IIS Policy and Legislation

Overview

Immunization information systems (IISs) are maintained and managed by public health entities that are funded by CDC’s 317/Vaccines for Children (VFC) cooperative agreement and serve defined jurisdictions, which can be metropolitan areas, states, or territories. The United States currently has 64 jurisdictions, including all 50 states, a few metropolitan areas, and several current and former U.S. territories.

Each jurisdiction must follow a combination of federal, jurisdictional, and local policies. The policies reviewed on this webpage address four key areas:

  • Legal authorization to operate the IIS,
  • Vaccine recipients' consent to participate in the IIS,
  • Vaccination provider reporting to the IIS, and
  • Sharing data from the IIS with public health entities.

Legal Authorization

Authorization policies allow jurisdictions to have and maintain IISs that contain their populations' vaccine administration data.

Consent to Participate

Jurisdictional consent policies address whether the jurisdiction needs to obtain an individual’s permission to collect and share their vaccine administration data via the IIS. Consent policies may differ for children and adults, or they may be the same. These policies may require:

  • Implicit consent, meaning that vaccine recipients are included in the IIS unless they choose to opt out;
  • Explicit consent, meaning that vaccine recipients must give consent, or opt in, to be included in the IIS; or
  • Mandatory inclusion, meaning that vaccine recipients are included in the IIS with no possibility to opt out.

Provider Reporting

Jurisdictional reporting policies address whether vaccination providers are required to submit vaccine administration data to the IIS. Vaccination providers can include physicians, pharmacists, or any licensed healthcare professional authorized to administer vaccines within a jurisdiction. Reporting policies may:

  • Mandate reporting of all immunizations for all vaccine recipients;
  • Mandate reporting of all immunizations for only a subset of vaccine recipients (e.g., children age 18 or younger);
  • Mandate reporting of immunizations by only certain providers (e.g., pharmacists, registered nurses);
  • Mandate reporting of only specific immunizations (e.g., COVID-19, influenza);
  • Mandate reporting of immunizations only under certain circumstances (e.g., a declared disaster); and/or
  • Not mandate reporting but allow providers to report immunizations voluntarily.

Data Sharing

Data sharing policies define requirements and/or restrictions for sharing immunization data from the jurisdiction’s IIS with other public health entities, such as CDC and other IISs. Data sharing helps to consolidate immunization records for an individual (e.g., an adult who receives a vaccine outside of the jurisdiction in which they live) and to facilitate management of public health emergencies while fully complying with privacy and confidentiality laws and regulations. 

Data sharing policies may include aspects such as:

  • Requiring a data use agreement (DUA) or memorandum of understanding (MOU);
  • Requiring that the data are only used for public health or other specific purposes (e.g., disease surveillance, IIS management);
  • Protecting the data's confidentiality;
  • Sharing data upon request or with approval or authorization;
  • Allowing only deidentified data or nonidentifying summary statistics to be shared;
  • Allowing vaccine recipients to request to limit sharing their data that are stored in the IIS; and/or
  • Allowing data to be shared only during a declared state of emergency.

CDC completed its most recent review of jurisdictional IIS policies in 2024. Personnel and contractors working with CDC’s Informatics and Data Analytics Branch (IDAB) engaged with all 64 jurisdictions by email to obtain and/or confirm their current IIS consent, provider reporting, and data sharing policies. Going forward, IDAB will conduct an annual review of jurisdictional IIS policies to ensure timely updates to the data.

Privacy, confidentiality, and information security are important components of all IISs. To better understand how jurisdictional IISs and their policies address these areas, review the IIS Functional Standards. The following links and documents provide information on the Health Insurance Portability and Accountability Act (HIPAA), a federal law that protects the privacy and confidentiality of patient health information.

IIS States and Jurisdictions