SSG Blog

How Is Information in the IIS Kept Confidential?

Posted on October 9th, 2023   |   SSG

State immunization information systems (IIS) contain sensitive information about which individuals are immunized against various diseases, but this data is used for more than just administering vaccines. It helps public health officials and epidemiologists protect the population from the spread of disease by giving them greater insight into which parts of the community face the most risk. However, this information must be kept confidential and used only for public health purposes, even though it isn’t protected under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Public health departments, including IIS managers and users, manage this information and use it in their analysis. Protecting it includes limiting access to the IIS database and restricting the use of personally identifiable information to what’s required to track the spread of disease. The rules for protecting this information vary by state, and each organization may use a different encryption method, but they are all designed to protect patient data. Learn about the best practices for storing and sharing state IIS information.

IIS Confidentiality FAQs:

How is information in the IIS kept confidential? 

The IIS must protect the identities of their patients, including adults and children who have received their vaccines. The data should only be accessible to the patient, the public health agency, and the patient’s healthcare provider(s).

The agency must outline its privacy policy in a confidentiality statement and make it available to patients and providers. The statement should include the terms and conditions of IIS inclusion and information about the agency’s opt-out policy. It should also include guidelines regarding access, use, and disclosure of IIS data and how long data is retained. Research the privacy laws for IIS information in your state for more information.

Data confidentiality requirements vary from state to state. The Centers for Disease Control and Prevention (CDC) has outlined standards to ensure state immunization information systems keep this data secure. 

What encryption protocols does the IIS use? 

The connection between the user’s internet browser and the IIS database is encrypted to prevent outside parties from accessing this information online. Many systems use 128-bit encryption, which is typically considered unbreakable; in practice, the protection also depends on the protocol and cipher configuration in use, not on key length alone. The application is also kept behind a secure firewall.

Are there access controls in place to safeguard information in the IIS?

Immunization information system (IIS) data is stored electronically in secure databases that reside on application servers. The IIS is designed to be HIPAA compliant so that all information stored on the system is protected.

Access to the public health software program is protected by a username and password. Users must sign a confidentiality agreement with the organization to create an IIS account. The program automatically prevents users from having the same password or username. The login information should be unique and difficult to guess. The system may also automatically require users to create a new password every three months.

The agency and organizations with access to the IIS must report any suspicious activity or data breaches to patients and users within two days of discovery. 

The server infrastructure that powers the IIS network is kept in a secure location.

When sharing this information, access is limited to the fewest number of people needed to analyze it for public health purposes. Administrators should remove employees and inactive users from the IIS when they leave. 

The IIS allows providers and administrators to communicate with one another inside the application so their correspondence is protected. If a provider needs to contact a patient about their records, it should be done over the phone. Information sent over email requires encryption, and an IIS username or identifying number must replace the patient’s name to limit the use of personally identifiable information.

Less is more. The amount of information shared should always be limited to what’s needed to keep the public safe from the spread of disease. 

Getting vaccinated is a personal decision. IIS privacy standards build trust within the community by giving residents more insight into how their immunization information is stored and used at the state and local levels. Public health officials must ensure this information doesn’t fall into the wrong hands, so individual health decisions remain private. Contact SSG to learn more about our secure records solutions for public health.