HIPAA and Privacy Rules Affecting Childcare Health Records
A childcare center knows a surprising amount about the children in its care — vaccination records, allergy diagnoses, medication schedules, physician contacts, developmental assessments. What rules govern who can see that information, who can share it, and under what circumstances? The answer is less straightforward than most parents or providers expect, because HIPAA — the Health Insurance Portability and Accountability Act — does not apply the same way to childcare programs as it does to hospitals. Understanding which privacy framework actually applies, and when HIPAA enters the picture at all, is the foundation of sound health record practice in early care settings.
Definition and scope
HIPAA, enacted by Congress in 1996 and administered by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), protects "protected health information" (PHI) held by covered entities — defined as healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses.
Most licensed childcare centers, family day care homes, and after-school programs are not HIPAA covered entities. A center that maintains a child's immunization record for enrollment purposes, but does not bill insurance or transmit health data electronically in a clinical context, falls outside HIPAA's direct reach. The HHS guidance on covered entities makes this boundary explicit.
What governs health records at the typical childcare program instead?
- FERPA (Family Educational Rights and Privacy Act) — administered by the U.S. Department of Education, FERPA covers educational agencies and institutions that receive federal funding. Head Start programs and public school–based pre-K programs fall here. FERPA treats health records maintained by the school as education records, protected from disclosure without parental consent.
- State licensing regulations — every state that licenses childcare facilities (childcare licensing requirements vary by state) imposes its own confidentiality rules on health documentation. These rules exist independently of federal law and are enforced by state child care licensing agencies.
- HIPAA's indirect reach — even when a childcare center itself is not a covered entity, HIPAA still governs the healthcare providers sharing information with it. A pediatrician transmitting a child's physical exam form to a center is a covered entity. The pediatrician's office must comply with HIPAA; the center receiving the fax is not bound by HIPAA rules, but is bound by whatever state law applies.
How it works
When a child with a chronic condition like asthma or Type 1 diabetes enrolls, the flow of health information typically involves at least three parties: the parent or legal guardian, the healthcare provider, and the childcare program. Each relationship carries different obligations.
Parents, as legal guardians of minor children, hold HIPAA rights on the child's behalf. Under 45 CFR §164.502(g), a parent generally has the right to access and authorize disclosure of a minor child's PHI, with narrow exceptions for situations involving abuse or when the minor has the legal authority to consent to care independently.
For programs operating under FERPA — Head Start centers, public pre-K programs, and school-age programs — the school must obtain written parental consent before disclosing education records (including health records) to a third party, except under specific exemptions such as disclosure to school officials with a legitimate educational interest or in health emergencies.
The practical workflow at a compliant childcare center includes:
- Enrollment health form — collects baseline health history, immunization status (see immunization requirements for childcare), and emergency medical contacts.
- Authorization for disclosure — a signed form permitting the center to share health information with designated parties (emergency contacts, substitute care providers).
- Medication administration records — separately documented under most state regulations; see medication administration in childcare for the access-control implications.
- Incident and illness documentation — records of illness events, exclusions, and re-admission clearances governed by state licensing rules.
- Storage and access controls — physical or digital records maintained in a restricted-access location, with access limited to staff with a direct care need.
Common scenarios
Scenario 1: A parent requests their child's health records. In FERPA-covered programs, parents have a right to inspect and review education records within 45 days of a request (20 U.S.C. § 1232g). For non-FERPA programs, state law governs — most state licensing codes grant parents access to records maintained about their child.
Scenario 2: A divorced parent asks about the child's health records. Both custodial and non-custodial parents generally retain FERPA rights unless a court order specifically removes them. The center should maintain a copy of any custody agreement that restricts access.
Scenario 3: A staff member shares a child's allergy diagnosis with another parent. This is a confidentiality breach under virtually every applicable framework — state licensing codes, FERPA where applicable, and common law privacy obligations. Allergy and diagnosis information is health information regardless of whether HIPAA technically applies.
Scenario 4: A public health agency requests immunization records during an outbreak. Public health disclosures are recognized exceptions under both HIPAA (45 CFR §164.512(b)) and FERPA. A state health department investigating a measles exposure at a childcare facility can compel disclosure without parental consent.
Decision boundaries
The central question — which framework governs? — resolves along two axes:
| Program type | Federal framework | State overlay |
|---|---|---|
| Public school–based pre-K, Head Start | FERPA | State licensing |
| Private licensed childcare center | State licensing only | State licensing |
| Healthcare provider transmitting to any center | HIPAA | State licensing |
| Family day care home (licensed) | State licensing only | State licensing |
Childcare programs supporting children with special needs or IEPs encounter a further layer: health information embedded in an Individualized Education Program is governed by IDEA (Individuals with Disabilities Education Act) and FERPA simultaneously, with FERPA generally controlling disclosure rules per 34 CFR Part 99.
A center's health and hygiene practices (see childcare health and hygiene standards) and its illness exclusion policies generate records that sit firmly under state licensing authority, regardless of whether any federal framework applies. The regulatory context for childcare spans all these overlapping systems — which is precisely what makes health record compliance one of the more document-intensive responsibilities in early care administration.