SCCI Wizard
The School and Child Care Immunization Wizard is a tool for questions about immunization requirements, forms, the School and Child Care Immunization Module, roster uploads and delegation requests.
- SCCIM Training
- SCCIM Document Library
- Need Help? Contact Support.
This page is for school nurses, health staff, and administrative users who need to understand the privacy rules that govern Washington Immunization Information System (WAIIS) School and Child Care Immunization Module (SCCIM) use. It explains how HIPAA and FERPA apply to immunization data, when parent consent is required, and what counts as a medically verified immunization record.
This page outlines the legal and policy requirements that schools and child care providers must follow when entering or sharing immunization data in SCCIM. It clarifies which federal laws apply, how they interact, and what steps users must take to remain in compliance.
Schools and child care providers are responsible for protecting student information and ensuring compliance with privacy laws. Understanding HIPAA, FERPA, and consent requirements helps prevent unauthorized data entry or disclosure and ensures that immunization data entered into SCCIM is accurate, legal, and useful.
Following these rules also protects your organization and ensures continued access to WAIIS-SCCIM.
For detailed guidance, see the Guidance on HIPAA, FERPA, Parent Consent, and Medically Verified Records for SCCIM Use (PDF).
Step 1: Know Which Privacy Laws Apply
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to schools and child cares that receive federal education funding (all public schools and some private schools and child cares). Once an immunization record is provided to a school, it becomes a school record protected under FERPA.
What is allowed under FERPA when it comes to use of the WAIIS-SCCIM?
- An immunization record given to a school becomes a school record. To release a school record such as entering immunization information into the WAIIS-SCCIM (immunization dates and exemption or titer information), FERPA requires the school to have written parent or guardian permission.
- FERPA has an exception that allows for the release of directory information without parent permission if the parent has been notified that the information may be released. The law also gives parents a process to opt their child out of the release. Directory information is used to create SCCIM roster.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to healthcare providers (e.g., pediatricians, clinics). HIPAA is a federal Privacy Rule which addresses the use and disclosure of individuals' health information. This rule recognizes the need for public health authorities and those responsible for public health and safety to have access to protected health information to carry out their public health missions.
What is allowed under HIPAA when it comes to use of the WAIIS-SCCIM?
- HIPAA permits a covered entity, such as a healthcare provider (i.e. a student's pediatrician's office), to disclose proof of a student’s immunizations directly to a school with the parent or guardian’s written or verbal permission.
- HIPAA has an exception which allows a covered entity to disclose protected health information for public health activities and purposes. This allows a provider to enter vaccination data into the WAIIS.
- This exception does not apply to a school nurse entering vaccination dates into the WAIIS since the record containing the dates was given to the school and is therefore considered a school record covered under FERPA.
See Guidance on HIPAA, FERPA, Parent Consent, and Medically Verified Records for SCCIM Use (PDF).
Sections: Legal Framework and Considerations, Parent Consent
This document will assist schools, preschools, and child care centers in understanding the legal framework and considerations for implementing and using the School and Child Care Immunization Module (SCCIM). It covers HIPAA, FERPA, and getting parent consent to enter medical verified records into the IIS.
Step 2: Collect and Retain Parent Consent as Needed
- Parent consent is required when entering immunization dates, exemptions, or immunity into SCCIM. An immunization record given to a school becomes a school record.
- Consent is not needed if all student immunization data is already in the WAIIS.
- Schools may collect consent via the signed CIS form or through another method of their choosing. Some districts have added this consent as part of their district enrollment forms. The signature can be gathered electronically as long as it “(1) Identifies and authenticates a particular person as the source of the electronic consent; and (2) Indicates such person’s approval of the information contained in the electronic consent.”
Step 3: Use Only Medically Verified Records
SCCIM is a medical database. You may only enter records that meet DOH’s medically-verified standard. Acceptable records include:
- A CIS form signed by a provider or stamped by a clinic.
- Records from a clinic, provider, hospital, or registry with an official logo or stamp.
- Official foreign or out-of-state immunization records that include provider validation.
Do not enter immunization dates reported by parents without medically-verified records.
Refer to the Medically Verified Records section in the Guidance on HIPAA, FERPA, Parent Consent, and Medically Verified Records for SCCIM Use (PDF).
Related Resources
- Ready to begin entering data? Start with Enter Vaccinations.
- Need help with account access? Visit Create and Manage Accounts.
- To delegate data entry to a staff member, visit Understand Delegation.
- Refer to Training Guide: SCCIM for Schools (PDF) or Training Guide: SCCIM for Child Care Centers (PDF).