Confidentiality/Security

HIPAA and CIIS

The Colorado Department of Public Health and Environment is a public health authority and is authorized by the Colorado Immunization Registry Act (Section 25-4-2403, C.R.S.) to collect and receive immunization information for the purpose of preventing or controlling disease and/or implementing public health interventions. Preventing communicable disease and public health interventions require the patient’s name and other identifying information such as address, vaccine type, manufacturer, lot number, date of vaccine administration and Medicaid eligibility.

The reporting of immunization data to the Colorado Immunization Information System is exempt from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule since it is considered a public health activity. HIPAA allows public health authorities to collect immunization information without an authorization. The requirement to track disclosures of information still applies, however, and CIIS provides a feature that complies with this HIPAA disclosure tracking requirement.

The HIPAA Privacy Rule applies to Covered Entities. A Covered Entity (CE) is a health plan, a healthcare clearinghouse or a healthcare provider who transmits certain health claims information electronically. In brief, a CE is allowed to disclose the immunization information requested by CIIS, including patient identifiers, to CIIS without authorization. The CE should include this disclosure in its notice of privacy practices and minimum necessary policies and procedures. The CE must keep track of all immunization information disclosures. CIIS can provide a report of disclosures made to the registry if the CE does not have another system to track disclosures. For more details about the application of HIPAA to CIIS, please click here.