Immunization information systems: a decade of progress in law and policy.

This article reports on a study of laws, regulations, and policies governing Immunization Information Systems (IIS, also known as "immunization registries") in states and selected urban areas of the United States. The study included a search of relevant statutes, administrative codes and published attorney general opinions/findings, an online questionnaire completed by immunization program managers and/or their staff, and follow-up telephone interviews.The legal/regulatory framework for IIS has changed considerably since 2000, largely in ways that improve IIS' ability to perform their public health functions while continuing to maintain strict confidentiality and privacy controls. Nevertheless, the exchange of immunization data and other health information between care providers and public health and between entities in different jurisdictions remains difficult due in part to ongoing regulatory diversity.To continue to be leaders in health information exchange and facilitate immunization of children and adults, IIS will need to address the challenges presented by the interplay of federal and state legislation, regulations, and policies and continue to move toward standardized data collection and sharing necessary for interoperable systems.

Electronic exchange of patient health information is a major component of the United States national strategy to improve health care quality, improve population health outcomes, and reduce costs.[1] Making health information on a patient available to clinicians when and where needed allows both the clinician and the patient to be supported in making the right decision.[2] Consolidating information from multiple sources enables public health authorities to better monitor, assess, and respond to changing needs in the population.

Immunization Information Systems (IIS), also known as “Immunization Registries,” have made patients’ health information available to growing numbers of immunization providers for more than 20 years.[3,4] Using secure database technology, IIS consolidate the fragmented immunization records of patients who seek care from multiple providers[5-7] and provide clear clinical guidance in the context of increasingly complex immunization recommendations.[8,9] Many IIS now receive a growing proportion of their data through interfaces with Electronic Health Record (EHR) systems rather than through direct-entry or paper record submission. Both the Medicare and Medicaid EHR Incentive Programs (which incentivize the adoption and “Meaningful Use” of EHR systems in clinical practice)[10] and Centers for Disease Control and Prevention (CDC) assistance of more than $40 million nationwide (CDC, unpublished data, 2012) have supported this trend.

Since the early 1990s, states have enhanced legal and policy support for IIS. A survey of states that examined state laws, regulations, and policies in 2000 found that 36% of states had laws or rules specifically addressing IIS for children.[11] A more recent study in 2010/2011 found an increased number of states (66%) with laws specifically authorizing the operation of an IIS.[12]

The legal framework goes beyond simply authorization of registry operations. A variety of laws and regulations define the balance between public health authority and individuals’ rights to privacy and consent with regard to their own data. These include not only state and local law but also the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.[13-15] This complex patchwork of federal, state, and local laws and policies presents challenges for both intra- and interstate exchange of immunization information.

Complicating this patchwork of laws even more are new entities created to facilitate health information exchange, alternatively called Health Information Organizations, Health Information Exchanges (HIE), or Health Information Service Providers (collectively referred to in this paper as “HIEs”). HIEs often have specific statutory authorities and duties, including requirements for patient consent, which may or may not be consistent with those governing IIS. For example, a state may have a law that mandates provider reporting of pediatric immunizations to an IIS without need for parental consent, but the laws for HIE require written patient consent for participation. Such a situation effectively means that the provider cannot fulfill a mandate to report immunizations without either violating the HIE consent requirement or bypassing the HIE for nonconsented patients.

Objective

The objective of this study was to obtain information relating to legislation, regulations, rules, and policies (collectively referred to as “laws”) that enable, support, or constrain the ability of an IIS to receive or disclose immunization information for both children and adults and to assess trends with regard to these laws.

Participants

The initial target population included all domestic recipients of federal Section 317 immunization grant funding administered by the CDC: 50 states, 5 municipalities, and the District of Columbia. Houston discontinued operation of its IIS in 2010 and Chicago does not operate an IIS. Both municipalities were excluded from this study. At the time of this study, New Hampshire did not operate an IIS and was excluded. The final study population was 49 states, 3 municipalities (New York City, Philadelphia, and San Antonio, each of which operates an IIS independent of its respective state), and the District of Columbia, for a total of 53 participants.

Design

Online survey

A self-reported, online survey was pilot tested by 3 state immunization program manager volunteers. Prior to administration, this survey was reviewed by the CDC National Center for Immunization and Respiratory Diseases Human Subjects Advisor and determined not to involve human subjects and, therefore, exempt from institutional review board monitoring. After the pilot, all participant programs were asked to complete the final 36-question survey on SurveyMonkey during February and March 2012. Respondents were directed to refer to state statutes and laws, municipal ordinances if applicable, state and local rules and regulations, state and local written policies, and written findings/opinions of attorney general or general counsel. The immunization program manager was asked to provide answers in consultation with other appropriate individuals, including IIS managers or other program/IT staff. The response rate was 100%.

Legal research

In October and November 2011, the study team conducted a WestLaw search of relevant statutes, administrative codes, and published attorney general opinions/findings.[16] Results of the legal research were examined by members of the study team who are attorneys to restrict the scope to citations addressing IIS, as opposed to laws regulating non-IIS issues such as clinical practice, outbreak control, health officer emergency powers, and school attendance.

Follow-up telephone interviews

In March and April 2012, 1 member of the study team conducted a 30-minute telephone follow-up interview with every program in the study. Interviews addressed any inconsistent or unclear answers and allowed participants to elaborate on any of their responses to the online survey, including any apparent discrepancies between survey responses and the study team’s legal research. Participants on the follow-up calls varied and included immunization program managers, IIS managers, CDC Public Health Advisors, legal counsel, and IIS vendors.

Validation

Modifications of the original online responses were made as a result of the follow-up telephone interviews; the modified responses and the study team’s reclassification of “Other” responses were validated with the respondents through a second round of e-mail and telephone communication in February 2013.

Comparative data for trends

When possible, data gathered in this study were compared with Horlick’s[11] review of IIS-related legislation. The data in Horlick were gathered in 2000, so this is the year used for reference in any comparisons made. The study by Horlick in 2000 did not address the details of adult versus childhood records in IIS, nor did it include municipal IIS, so not all data were comparable.

Results

A complete line-listing of data is summarized in Supplemental Digital Content Survey Data, available at http://links.lww.com/JPHMP/A72.

Lifelong or childhood IIS

Fifty-one (96.2%) of the 53 IIS programs were authorized to collect immunization records for all age groups (also known as a lifelong IIS). For 2 (3.8%) programs, the IIS was limited to immunization records for children only.

Type of authority to operate an IIS for children

Thirty-six (68%) of the IIS programs studied collected immunization data for children (age ranges vary by state) on the basis of laws specifically authorizing IIS, another 6 (11%) on the basis of immunization information-sharing laws (which did not mention an IIS), and 1 (2%) on the basis of laws allowing the sharing of general health information. The remaining 10 (18.9%) programs relied on general public health authority rather than explicit authorization to operate an IIS for children (Figure 1).

FIGURE 1

Legal Basis for IIS Operation, United States, 2012

Taken together, these findings represent a total of 43 of 53 (81%) jurisdictions that directly provided legal authority for public health to operate an IIS. These numbers contrast with the legal authority for IIS reported in 2000: 24 (47%) IIS-specific, 9 (18%) immunization-information, and 3 (6%) general public health authority[11] (see Supplemental Digital Content Figure 1A, available at http://links.lww.com/JPHMP/A69), or the only 9 (18%) states with any IIS authorization reported in 1995.[3]

Type of authority to operate an IIS for adults

Of the 51 IIS programs that were authorized to operate an IIS for adults, 27 (52.9%) had laws that specifically authorized operation of IIS, 8 (15.7%) had laws that authorized sharing of immunization information, but did not specifically authorize the operation of IIS, 3 (5.9%) had laws allowing the sharing of health care information, but did not refer to immunization information explicitly, and 13 (25.5%) relied on general public health statutes or regulations to operate IIS for adults.

Mandate to report immunizations

Thirty-one (58.5%) jurisdictions mandated at least 1 type of provider or entity to report immunizations and 22 (41.5%) had no mandate to report immunizations (Figure 2). By contrast, in 2000[11] only 12 states had mandated reporting (see Supplemental Digital Content Figure 2A, available at http://links.lww.com/JPHMP/A70).

FIGURE 2

IIS Reporting Mandate, United States, 2012

A mandate to report may be limited to certain age groups or certain vaccines (eg, publicly funded vaccines). Of the 31 IIS programs with some type of mandate to report immunizations, 21 (67.7%) mandated all immunization providers to report, 27 (87.1%) mandated public health providers to report, 23 (74.2%) mandated Vaccines for Children (a federal vaccine-purchase program) providers to report, 21 (67.7%) mandated private providers to report, and 22 (71%) mandated pharmacies/pharmacists to report.

Among the 31 IIS programs with some type of mandate to report immunizations, 12 (38.7%) mandated that immunizations for all age groups be reported and 17 (54.8%) mandated that immunizations for children/adolescents/young adults (with upper age limits ranging from 18 to 26 years of age) be reported but not immunizations for adults. Only 2 (6.3%) programs mandated reporting of immunizations for only young children (with upper age limits of 6 or 7 years of age). Among the 31 programs with some type of mandate to report immunizations, 26 (83.9%) mandated that the report be to the IIS, 3 (9.7%) mandated that the report be to local public health, and 2 (6.3%) mandated that the report be to both local public health and the IIS. For San Antonio, the mandate was to report to either the San Antonio IIS or the state of Texas IIS.

Of the 31 IIS programs with some type of mandate to report immunizations, 21 (67.7%; 39.6% of total participants) had a mechanism to enforce the mandate. The authorized enforcement mechanism was a penalty or fine in 4 (12.9%) locations. Fourteen (45.2%) programs had authority to enforce a mandate by limiting the amount of public vaccine a provider can order if that provider fails to report immunizations. Four (12.9%) programs were authorized to enforce a mandate to report immunizations both through a penalty/fine and by restricting orders of public vaccine.

Of the 21 IIS programs with a mechanism to enforce the reporting mandate, 4 (19%) reported that they enforced it through feedback to the noncompliant provider and did not use penalties, fines, or limitation of vaccine orders. Eleven (52.3%) enforced reporting by limiting the amount of public vaccine a nonreporting provider could order. One (4.8%) program used both limitation on the amount of public vaccine and feedback to noncompliant providers. Five (23.8%) did not enforce the mechanism.

Consent for vital records

Forty-six IIS (86.8%) received information on births in their jurisdiction from vital records or from birthing hospitals. Of those 46, 21 (45.7%) imported the birth record into the IIS on the basis of implied consent; 5 (10.9%) had no consent requirement, but the parent or guardian had the right to opt out of having his or her child’s information in the IIS; 15 (32.6%) imported the birth record without consent and there was no right to opt out; and in the remaining 5 (10.9%), written consent was required to share birth record information with the IIS.

Consent to share childhood immunization information

For 36 (67.9%) IIS programs, childhood immunization information could be included in and shared by the IIS on the basis of implied consent, with a right to exclude or remove immunization information from the IIS (“opt out”). In 14 (26.4%) programs, childhood immunization information could be shared with the IIS without any consent, with no right to opt out in 12 jurisdictions and with a right to opt out in 2 (Figure 3). In Oregon and Florida, the right to opt out was very restricted. In Oregon, the parent had to prove that disclosure of immunizations would disclose a medical condition or provide an affidavit that disclosure would present a potential safety issue such as domestic abuse. (Because of the restriction, Oregon was classified as “no right to opt out” in this study). In Florida, the parent could restrict the sharing of information by the IIS but could not prevent inclusion in the IIS. Explicit consent was required to share childhood immunization information with the IIS in 3 (7.5%) IIS programs (written consent was required in 2 of these 3). As shown in Supplemental Digital Content Figure 3A, available at http://links.lww.com/JPHMP/A71, there has been a notable reduction in jurisdictions requiring explicit consent since 2000.

FIGURE 3

IIS Consent Requirements, United States, 2012

Consent to share adult immunization information

Of the 51 programs with authority to operate an IIS for adults, 34 (66.6%) relied upon implied consent to share adult immunization information with the IIS, with a right to opt out. For 9 (17.6%) programs, adult immunization information could be shared without any consent, with no right to opt out in 8 of these programs and with a right to opt out in 1. Explicit consent was required to share adult immunization information in 8 (15.9%) jurisdictions (written consent was required in 5). In the District of Columbia, no consent was required to share information for adults immunized with publicly purchased vaccine, but consent was implied with a right to opt out for adults (older than 26 years) immunized with privately purchased vaccine. In Arizona, explicit consent was required before sharing adult vaccination information, except for immunizations administered by pharmacists for which there was implicit consent with right to opt out.

Withdrawal of consent

Consent to retain information in the IIS could not be withdrawn in 7 (13.2%) jurisdictions. In the remaining 46 (86.8%) jurisdictions, if consent to retain information in the IIS was withdrawn: all data were retained and access was limited or prohibited in 32 (69.6%), all data were removed in 7 (14.6%), and limited identifying demographic information was retained in 6 (12.5%). One program was in the process of upgrading its IIS and reported that its existing system could not adequately address withdrawal of consent.

Health Insurance Portability and Accountability Act

Twenty-four (45.3%) IIS were considered by their programs to be covered entities under HIPAA, 25 (47.2%) were considered to not be covered entities under HIPAA, and 4 (7.5%) respondents did not know whether the IIS was considered to be a covered entity under HIPAA.

Interaction with HIEs

Fifty (94.3%) IIS programs reported that sharing of immunization data between their IIS and HIEs was implemented or contemplated. Thirty-six (67.9%) programs already had authority to exchange data with HIEs in their jurisdiction. Of the 36 with authority to exchange data, in 15 (41.7%) the authority was derived from a data exchange agreement only, in 13 (36%) the authority was derived from general public health laws, and in 9 (25%) the authority was derived from a specific statute or regulation. Seven (19.4%) programs reported that they did not know whether they had authority to share immunization information with HIEs in their jurisdiction and 1 program responded that the question was not applicable because the HIE was merely a conduit for data transmission.

Authority to transmit or allow access to data across state borders

Thirty-six (67.9%) IIS programs had authority to transmit or allow access to immunization data across state borders. Of the 36 with authority to transmit or allow access across state borders, in 15 (41.7%) the authority was derived from a data exchange agreement only, in 11 (30.6%) the authority was derived from general public health laws, and in 10 (27.8%) the authority was derived from a specific statute or regulation. Two (3.8%) IIS programs responded that they did not know whether they had authority to transmit or allow access to data across state borders. New York State had legislative authority to transmit or allow access to data across state borders and also required a data-sharing agreement. Twenty-nine (54.7%) programs responded that they currently transmit or allow access to data in the IIS across state borders and 24 (45.3%) did not conduct such transmission or access.

Discussion

There is a long-standing recognition of the need for appropriate legal/regulatory support for IIS. Linkins and Feikema[8] proposed several categories of “registry-friendly” legislation addressing authorization, mandate to report, privacy/confidentiality, and the sharing of health information. Although national IIS-like systems have been discussed,[12,17] the states remain the locus of such legislation.

Notwithstanding the variability documented in this study, there is much progress to report. The fact that 43 jurisdictions have directly addressed IIS authorization through some form of law or regulation versus 36 in 2000 suggests that legislative bodies have been increasingly supportive of IIS activities.

There is a similar trend with regard to a mandate to report to IIS. The finding that 31 jurisdictions report some form of mandate today versus only 12 jurisdictions in 2000 may indicate increased recognition among legislative bodies of the utility of IIS to public health. Although another recent study[12] reported only 46% of states with a reporting mandate, the difference may be due to methodology. Hedden’s text analysis approach included only published laws and regulations. Our interview methodology included written policies, which Hedden did not analyze.

Privacy and consent

Privacy, confidentiality, and consent have been consistent themes in IIS policy from the inception of electronic immunization reporting.[3,8,11,18-20] All states report having such policies in place.[21]

There is considerable variability regarding whether inclusion of an individual’s record in IIS, and the sharing of that record with authorized users, requires the consent of the individual or his/her parent/guardian. State IIS policies and laws range from highly restrictive—that is, the record is only included on an opt-in basis—to mandatory inclusion with no opportunity to opt out of the IIS. The majority of jurisdictions either mandated reporting or used implied consent, in which the patient or parent/guardian is notified of the provider’s requirement to report and offered the opportunity to opt out. In the case of IIS with a provision to opt out, there is further variation as to whether the record of an individual who opts out is completely deleted from the system, or whether access to that individual’s record is restricted (eg, to public health and the original reporting health provider).

National public health experts recommend opt out consent policies when feasible in order to lower the barrier to comprehensive reporting to IIS.[8,18] Such policies respect an individual’s right to privacy, including the right to exclude information from public health databases, while maximizing the availability of needed data for quality care and public health. It has been suggested that switching from opt in to opt out could save more than $1 million per year in 1 state,[22] and at least 1 study has suggested that opt out policies may correlate with improved immunization coverage.[23]

Health Information Exchange

There remain important barriers to successful interoperation of HIE systems with IIS. Although the overwhelming majority (50/53, 94%) of IIS programs reported intent to exchange immunization information with HIEs, differences in consent requirements could present an impediment to successful exchange, for example, between an opt in HIE and an opt out IIS. Interstate information exchange is particularly hampered by the variation in consent laws.[9]

Immunization Information Systems have in many ways blazed the trail for HIEs, addressing issues of data quality, interoperability, and even interstate data exchange.[22] Immunization Information Systems by definition are intended to facilitate the exchange of immunization information between authorized entities such as health care providers. Such exchange can fully be realized only when other information systems, such as EHRs and other health databases, can interoperate with IIS[10] in a standardized manner.[24]

Limitations

The study is based on self-reported data and is not a comprehensive review of the law. Biases inherent in self-reported information were minimized through the collection and review of laws, regulations, and published attorney general opinions.

Conclusions

Immunization Information Systems have been in the forefront of electronic health information exchange efforts and can serve as “building blocks” to a more mature national health information exchange.[24] Over the past decade, legislation, regulation, and policies concerning immunization data have become more conducive to full participation in IIS and to sharing and using the information outside the IIS, for example, with HIEs. To continue to be leaders in health information exchange and facilitate immunization of children and adults, IIS will need to address the challenges presented by the interplay of federal, state, and local legislation, regulations, and policies and continue to move toward standardized data collection and sharing necessary for interoperable systems. While the expanded use of EHRs and HIEs will continue to facilitate the exchange of immunization information, this expansion may challenge IIS’ continuing efforts to protect privacy and confidentiality and to enhance system security in order to maintain the trust of individuals, providers, and the public.