Administering the Annual Flu Shot? Here is What You Need to Know about HIPAA’s Privacy Rule

Do you know where and how the personal health information of your patients is being stored?

While seasonal flu activity can fluctuate year round, the CDC states that flu season can begin as early as October and continue as late as May. With flu season underway, many people are headed to receive their annual flu shot. Getting the flu shot is a lot easier than before, as the vaccine is more widely available; pharmacies now offer various immunizations, which are administered by trained healthcare providers. Pharmacists in all 50 states can, and do, immunize patients. Do you know where and how your patients’ protected health information (PHI) is being stored when you administer the vaccine this year?

Protecting PHI requires diligence under HIPAA’s Privacy Rule.  The Privacy Rule protects a subset of individually identifiable health information, known as PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.


  • Billing information
  • Vaccination history
  • Blood test results
  • Phone records

Protecting sensitive information is important, particularly in the healthcare industry. Medical records are full of data that would be an identity thief’s dream come true: names, addresses, social security numbers, health plan information, and so much more. When you administer an annual flu shot, a lot of this information is stored.

The Health Insurance Portability and Accountability Act (HIPAA), which was passed by Congress in 1996, contains provisions designed to protect patient privacy. This is especially important for pharmacies that administer the yearly flu vaccine, as they are also storefronts that deal with customers in addition to patients. The easiest way to maintain HIPAA compliance when it comes to patient privacy is to keep protected health information (PHI) secure and private, set up office policy, and limit the access that businesses outside the practice have to patient information.

Covered entities that collect PHI must adhere to HIPAA rules.


  • Doctor offices, dental offices, clinics, psychologists
  • Nursing home, pharmacy, hospital or home healthcare agency
  • Health plans, insurance companies, HMOs

HIPAA’s Privacy Rule does not include medical record retention requirements; it instead defers to state laws, which generally govern how long medical records are to be retained.

Secure paper shredding and hard drive destruction under the confines of HIPAA is the best and most effective way to destroy PHI when it is no longer relevant.  More than 40 Federal laws mandate that all business, healthcare, and financial institutions protect the confidential information of their clientele. In addition to shredding PHI as it relates to the annual flu vaccine, administrators must have a sharps disposal plan in place.

Once a flu shot is administered to a patient, the provider must dispose of the sharp in accordance with all applicable laws and regulations. According to the FDA, sharps disposal guidelines state:

  • Used sharps can only be disposed of in a sharps container
  • Sharps containers may be supplied by companies such as Red Bags
  • Sharps containers must be rigid, puncture-proof, and have lids that seal securely

These laws apply to any facility that uses sharps and administers the yearly flu vaccine, including pharmacies.

Keep your compliance in check this flu season by destroying old records when necessary and maintaining a stringent sharps disposal plan.

Want to learn more? Follow Red Bags’ blog to be up to date on the latest happenings in the medical waste industry.
