HIPAA and CIIS

 
We're a public health authority and are authorized by the Colorado Immunization Registry Act (Section 25-4-2403, CRS) to collect and receive immunization information for the purpose of preventing or controlling disease and/or implementing public health interventions. These require the patient’s name and other identifying information, such as:
  • Address
  • Vaccine type
  • Vaccine manufacturer
  • Vaccine lot number
  • Date of vaccine administration
  • Medicaid eligibility
 
The reporting of immunization data to the Colorado Immunization Information System is exempt from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule because it's considered a public health activity.
  • HIPAA allows public health authorities to collect immunization information without an authorization.
    • The requirement to track disclosures of information still applies, however, and CIIS provides a feature that complies with this HIPAA disclosure tracking requirement.
  • The HIPAA Privacy Rule applies to Covered Entities.
    • A Covered Entity (CE) is a health plan, a health care clearinghouse or a health care provider that transmits certain health claims information electronically.
    • In brief, a CE is allowed to disclose the immunization information requested by CIIS, including patient identifiers, to CIIS without authorization.
      • The CE should include this disclosure in its notice of privacy practices and minimum necessary policies and procedures.
    • The CE must keep track of all immunization information disclosures.
    • CIIS can provide a report of disclosures made to the registry if the CE doesn't have another system to track disclosures.

Full explanation of HIPAA and CIIS