Immunization records are confidential, personal medical information. The Colorado Immunization Information System is a lifelong immunization record tracking system under the Colorado Immunization Registry Act of 2007. CIIS has signed agreements with all participating sites that are authorized to provide information to or access information from the immunization registry.
CIIS and all persons and entities that access immunization records are required to maintain the confidentiality of those records.
The CIIS Confidentiality Policy applies to all individually identifiable information in all formats, including paper-based and electronic records. Information in CIIS can only be released to:
Authorized individuals can access immunization information in CIIS only for clinical (including data entry), quality assurance, public health or school entry law purposes. All individuals accessing CIIS are required to treat all information in CIIS as confidential. Any person who releases or makes confidential immunization records public in any unauthorized manner commits a class 1 misdemeanor and upon conviction thereof, shall be punished by 6-18 months in jail or a fine of $500 to $5000, or both. The unauthorized release of each record shall constitute a separate offense.
Great care and consideration are put into assuring the security of the Colorado Immunization Information System. The CIIS Security Policies and Procedures comply with the security standards defined by the following agencies: Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information, International Organization for Standardization, American National Standards Institute, National Institute of Standards and Technology, National Infrastructure Protection Center, and Crisis Emergency Response Team.
CIIS security measures include: user authentication, individual passwords changed every 90 days, and extensive audit trail records. CIIS revises its Security Policy and Procedures as the industry standards are updated.
The Colorado Department of Public Health and Environment is a public health authority and is authorized by the Colorado Immunization Registry Act (Section 25-4-2403, C.R.S.) to collect and receive immunization information for the purpose of preventing or controlling disease and/or implementing public health interventions. Preventing communicable disease and public health interventions require the patient’s name and other identifying information such as address, vaccine type, manufacturer, lot number, date of vaccine administration and Medicaid eligibility.
The reporting of immunization data to the Colorado Immunization Information System is exempt from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule since it is considered a public health activity. HIPAA allows public health authorities to collect immunization information without an authorization. The requirement to track disclosures of information still applies, however, and CIIS provides a feature that complies with this HIPAA disclosure tracking requirement.
The HIPAA Privacy Rule applies to Covered Entities. A Covered Entity (CE) is a health plan, a healthcare clearinghouse or a healthcare provider who transmits certain health claims information electronically. In brief, a CE is allowed to disclose the immunization information requested by CIIS, including patient identifiers, to CIIS without authorization. The CE should include this disclosure in its notice of privacy practices and minimum necessary policies and procedures. The CE must keep track of all immunization information disclosures. CIIS can provide a report of disclosures made to the registry if the CE does not have another system to track disclosures.
How does the Health Insurance Portability and Accountability Act of 1996 (HIPAA) affect the release of immunization data to schools and child care centers?
A school acts as a “public health authority” when it is statutorily required to track the immunization status of its enrolled children. HIPAA allows protected health information – in this case, an individual’s immunization information – to be disclosed to public health authorities for such purposes. While signed authorizations are not required for these public health disclosures, they are permitted by HIPAA. Any release made without a signed authorization needs to be recorded so that there is a record should an individual request an “accounting of disclosures” at a later date.
What qualifies as a “school?”
Under Colorado statue, a “school” is a public, private, or parochial nursery school, licensed day care center, child care facility, family child care home, Head Start program, kindergarten, or elementary or secondary school through grade twelve, or a college or university. “School” does not include a public services short-term child care facility as defined in section 26-6-102 (6.7), C.R.S., a guest child care facility as defined in section 26-6-102 (5), C.R.S., a ski school as defined in section 26-6-103.5 (6), C.R.S., or college or university courses which are offered off-campus; or are offered to non-traditional adult students, as defined by the governing board of the institution; or are offered at colleges or universities which do not have residence hall facilities.
As a healthcare provider participating in the Colorado Immunization Information System, you must provide notification of the right of a patient to opt-out of CIIS. You can choose to notify individuals in several ways:
If you choose to post the CIIS Opt-Out Notification Poster in your office, you must also have the CIIS FAQ sheets available for your patients:
CIIS Frequently Asked Questions Sheets
The poster by itself is not sufficient. You can order both the CIIS Opt-Out Notification Poster and the CIIS FAQ Sheet by downloading and completing the Immunization Order Materials Form. These notification materials are provided free of charge to you as a CIIS User.
Under Colorado law you have the option to exclude your/your child’s immunization information from the Colorado Immunization Information System at any time. If you change your mind, you can always have your healthcare provider re-enter your/your child’s immunization record into CIIS at a later time. If you choose not to participate in CIIS, you are responsible for keeping track of your/your child’s shot record.
Upon your request to exclude immunization information from CIIS, your healthcare provider must:
CIIS Opt-Out Forms
To complete the opt-out procedure, it is your responsibility to:
Rescind Opt-Out Procedure
Upon your request to have your/your child’s immunization information re-entered into CIIS, your healthcare provider must:
To complete the rescind opt-out procedure and ensure that your/your child’s shot record gets put back into CIIS, it is your responsibility to:
CIIS Rescind Opt-Out Forms