Skip to main content

Lawmakers Turn to Data Systems to Guide Vaccine Decision-Making

By Shannon Kolman  |  March 28, 2023

As the nation continues to execute the largest immunization campaign in history with COVID-19 vaccines, states have relied on their immunization information systems more than ever to identify trends and inform resource allocation and immunization policies. Immunization information systems, known as IISs and sometimes referred to as immunization registries, are confidential, secure computer databases that record all immunization doses administered by participating health care providers. State policymakers have options for increasing the ability of their IISs to provide more comprehensive information more quickly regarding population health decisions.

There are currently 64 immunization registries in the U.S., including in all 50 states, the District of Columbia, five cities, five territories and three freely associated states (the Federated States of Micronesia, the Republic of the Marshall Islands and the Republic of Palau). IISs are primarily operated under laws and regulations at the state, local, territorial and tribal level and are typically housed in public health departments. The Centers for Disease Control and Prevention supports these systems through cooperative agreement funding, technical assistance and the development and promotion of IIS standards.

At the point of care, an IIS helps health care providers identify the vaccines recommended for individual patients. At the population level, an IIS provides aggregate immunization data that helps guide public health decisions. For example, the CDC is developing a national surveillance system of de-identified IIS data to analyze immunization trends.

IISs allow states and other jurisdictions to streamline immunization functions by:

  • Creating comprehensive immunization records for individuals given that vaccines are often received in several locations.
  • Generating patient/client reminder and recall systems to ensure on-time vaccinations.
  • Facilitating vaccine ordering, tracking and inventory management.
  • Assisting health care providers, public health officials, schools and child care and other facilities with disease surveillance and outbreak responses.
  • Identifying areas at risk for vaccine-preventable diseases and targeting interventions and resources.
  • Informing assessments of vaccination coverage and disparities in vaccination coverage.

Increased Data Exchange Improves IIS Functionality

The functionality of IISs has increased over time to respond to modern demands for information. IISs that have a high level of interoperability offer greater potential for collecting and supplying comprehensive and actionable information. Interoperability refers to the exchange and use of data across systems, organizations and boundaries. In earlier years, staff had to manually enter immunization data into an IIS. The systems can now receive automated immunization data from vaccine providers through electronic health records. Real-time data exchange between immunization and health records systems increases the efficiency and accuracy of data coming into and out of IISs.

Electronic data exchange also allows immunization data from various vaccine providers to be more effectively consolidated to provide comprehensive immunization records. Consolidating immunization data from multiple sources can help clinicians, public health authorities and policymakers to better monitor, assess and respond to changing needs in the population.

role of immunization information systems in data consolidation and sharing chartSome IIS and health records systems have bidirectional connectivity, which helps vaccine providers make informed decisions at the point of care. For example, a bidirectional connection allows vaccine providers to query an IIS to check on vaccines given outside of their practice and ensure they aren’t duplicating vaccinations or missing needed vaccines. About 62% of IIS-health records connections were bidirectional as of 2020, according to the American Immunization Registry Association.

IISs also have the potential to exchange data with other jurisdictions and systems. The COVID-19 pandemic highlighted the mobility of individuals as they received vaccinations in areas other than where they live. Some IIS jurisdictions entered into memorandums of understanding to exchange data to track vaccinations received in other jurisdictions. A 2019 survey revealed that 45% of IISs also exchanged data with state Medicaid programs, a strategy that can help to identify vaccination trends or gaps in vulnerable communities.

Legislative Policy Options

During the pandemic, it’s estimated there was a 10-fold increase in submissions and queries to IISs. The increased activity placed additional demands on the systems to onboard new and nontraditional vaccination providers, provide immunization records to consumers, and report aggregate state-level immunization data to drive disease mitigation efforts and identify disparities in vaccination rates. The following section highlights legislative policy options regarding the capabilities of IISs to collect and share information to inform population health policies.

Enabling Laws

Most states and other jurisdictions have laws authorizing their public health authority to operate an IIS or monitor immunizations at a population-level, or both. A 2015 study showed that the number of jurisdictions providing authority for a public health department to operate an IIS has grown from 18% in 1995 to 81% in 2015. Enabling laws can clarify the appropriate authority and procedures to operate an IIS.

Consent to Participate

Laws regarding a vaccine recipient’s consent to allow immunization records to be stored vary by IIS. Consent may be implicit (opt out) or explicit (opt in), and laws regarding consent may differ by age group.

All 61 IIS jurisdictions that provided updated consent policies to the CDC in 2022 or early 2023 collect immunization data for children. Forty-three of those jurisdictions collect child vaccination data under implicit consent, with most allowing parents/guardians to opt out. Thirteen jurisdictions mandate reporting of child vaccinations to the IIS with no possibility to opt out (Alabama, American Samoa, California, Delaware, Massachusetts, Mississippi, New York City, New York State, North Carolina, Puerto Rico, South Carolina, South Dakota and Vermont).

For adult immunizations, at least 42 jurisdictions use implicit consent to include vaccinations in the IIS, generally with the choice to opt out. Eleven jurisdictions require reporting of adult immunizations to the IIS with no possibility to opt out (Alabama, American Samoa, California, Delaware, Massachusetts, Mississippi, North Carolina, Puerto Rico, South Carolina, South Dakota and Vermont).

The consent option chosen by an IIS jurisdiction can affect completeness of the data or population-level view. For example, when examining immunization data captured in IISs, age group differences are apparent. IISs included data on 98% of immunizations for children under 6, 86% of immunizations for adolescents from 11-17, and 89% for those 19 and older in 2021, according to the Immunization Registry Association. A landscape analysis by the association in May 2021 found that higher levels of participation are seen in jurisdictions with implicit consent.

Vaccine Provider Reporting

Laws regarding which vaccine providers must report immunization data vary by state and age of the vaccine recipient. Of the 60 IIS jurisdictions that submitted vaccine provider reporting policies to the CDC in 2022 or early 2023, 53 have a mandate for reporting vaccinations to the IIS. Reporting of adult vaccinations is lower than it is for children. Twenty-five jurisdictions require that all providers report adult immunizations, and 28 jurisdictions have some type of reporting requirement in place based on vaccine provider, age of patient, type of vaccine or specific circumstance (e.g., a declared public health emergency).

An Immunization Registry Association report offered a perspective on barriers to increasing the capture of adult vaccination data. Lack of provider incentives to report topped the list. Such incentives may include reporting mandates and financial or performance incentives. For example, Virginia enacted legislation in 2021 that requires all health care providers in the commonwealth that administer immunizations to report to the state IIS.

Interstate Data Exchange

A report from the Office of the National Coordinator for Health Information Technology provided insights into cross-jurisdictional exchange of data between IISs. On average, a person in the U.S. changes residences 11 times over his or her lifetime, providing challenges for authorities to track immunizations and for providers and patients to identify needed vaccines.

Laws regarding interstate data exchange vary by state. At least 36 IISs have authority to transmit or allow access to immunization data across state borders; of those, 10 derive authority from law. For example, Louisiana statute includes a procedure for sharing or transferring information with other immunization registries. Virginia law specifies that the board of health shall promulgate regulations for entering into data-sharing agreements with other state and regional immunization registries.

For states wanting to authorize data exchange among IISs, the CDC’s Immunization (IZ) Gateway can be a valuable tool. The gateway does not access or store IIS data but is a secure, cloud-based message-routing service enabling data exchange among jurisdictional IISs and multijurisdictional vaccine provider systems. The gateway can be used for the following scenarios:

  • To enable data sharing from multijurisdictional health care providers (Veterans Health Administration, large health systems, etc.) to jurisdictional IISs.
  • To facilitate data exchange between jurisdictional IISs.
  • To ensure consumers have access to their immunization records housed in an IIS via a third-party application.

Data sharing between multijurisdictional health care providers became a high priority for states during the pandemic. According to the CDC, over two-thirds of all jurisdictional IIS programs now have legal agreements in place to exchange data with multijurisdictional providers. Almost all IIS programs now exchange data with at least one other jurisdiction, and 92% of IIS jurisdictions have signed agreements to exchange data with another IIS jurisdiction.

Consumer Access

Traditionally, vaccine consumers had to request immunization records from the provider who gave the vaccine(s) or their state or local health department. IIS programs allow consumers to directly access their vaccination records, and many states are moving to facilitate such access. At least 30 states have provided consumer access to vaccine records or are planning to, according to the Immunization Registry Association. For example, people in Colorado or Mississippi can request an immunization record for themselves or their children from a public portal. Recent Indiana legislation would require the state health department to release a scannable code linking to IIS records for consumers who request it.

Race/Ethnicity Data

The collection and reporting of race and ethnicity immunization data has been highlighted as a challenge during the pandemic. For example, during the first months of the U.S. vaccination program, race/ethnicity was unknown for approximately one half of the population who received a COVID-19 immunization. More recently, an analysis of COVID-19 vaccination data by race and ethnicity revealed marked disparities throughout the U.S., particularly for Black and Hispanic populations.

Although IISs are generally able to collect the data, vaccine providers or recipients may skip race and ethnicity category or select “unknown” during intake processes. States and other IIS jurisdictions can consider requiring or incentivizing vaccine providers to collect race and ethnicity data. For example, California recently enacted legislation that requires health care providers, schools, child care facilities and other vaccine providers to add race and ethnicity to the list of immunization information that must be disclosed.

Interested in learning more about the immunization information system in your state? Reach out to your jurisdictional IIS or state health department.

Shannon Kolman is a policy specialist in NCSL’s Health Program.

Source for chart: How ready was the US vaccination infrastructure and network of IIS for COVID-19 vaccination campaigns, July 7, 2022.

This project is supported by the Centers for Disease Control and Prevention of the U.S. Department of Health and Human Services as part of a financial assistance award totaling $300,000 with 100% funded by CDC/HHS. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement by, CDC/HHS or the U.S. government.

  • Contact NCSL

  • For more information on this topic, use this form to reach NCSL staff.