Text Size
Increase text size
Increase text size
Banner

Policies & Procedures

photo of lockImmunization records are confidential, personal medical information. The Colorado Immunization Information System is a lifelong immunization record tracking system under the Colorado Immunization Registry Act of 2007. CIIS has signed agreements with all participating sites that are authorized to provide information to or access information from the immunization registry.

 

CIIS and all persons and entities that access immunization records are required to maintain the confidentiality of those records.

 

The CIIS Confidentiality Policy applies to all individually identifiable information in all formats, including paper-based and electronic records. Information in CIIS can only be released to:

 

  • The individual or parent/guardian

  • The individual’s healthcare provider

  • A school, childcare center or university where the individual is enrolled

  • A managed care organization or health insurer where the individual is enrolled

  • Hospitals

  • Persons or entities who have an agreement with the State of Colorado for immunizations

  • The Colorado Department of Health Care Policy and Financing for individuals enrolled in Medicaid

 

Authorized individuals can access immunization information in CIIS only for clinical (including data entry), quality assurance, public health or school entry law purposes. All individuals accessing CIIS are required to treat all information in CIIS as confidential. Any person who releases or makes confidential immunization records public in any unauthorized manner commits a class 1 misdemeanor and upon conviction thereof, shall be punished by 6-18 months in jail or a fine of $500 to $5000, or both. The unauthorized release of each record shall constitute a separate offense.

 

100

Great care and consideration are put into assuring the security of the Colorado Immunization Information System. The CIIS Security Policies and Procedures comply with the security standards defined by the following agencies: Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information, International Organization for Standardization, American National Standards Institute, National Institute of Standards and Technology, National Infrastructure Protection Center, and Crisis Emergency Response Team.

 

CIIS security measures include: user authentication, individual passwords changed every 90 days, and extensive audit trail records. CIIS revises its Security Policy and Procedures as the industry standards are updated.

 

CIIS Security Policy pdf file

The Colorado Department of Public Health and Environment is a public health authority and is authorized by the Colorado Immunization Registry Act (Section 25-4-2403, C.R.S.) to collect and receive immunization information for the purpose of preventing or controlling disease and/or implementing public health interventions. Preventing communicable disease and public health interventions require the patient’s name and other identifying information such as address, vaccine type, manufacturer, lot number, date of vaccine administration and Medicaid eligibility.

 

The reporting of immunization data to the Colorado Immunization Information System is exempt from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule since it is considered a public health activity. HIPAA allows public health authorities to collect immunization information without an authorization. The requirement to track disclosures of information still applies, however, and CIIS provides a feature that complies with this HIPAA disclosure tracking requirement.

 

The HIPAA Privacy Rule applies to Covered Entities. A Covered Entity (CE) is a health plan, a healthcare clearinghouse or a healthcare provider who transmits certain health claims information electronically. In brief, a CE is allowed to disclose the immunization information requested by CIIS, including patient identifiers, to CIIS without authorization. The CE should include this disclosure in its notice of privacy practices and minimum necessary policies and procedures. The CE must keep track of all immunization information disclosures. CIIS can provide a report of disclosures made to the registry if the CE does not have another system to track disclosures.

 

How does the Health Insurance Portability and Accountability Act of 1996 (HIPAA) affect the release of immunization data to schools and child care centers?

A school acts as a “public health authority” when it is statutorily required to track the immunization status of its enrolled children. HIPAA allows protected health information – in this case, an individual’s immunization information – to be disclosed to public health authorities for such purposes. While signed authorizations are not required for these public health disclosures, they are permitted by HIPAA. Any release made without a signed authorization needs to be recorded so that there is a record should an individual request an “accounting of disclosures” at a later date.

 

What qualifies as a “school?”

Under Colorado statue, a “school” is a public, private, or parochial nursery school, licensed day care center, child care facility, family child care home, Head Start program, kindergarten, or elementary or secondary school through grade twelve, or a college or university. “School” does not include a public services short-term child care facility as defined in section 26-6-102 (6.7), C.R.S., a guest child care facility as defined in section 26-6-102 (5), C.R.S., a ski school as defined in section 26-6-103.5 (6), C.R.S., or college or university courses which are offered off-campus; or are offered to non-traditional adult students, as defined by the governing board of the institution; or are offered at colleges or universities which do not have residence hall facilities.

As a healthcare provider participating in the Colorado Immunization Information System, you must provide notification of the right of a patient to opt-out of CIIS. You can choose to notify individuals in several ways:

 

  • Posting a CIIS Opt-Out Notification Poster in your lobby and/or exam rooms

  • Providing CIIS Frequently Asked Questions Sheets in your office

  • Posting a notice on your organization’s website

  • Writing about CIIS in your clinic’s newsletter

  • Mailing individual notices to your patients

 

If you choose to post the CIIS Opt-Out Notification Poster in your office, you must also have the CIIS FAQ sheets available for your patients:

 

 

CIIS Frequently Asked Questions Sheets

 

The poster by itself is not sufficient. You can order both the CIIS Opt-Out Notification Poster and the CIIS FAQ Sheet by downloading and completing the Immunization Order Materials Form. These notification materials are provided free of charge to you as a CIIS User.

 

Under Colorado law you have the option to exclude your/your child’s immunization information from the Colorado Immunization Information System at any time. If you change your mind, you can always have your healthcare provider re-enter your/your child’s immunization record into CIIS at a later time. If you choose not to participate in CIIS, you are responsible for keeping track of your/your child’s shot record.

 

 

Opt-Out Procedure
If you choose to opt out of the Colorado Immunization Information System, please read the following instructions and follow all steps to ensure that your/your child’s immunization information is excluded from CIIS.

 

Upon your request to exclude immunization information from CIIS, your healthcare provider must:

 

  • Supply you with a Colorado Immunization Information System Opt-Out Form

  • Have you complete and sign three copies of the CIIS Opt-Out Form

  • Attach one signed copy of the CIIS Opt-Out Form to your/your child’s medical record in the location usually reserved for the immunization record

  • Give the other two signed copies of the CIIS Opt-Out Form to you

 

CIIS Opt-Out Forms

 

To complete the opt-out procedure, it is your responsibility to:

 

  • Mail or fax one signed copy of the CIIS Opt-Out Form to the CIIS office at the address found on the bottom of the CIIS Opt-Out Form

  • Keep one signed copy of the CIIS Opt-Out Form for your records

 

Rescind Opt-Out Procedure
While you can choose to exclude your/your child’s immunization record from the Colorado Immunization Information System, you can also change your mind – and have your/your child’s shot record re-entered into CIIS.

 

Upon your request to have your/your child’s immunization information re-entered into CIIS, your healthcare provider must:

 

  • Supply you with a Colorado Immunization Information System Rescind Opt-Out Form

  • Have you complete and sign three copies of the CIIS Rescind Opt-Out Form

  • Attach one signed copy of the CIIS Rescind Opt-Out Form to your/your child’s medical record in the location usually reserved for the immunization record

  • Give the other two signed copies of the CIIS Rescind Opt-Out Form to you

 

To complete the rescind opt-out procedure and ensure that your/your child’s shot record gets put back into CIIS, it is your responsibility to:

 

  • Mail or fax one signed copy of the CIIS Rescind Opt-Out Form to the CIIS office at the address found on the bottom of the CIIS Rescind Opt-Out Form

  • Keep one signed copy of the CIIS Rescind Opt-Out Form for your records

 

CIIS Rescind Opt-Out Forms