Privacy and Confidentiality

Immunization registries have fallen squarely in the middle of the debate about issues of privacy, confidentiality and security, with the protection of public health being weighed against protection of individuals' privacy rights. An immunization record includes sensitive identifying and medical information. Although privacy and confidentiality issues are not unique to computerized immunization registries (safeguards must be in place for current paper systems, too), developers of immunization registries have had to demonstrate that the privacy of individuals and confidentiality of data can be maintained. Registries accomplish this through a variety of electronic and policy safeguards that prevent inappropriate disclosure of information or inappropriate access by unauthorized users.

Data from the CDC 1999 annual report on immunization registries show that of 35 operating immunization registries (34 states and the District of Columbia), 74% now have written confidentiality policies and 63% have written security plans in place. However, all immunization registries have one or more technical means in place to protect security of data: encryption, passwords, or firewalls.

To guide developing immunization registries CDC and AKC included a chapter on confidentiality in the Community Immunization Registries Manual, approved by the National Vaccine Advisory Committee (NVAC) in 1997. The NVAC workgroup on registries identified confidentiality and privacy as one of the four key registry issues. Public hearings and parent focus groups were held across the country in 1998 debating  this issue. The resulting 1998 NVAC report on registries called for the development of minimum specifications for privacy and confidentiality. A workgroup was formed by CDC to revise the  chapter on confidentiality in the Manual to include minimum specifications for protecting privacy and guidelines for implementing the specifications. The specifications address confidentiality policies, user agreements to protect confidentiality, parent notification, parent choice on participating in the registry, use of immunization registry information, access to and disclosure of  information, penalties for unauthorized disclosures, and data retention and disposal. The revised chapter was approved by NVAC in February 2000.

All Kids Count also created frameworks for developing confidentiality policies and security plans and provides these frameworks to immunization registry projects.

No comprehensive federal statute on health information confidentiality yet exists. As a result, registries have developed under a diverse set of state laws governing data collection and sharing. Federal standards for health care information security and privacy, as required by the 1996 Health Insurance Portability and Accountability Act (HIPAA), should be issued sometime in 2000. Under this legislation, the DHHS is to develop security standards for the transmission and storage of personally identifiable health information. Once in place, registries and most health organizations have two years to bring information systems and data communications security into compliance. For more information on HIPAA, go to http://aspe.hhs.gov/admnsimp/Index.htm

Privacy Fact Sheet

^{Back to Key Issues}