Registry links

  • American Immunization Registry Association
  • The website provides abundant research and a forum where interested organizations and individuals share knowledge that promotes registry activities
  • CDC Immunization Information Systems Webpage
  • General information on immunization registries. Detailed information on topics such as Privacy, Confidentiality, Security, Legislation, Technical Development and Guidance, Funding, and Registry Participation.
  • Survey of State Immunization Registry Legislation
  • This document contains a table summarizing the results from a survey of state immunization registry-related legislation conducted by the Centers for Disease Control and Prevention's National Immunization Program (CDC/NIP). It is regularly updated by CDC.

ECBT Immunization Registry Resources:

 


ecbt

Ensuring Confidentiality of Data

HIPAA/ Privacy and Confidentiality

Registries are guided by government issued standards designed to protect the privacy of all users, including children, families, and providers. According to the standards all registries must have a written privacy policy that clearly defines the following:

  • Notification – parents must be notified of the existence of the registry, what information will be contained in it, and how the information will be used.
  • Choice – Parents must have the right to choose if they wish to have their children participate, or not participate.
  • Use of registry information – IIS information must only be used for its intended purpose and not be used in a punitive manner.
  • Access to and Disclosure of registry information – Policies must clearly define who has access to registry information, what constitutes a breach of confidentiality, and what the associated penalties are.
  • Data Retention the period of time that registry information will be kept.

The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) actually has two sections, Title I and Title II.

Title I deals with the protection of health insurance coverage for those people who lose or change jobs.

Title II deals with the standardization of healthcare-related information systems. It requires medical providers to ensure that they protect the privacy and security of their patients' medical information and also that they use a standard format when submitting electronic transactions, such as submitting claims to payers.

HIPAA seeks to establish standardized mechanisms for electronic data interchange, security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.

The compliance date for HIPAA’s Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, was April 2003.  The Privacy Rule governs the use and disclosure of protected health information by “covered entities”.  Health care providers, health plans and health care clearinghouses are covered entities.  Since most registries (IIS) do not perform covered functions (e.g. direct service payments), they are not required to comply with HIPAA.  However, maintaining the privacy and security of immunization data has been and continues to be a major priority of registry developers and public health personnel nationwide.
 
For very detailed information on HIPAA please go to the Health and Human Services website page at http://www.hhs.gov/ocr/hipaa/

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive federal funds under an applicable program of the U.S. Department of Education and gives parents certain rights with respect to their children's education records.   The rights include:

  • The right to inspect and review the student's education records maintained by the school. Schools are only required to provide a copy of the record when it is impossible for the recipient to review the records as in cases where they are a great distance from the school. The school may charge a fee for copies they provide.
  • The right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth their opinion regarding the contested information.
  • Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to certain parties or under certain conditions:
    • They may release to school officials with legitimate educational interest;
    • They may release to other schools to which a student is transferring;
    • They may release to specified officials for audit or evaluation purposes;
    • They may release to appropriate parties in connection with financial aid to a student;
    • They may release to organizations conducting certain studies for or on behalf of the school;
    • They may release to accrediting organizations;
    • They may release in order to comply with a judicial order or lawfully issued subpoena;
    • They may release to appropriate officials in cases of health and safety emergencies; and
    • They may release to state and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance but they must tell the parents, guardians and/or eligible students about the directory information and allow them a reasonable amount of time to request that the school not disclose this information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

HIPAA/FERPA Issues

Under HIPAA, Covered Entities (including health departments and immunization registries) are subject to other federal laws and regulations but HIPAA excludes any records that are covered by FERPA.  That means the information contained in an education record is exempt from HIPAA requirements and only subject to FERPA requirements.  A problem arises with regard to immunization registries, public health practice and FERPA.  Most states have mandatory student immunization laws, along with requirements for schools to monitor student compliance with these laws.  Immunization registries provide a very efficient way to monitor student compliance with these laws.  Immunization data flowing into the schools from the immunization registry is not restricted by FERPA and is therefore a great tool to determine if students are in compliance with immunization regulations for school entry.  The schools collect important immunization data that would be very beneficial to include in registries (from shots given at school clinics and student compliance documentation provided to the schools by parents and providers).  FERPA requires written parental consent for this data to be provided to the registry.   Ideally, FERPA should contain provisions similar to those made under HIPAA laws allowing disclosure to public health where it is mandated or permitted by law.  Unfortunately, this is not currently the case and so the flow of information from the schools into the immunization registry is severely, if not totally limited.