help address cybersecurity concerns in the healthcare sector. Their new Knowledge On Demand platform offers free cybersecurity training on the following topics:

  • Social Engineering
  • Ransomware
  • Loss or Theft of Equipment or Data
  • Insider Accidental or Malicious Data Loss
  • Attacks Against Network Connected Medical Devices

These topics represent the top five cybersecurity threats identified through the collaborative effort between the Health Sector Coordinating Council Cybersecurity Working Group and the HHS task group that developed the Health Industry Cybersecurity Practices (HICP) technical volumes. Deputy Secretary Andrea Palm states, “Cyberattacks are one of the biggest threats facing our health care system today, and the best defense is prevention. These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring those hospitals and health care organizations most vulnerable to attack can take steps toward resilience.”

The HHS training platform offers Interactive Training Videos, PowerPoint presentations with presenter notes, and job aids (quick tips and checklists). Certificates of completion are available for printing at the end of each Interactive Training Video. The content of each Interactive Training Video is also available for inclusion in an existing Learning Management System (LMS).

You may find links to the free training tools at the following web page:

https://405d.hhs.gov/knowledgeondemand

Note: HIPAA’s Security Rule requires training of all workforce members on the topics of Password Management, Login Monitoring and Protection from Malicious Software. While the Knowledge on Demand platform provides valuable cybersecurity training that touches on some of these topics, Eagle Associates does not recommend that it be used as a substitute for Security Rule-specific training.