SSG Blog

Considerations for Consumer Access in Immunization Information Systems | SSG

Posted on September 9th, 2021   |   SSG

Over the past year, immunizations and vaccines have been a hot topic for public health and the general population. At the beginning of 2021, vaccines were poised as the solution to get us out of the pandemic and help us recover some sense of normalcy. Now, as more of the population is vaccinated, attention has turned to vaccine records access and privacy implications.

We wanted to share the top considerations that we’ve seen for consumer access to vaccination records and immunization information systems (IIS), and how we’ve addressed them in our system.

Consideration #1: Privacy and security

When people hear “consumer access,” their attention immediately jumps to privacy and security. SSG’s consumer access application does not hold any patient data or information, it simply queries data and pulls it in from the state’s existing Immunization Information System (IIS), and this is intentional due to privacy and security concerns. However, we recognize that consumers are still worried about how user identities can be authenticated to ensure data is only accessible by the individual. 

This is managed with our customers and applications through a multi-step process. First, the user must enter basic information about themselves, including first name, last name, date of birth, gender, phone number, and email. This input is validated against the data that exists in the IIS. To validate the information, we send an HL7 QBP request to the IIS and use an algorithm to determine if a match can be found based on the information provided. If a match is found, we send a one-time code to the phone number provided, which expires in a day. We also send an email with a link to complete the registration process using the one-time code. Users are able to add children and other dependents where authentication follows the same process.

We also work with the state security department to ensure that any state-specific security requirements are followed.

Consideration #2: Data quality and deduplication

The next important consideration when implementing a consumer access application is the data quality and deduplication that may already be in place within your IIS. How many possible matches do you have in your queue? If a user is requesting consumer access and partial records are sent back to them, a process is needed for record update requests. Often, the user is directed to contact their provider to update their information and, in the event of any duplicate records, a decision is made by the program.

With consumer access, the requestor is asking about their own personal information. Because of this, we have updated our QBP response so that all known records are returned to the patient. 

Consideration #3: Flexibility and adaptability

The past 18 months have taught us several lessons: one of the most important ones is to be adaptable based on the current environment and needs. When we were establishing our authentication method, we wanted to ensure that the burden was not placed on the providers. As we know, providers are already busy and don’t have time to take on authentication for the consumer access portal. We decided to implement an optional process whereby, if a user is unable to authenticate themselves based on the information in the IIS, there is a mechanism where a provider can confirm a user’s access.

In the future, we hope to add forecasting functionality, where upcoming vaccine reminders are sent to users. We also anticipate adding clinical comments, which would indicate any history of disease, or any medical or religious exemptions found in the individual’s IIS record.

Consideration #4: Equity

We want to make sure that all of the individuals within each state have the same access capabilities, regardless of their situation. That’s why we include access in multiple languages. When considering which ones to support, you need to look at your population and the languages they use. Although the shot information itself is not translated, all of the instructional texts, any of the field labels, or any of our print templates would reflect the individual’s preferred language.

The other factor we’ve considered is that not everyone has access to a cell phone; or if they do, phone numbers can change. We improved this process by implementing the ability to authenticate a user based on email address alone, with the one-time code and link going to the user’s email. 

Consideration #5: Adoption and messaging

Finally, public health units need to consider the adoption and messaging of the consumer access portal. How will you make this information available to the public? Do you want to run a pilot program first or roll it out statewide? How access to consumers is rolled out is often determined by the state. 

Considering the overall look and feel of the passports and vaccine records is also important, as it helps to make the platform feel authentic for consumers who are accessing it. For vaccine records and certifications that are available through consumer access platforms, it’s important that state certificates look consistent with government data, and official. Certification also needs to be mobile friendly, as many end-users will be accessing this via tablet or mobile phone for tracking and vaccine passports. 

The biggest and newest discussion is around the ability to scan a QR code to produce immunization information, which some states are referring to as a “vaccine passport”. Some countries are now requiring this information in order to travel. Our consumer access application is capable of doing this; however, we are waiting for further guidance from the CDC. We are also making school certificates available on the consumer access portal, so instead of having to rely on a provider site, users can print out any school certificates for their dependents from the consumer access portal.

Implementing Consumer Access Within Your State’s IIS

Since our consumer access portal is separate from the actual IIS, it can be integrated into existing IIS systems and implemented rapidly. This allows for the functionality of a consumer access system, without having to dramatically upend existing IIS systems. State requirements must still be considered in regards to domains, security and privacy, and testing. 

With COVID-19 still an active topic of concern for public health departments and citizens, consumer access to vaccination records will be increasingly important. As more information from the CDC is released, the SSG Consumer Access Solution will reflect best practices and follow updated guidelines. If you’re interested in learning more about incorporating consumer access into your IIS, watch our latest webinar.