Some IIS and health records systems have bidirectional connectivity, which helps vaccine providers make informed decisions at the point of care. For example, a bidirectional connection allows vaccine providers to query an IIS to check on vaccines given outside of their practice and ensure they aren’t duplicating vaccinations or missing needed vaccines. Approximately 62% of IIS-health records connections were bidirectional as of 2020, according to American Immunization Registry Association.
IISs also have the potential to exchange data with other jurisdictions and systems. The COVID-19 pandemic highlighted the mobility of individuals as they received vaccinations in areas other than where they live. Some IIS jurisdictions entered into memorandums of understanding to exchange data to track vaccinations received in other jurisdictions. A 2019 survey revealed that 45% of IISs also exchanged data with state Medicaid programs, a strategy that can help to identify vaccination trends or gaps in vulnerable communities.
Legislative Policy Options
During the pandemic, it’s estimated there was a 10-fold increase in submissions and queries to IISs. The increased activity placed additional demands on systems to onboard new and non-traditional vaccination providers, provide immunization records to consumers, and report aggregate state-level immunization data to drive disease mitigation efforts and identify disparities in vaccination rates. The following section highlights legislative policy options regarding the capabilities of IISs to collect and share information to inform population health policies.
Most states and other jurisdictions have laws authorizing their public health authority to operate an IIS or monitor immunizations at a population-level, or both. A 2015 study showed that the number of jurisdictions providing authority for a public health department to operate an IIS has grown from 18% in 1995 to 81% in 2015. Enabling laws can clarify the appropriate authority and procedures to operate an IIS.
Consent to Participate
Laws regarding a vaccine recipient’s consent to allow immunization records to be stored vary by IIS. Consent may be implicit (opt out) or explicit (opt in), and laws regarding consent may differ by age group.
All 61 IIS jurisdictions that provided updated consent policies to the CDC, in 2022 or early 2023, collect immunization data for children. Forty-three of those jurisdictions collect child vaccination data under implicit consent, with most allowing parents/guardians to opt out. Thirteen jurisdictions mandate reporting of child vaccinations to the IIS with no possibility to opt out (Alabama, American Samoa, California, Delaware, Massachusetts, Mississippi, New York City, New York State, North Carolina, Puerto Rico, South Carolina, South Dakota and Vermont).
For adult immunizations, at least 42 jurisdictions use implicit consent to include vaccinations in the IIS, generally with the choice to opt out. Eleven jurisdictions require reporting of adult immunizations to the IIS with no possibility to opt out (Alabama, American Samoa, California, Delaware, Massachusetts, Mississippi, North Carolina, Puerto Rico, South Carolina, South Dakota and Vermont).
The consent option chosen by an IIS jurisdiction can affect completeness of the data or population-level view. For example, when examining immunization data captured in IISs, age group differences are apparent. IISs included data on 98% of immunizations for children under 6 years of age, 86% of immunizations for adolescents ages 11-17 and 89% for those 19 and older in 2021, according to the Immunization Registry Association. A landscape analysis by the association in May 2021 found that higher levels of participation are seen in jurisdictions with implicit consent.
Vaccine Provider Reporting
Laws regarding which vaccine providers must report immunization data vary by state and age of the vaccine recipient. Of the 60 IIS jurisdictions that submitted vaccine provider reporting policies to the CDC in 2022 or early 2023, 53 have a mandate for reporting vaccinations to the IIS. Reporting of adult vaccinations is lower than it is for children. Twenty-five jurisdictions require that all providers report adult immunizations, and 28 jurisdictions have some type of reporting requirement in place based on vaccine provider, age of patient, type of vaccine or specific circumstance (e.g., a declared public health emergency).
An Immunization Registry Association report offered a perspective on barriers to increasing the capture of adult vaccination data. Lack of provider incentives to report topped the list. Such incentives may include reporting mandates and financial or performance incentives. For example, Virginia enacted legislation in 2021 that requires all health care providers in the commonwealth that administer immunizations to report to the state IIS.
Interstate Data Exchange
A report from the Office of the National Coordinator for Health Information Technology provided insights into cross-jurisdictional exchange of data between IISs. On average, a person in the U.S. changes residences 11 times over his or her lifetime, providing challenges for authorities to track immunizations and for providers and patients to identify needed vaccines.
Laws regarding interstate data exchange vary by state. At least 36 IISs have authority to transmit or allow access to immunization data across state borders; of those, 10 derive authority from law. For example, Louisiana statute includes a procedure for sharing or transferring information with other immunization registries. Virginia law specifies that the board of health shall promulgate regulations for entering into data-sharing agreements with other state and regional immunization registries.
For states who want to authorize data exchange among IISs, the CDC’s Immunization (IZ) Gateway can be a valuable tool. The gateway does not access or store IIS data but is a secure, cloud-based message-routing service enabling data exchange among jurisdictional IISs and multijurisdictional vaccine provider systems. The gateway can be used for the following scenarios:
- To enable data sharing from multijurisdictional health care providers (Veterans Health Administration, large health systems, etc.) to jurisdictional IISs.
- To facilitate data exchange between jurisdictional IISs.
- To ensure consumers have access to their immunization records housed in an IIS via a third-party application.
Data sharing between multijurisdictional health care providers became a high priority for states during the pandemic. According to the CDC, over two-thirds of all jurisdictional IIS programs now have legal agreements in place to exchange data with multijurisdictional providers. Almost all IIS programs now exchange data with at least one other jurisdiction, and 92% of IIS jurisdictions have signed agreements to exchange data with another IIS jurisdiction.
Traditionally, vaccine consumers had to request immunization records from the provider who gave the vaccine(s) or their state or local health department. IIS programs allow consumers to directly access their vaccination records, and many states are moving to facilitate such access. At least 30 states have provided consumer access to vaccine records or are planning to, according to the Immunization Registry Association. For example, people in Colorado or Mississippi can request an immunization record for themselves or their children from a public portal. Recent Indiana legislation would require the state health department to release a scannable code linking to IIS records for consumers who request it.
The collection and reporting of race and ethnicity immunization data has been highlighted as a challenge during the pandemic. For example, during the first months of the U.S. vaccination program, race/ethnicity was unknown for approximately one half of the population who received a COVID-19 immunization. More recently, an analysis of COVID-19 vaccination data by race and ethnicity revealed marked disparities throughout the U.S., particularly for Black and Hispanic populations.
Although IISs are generally able to collect the data, vaccine providers or recipients may skip the race and ethnicity category or select “unknown” during intake processes. States and other IIS jurisdictions can consider requiring or incentivizing vaccine providers to collect race and ethnicity data. For example, California recently enacted legislation that requires health care providers, schools, child care facilities and other vaccine providers to add race and ethnicity to the list of immunization information that must be disclosed.
Interested in learning more about the immunization information system in your state? Reach out to your jurisdictional IIS or state health department.
Shannon Kolman is a policy specialist in NCSL’s Health Program.
This project is supported by the Centers for Disease Control and Prevention of the U.S. Department of Health and Human Services as part of a financial assistance award totaling $300,000 with 100% funded by CDC/HHS. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement by, CDC/HHS or the U.S. government.