TITLE 12. HEALTH

STATE BOARD OF HEALTH

Fast-Track Regulation

Title of Regulation: 12VAC5-115. Virginia Immunization Information System (amending 12VAC5-115-10 through 12VAC5-115-70).

Statutory Authority: §§ 32.1-12 and 32.1-46.01 of the Code of Virginia.

Public Hearing Information: No public hearing is currently scheduled.

Public Comment Deadline: July 29, 2026.

Effective Date: August 13, 2026.

Agency Contact: Christy Gray, Director, Division of Immunizations, Virginia Department of Health, 109 Governor Street, Richmond, VA 23219, telephone (804) 864-7928, or email epi-comments@vdh.virginia.gov.

Basis: Section 32.1-12 of the Code of Virginia authorizes the State Board of Health to make, adopt, promulgate, and enforce regulations necessary to carry out the provisions of Title 32.1 of the Code of Virginia and other laws of the Commonwealth administered by the board, the State Health Commissioner, or the Virginia Department of Health. Section 32.1-46.01 of the Code of Virginia requires the board to establish the Virginia Immunization Information System (VIIS) and to promulgate regulations to implement the VIIS.

Purpose: This action is needed to clarify and update the regulation to reflect current VIIS practices and to maximize VIIS capabilities to positively impact public health. The action is essential to protect the health, safety, and welfare of citizens because it streamlines immunization data recordkeeping and provider access to comprehensive immunization records, leading to better-informed patient care and, potentially, improved patient outcomes.

Rationale for Using Fast-Track Rulemaking Process: This action is expected to be noncontroversial because the amendments are either (i) technical or clarifying in nature or (ii) intended to align the regulation with current standards of practice. No comments were received during the periodic review public comment period. Therefore, this action is appropriate for the fast-track rulemaking process.

Substance: The amendments (i) update definitions; (ii) clarify required and authorized participants in the VIIS system; (iii) update the VIIS registration, onboarding, and training processes; (iv) clarify authorized use of VIIS to protect patient confidentiality; (v) update the VIIS opt-out process; (vi) clarify the VIIS access and reactivation processes; and (vii) update the list of demographic information required to be reported and the timing of VIIS immunization data reporting, including removing social security number as a required field.

Issues: The primary advantages to the public, the agency, and the Commonwealth include (i) streamlined immunization data recordkeeping and provider access to comprehensive immunization records, leading to better-informed patient care and, potentially, improved patient outcomes; (ii) improved electronic VIIS registration, onboarding, and training processes that may reduce costs to health care providers and health care entities through increased efficiency and reduced manual paperwork; and (iii) simplified patient opt-out of VIIS through an electronic form. Another advantage to the agency and the Commonwealth is clarification of the regulation, which will improve understanding and compliance by regulants. There are no disadvantages to the public or the Commonwealth.

Department of Planning and Budget Economic Impact Analysis:

The Department of Planning and Budget (DPB) has analyzed the economic impact of this proposed regulation in accordance with § 2.2-4007.04 of the Code of Virginia and Executive Order 19. The analysis presented represents DPB's best estimate of the potential economic impacts as of the date of this analysis.¹

Summary of the Proposed Amendments to Regulation. Following a 2024 periodic review,² the State Board of Health (board) proposes to amend and update the regulation to accurately reflect the current paperless functioning of the online Virginia Immunization Information System (VIIS).

Background. The VIIS system contains the birth to death immunization histories of individuals by collecting and merging data from various sources. According to the Virginia Department of Health (VDH), this system is vital to ensuring that immunization data is readily available to providers and other health care entities so that they can provide timely and appropriate patient care in cases where immunization information is pertinent. The system also helps public health efforts to control and prevent vaccine-preventable diseases and effectively respond to public health emergencies (e.g., pandemics). The VIIS regulation sets rules for all providers and health care entities on the appropriate use of VIIS by defining protocols related to authorized participants, registration procedures, patient confidentiality, security, data entry and quality assurance, data release, data access, and forms. VDH reports that sometime in 2018 or 2019, VIIS has transitioned fully into a paperless online system. The transition has rendered paper-based forms and the regulatory language regarding paper transactions obsolete. Thus, following the periodic review, the board proposes to amend and update the regulation to accurately reflect the current paperless functioning of the VIIS system. More specifically, the amended language mainly pertains to updating definitions; provider registration, onboarding, training processes; patient opt-out process; the list of demographic information currently collected if available (e.g., email, race, and ethnicity) and no longer collected (e.g., social security number) since the transition; the time frame of data reporting as needed to reflect the current reporting timeframes (e.g., three days compared to the seven days used with the paper based system); and repealing paper based forms.

Estimated Benefits and Costs. According to VDH, the fully electronic paperless immunization information system has been in place since the 2018-2019 period. However, the regulatory language, particularly the portions addressing forms and paper-based processes, is out of date. The proposed amendments would update the language to accurately reflect how the fully electronic, paperless system processes work in practice. VDH believes that replacing or removing manual forms or processes and transitioning activities to the electronic portal likely improved the efficiency of VIIS registration, onboarding, and reporting of immunization-related data. For health care providers and health care entities required to report, electronic reporting is probably more cost effective compared to faxing or mailing paper reports because those methods cost money for postage, fax lines, and paper. There may have been also a reduction in staffing costs through more efficient processes and a reduction in labor necessary to process paper forms. However, since the new system has been in place for over six years, the proposed changes to the regulation are not expected to create any economic impact other than improving the accuracy of the text description of the processes and rules currently followed.

Businesses and Other Entities Affected. The current regulation applies to health care providers, local health departments, and other entities that provide patient immunizations. VDH reports that there are a total of 6,147 active entities using VIIS (i.e., 222 public health providers, 423 pediatricians, 864 family practices, 172 hospitals, 1,182 pharmacies, 320 school, college, or childcare entities, 216 community care entities, 1,067 other organizations, 1,665 other medical specialties, and 16 health plans). In a given year, approximately seven million vaccination reports are received through VIIS. No entities appear to be disproportionately affected. The Code of Virginia requires DPB to assess whether an adverse impact may result from the proposed regulation.³ An adverse impact is indicated if there is any increase in net cost or reduction in net benefit for any entity, even if the benefits exceed the costs for all entities combined.⁴ The proposal does not increase costs or reduce benefits for any entity. Thus, no adverse impact is indicated.

Small Businesses⁵ Affected.⁶ The proposed amendments do not appear to adversely affect small businesses.

Localities⁷ Affected.⁸ The proposed amendments do not introduce costs for localities, nor do they disproportionately affect any locality.

Projected Impact on Employment. The proposed amendments do not appear to affect total employment.

Effects on the Use and Value of Private Property. No effects on the use and value of private property nor on real estate development costs are expected.

_____________________________

¹ Section 2.2-4007.04 of the Code of Virginia requires that such economic impact analyses determine the public benefits and costs of the proposed amendments. Further the analysis should include but not be limited to: (1) the projected number of businesses or other entities to whom the proposed regulatory action would apply, (2) the identity of any localities and types of businesses or other entities particularly affected, (3) the projected number of persons and employment positions to be affected, (4) the projected costs to affected businesses or entities to implement or comply with the regulation, and (5) the impact on the use and value of private property.

² https://townhall.virginia.gov/L/ViewPReview.cfm?PRid=2470.

³ Pursuant to § 2.2-4007.04 D: In the event this economic impact analysis reveals that the proposed regulation would have an adverse economic impact on businesses or would impose a significant adverse economic impact on a locality, business, or entity particularly affected, the Department of Planning and Budget shall advise the Joint Commission on Administrative Rules, the House Committee on Appropriations, and the Senate Committee on Finance. Statute does not define "adverse impact," state whether only Virginia entities should be considered, nor indicate whether an adverse impact results from regulatory requirements mandated by legislation.

⁴ Statute does not define "adverse impact," state whether only Virginia entities should be considered, nor indicate whether an adverse impact results from regulatory requirements mandated by legislation. As a result, DPB has adopted a definition of adverse impact that assesses changes in net costs and benefits for each affected Virginia entity that directly results from discretionary changes to the regulation.

⁵ Pursuant to § 2.2-4007.04, small business is defined as "a business entity, including its affiliates, that (i) is independently owned and operated and (ii) employs fewer than 500 full-time employees or has gross annual sales of less than $6 million."

⁶ If the proposed regulatory action may have an adverse effect on small businesses, § 2.2-4007.04 requires that such economic impact analyses include: (1) an identification and estimate of the number of small businesses subject to the proposed regulation, (2) the projected reporting, recordkeeping, and other administrative costs required for small businesses to comply with the proposed regulation, including the type of professional skills necessary for preparing required reports and other documents, (3) a statement of the probable effect of the proposed regulation on affected small businesses, and (4) a description of any less intrusive or less costly alternative methods of achieving the purpose of the proposed regulation. Additionally, pursuant to § 2.2-4007.1 of the Code of Virginia, if there is a finding that a proposed regulation may have an adverse impact on small business, the Joint Commission on Administrative Rules shall be notified.

⁷ "Locality" can refer to either local governments or the locations in the Commonwealth where the activities relevant to the regulatory change are most likely to occur.

⁸ Section 2.2-4007.04 defines "particularly affected" as bearing disproportionate material impact.

Agency Response to Economic Impact Analysis: The State Board of Health concurs with the economic impact analysis prepared by the Department of Planning and Budget.

Summary:

As a result of a periodic review, the amendments (i) clarify requirements, procedures, and who is a required or an authorized participant in the VIIS system; (ii) update the VIIS registration, onboarding, and training processes; (iii) clarify authorized use of VIIS to protect patient confidentiality; (iv) update the VIIS opt-out process; (v) clarify VIIS access and reactivation processes; and (vi) update the list of demographic information required to be reported and the timing of VIIS immunization data reporting.

12VAC5-115-10. Definitions.

The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise:

"Commissioner" means the State Health Commissioner or his the State Health Commissioner's designee.

"Data exchange" means electronically sending immunization information from an existing information system to VIIS and being able to retrieve information from VIIS.

"De-duplication" means the process in information systems that matches incoming data with existing client records and merges those identified as the same client.

"Health care entity" means any health care provider, health plan, or health care clearinghouse the same as that term is defined in § 32.1-127.1:03 of the Code of Virginia.

"Health care provider" means those entities listed in § 8.01-581.1 of the Code of Virginia, except that state-operated facilities shall also be considered health care providers for the purposes of this section. Health care provider shall also include all persons who are licensed, certified, registered, or permitted or who hold a multistate licensure privilege issued by any of the health regulatory boards within the Department of Health Professions, except persons regulated by the Board of Funeral Directors and Embalmers or the Board of Veterinary Medicine the same as that term is defined in § 32.1-127.1:03 of the Code of Virginia.

"Health plan" means an individual or group plan that provides or pays the cost of medical care and shall include any entity included in such definition as set out in 45 CFR 160.103 the same as that term is defined in § 32.1-127.1:03 of the Code of Virginia.

"Participant" means a person or organization with a VIIS account.

"Patient" means the client who is receiving health services.

"Public health emergency" means any (i) public health event caused by an act of bio-terrorism or vaccine-preventable disease outbreak or (ii) other public health event resulting from natural or human cause.

"Security role" means the level of security assigned to a participant that determines what information the individual may access in the application and what system functions may be performed.

"VDH" or "Department of Health" means the Virginia Department of Health.

"Virginia Immunization Information System" or "VIIS" means the statewide immunization registry.

"VITA" means the Virginia Information Technologies Agency.

12VAC5-115-20. Authorized participants.

A. Health care providers, including but not necessarily limited to any physician, physician assistant, nurse practitioner, registered nurse, school nurse, pharmacist, or any entity listed in the definition of "health care provider" in § 8.01-581.1 of the Code of Virginia, are authorized A health care provider in the Commonwealth who administers immunizations shall report to VIIS pursuant to § 32.1-46.01 of the Code of Virginia and this chapter. No health care provider required to report patient immunization information to VIIS pursuant to § 32.1-46.01 of the Code of Virginia shall be required to pay a fee to VDH to participate in VIIS.

B. Any A health care entity may is authorized to participate as in VIIS so long as it the health care entity is licensed or certified in Virginia to deliver or support health care services or public health, and requires immunization data to perform the health service function, and uses VIIS only for exchanging information on persons for whom it provides services support a purpose listed in § 32.1-46.01 A of the Code of Virginia.

C. Other state or regional immunization registries may exchange data with VIIS. They may share data and have access to data from VIIS by contacting the VIIS program manager and complying with the registration procedure discussed in 12VAC5-115-30.

D. VDH shall give access to VIIS under the condition that having access to immunization information is required to perform the job function of the participant. The VIIS program manager or designee shall assign the security role of the participant based on his needs and job responsibilities of the VIIS program manager or designee.

E. Access to VIIS requires only Internet access and is free to participants.

12VAC5-115-30. Registration procedures.

A. Participation in To gain access to VIIS is mandatory for any health care provider, as defined in § 32.1-127.1:03 of the Code of Virginia, in the Commonwealth that administers immunizations, an authorized participant shall complete the VIIS electronic registration process. The participant shall complete the electronic registration process every year as directed by VDH. Registration shall require the participant to ensure compliance with necessary confidentiality and security access provisions that specify security procedures to ensure that VIIS data are protected from unauthorized view and access.

B. Completed registration forms from authorized participants must be processed and approved by VDH must approve the registration before granting the participant access to the system is allowed. Registration will require the participant to assure compliance with necessary confidentiality and security access provisions that specify security procedures to ensure that VIIS data are protected from unauthorized view and access. The participant shall update and submit the forms to VDH every year.

C. Once the participant is approved, the participant shall sign a participant registration agreement with VDH. VDH will then provide shall confirm the participant completed VDH-specified training and then activate the participant in the VIIS system.

D. Qualifying A qualifying participant organizations organization shall designate an administrator for their the participant's organization. The administrator may then allow VIIS access by an employee in the administrator's organization and, in doing so, shall assume responsibility for registering that person, obtaining the most recent security forms that specify VITA or ensuring the employee is trained and has reviewed the VDH security requirements for VIIS, retaining all completed user forms, assigning the security role of the user participant, accepting legal responsibility for the employee's participant's proper use of VIIS, and terminating access to VIIS if the employee participant is noncompliant with VIIS requirements or no longer requires access.

E. Terminate organizational participation by notifying VDH in writing. All If a participant’s access is terminated, the data entered by that organization the participant shall remain in the system.

12VAC5-115-40. Patient confidentiality.

A. Access to VIIS information is authorized A participant may only under the condition that access to individual immunization information within VIIS that is required to perform the participant's job function.

B. Participants shall not No participant may conduct any activity that jeopardizes the proper function or security of VIIS, including sharing of sign-on information, allowing unauthorized view of VIIS screens, or failing to log off VIIS when leaving a workstation. They shall A participant may only use patient VIIS patient-level data only as authorized by law and this chapter for a purpose listed in § 32.1-46.01 A of the Code of Virginia and must immediately notify the patient and VDH of any breach of personal privacy or confidentiality.

C. Patients shall have the opportunity to opt-out No employer may access an employee's patient-level data in VIIS for the purpose of determining if the employee is in compliance with the employer's immunization policies.

D. A patient may opt out of VIIS by doing one of the following: 1. Contacting their health care provider to allow the viewing of their immunizations only by that provider who administered them; or 2. Contacting VDH in writing requesting to be taken out of VIIS and have their record no longer viewable completing the electronic VDH Opt-Out Form specifying the patient's opt-out preferences.

D. E. Patient immunization records shall may not be copied except for authorized use. These The copies shall may not be left where they are visible by unauthorized personnel and shall be shredded, pulped, or incinerated before disposal.

E. F. VIIS records shall be treated with the same confidentiality and privacy as any other health record. Any VDH shall immediately suspend a participant's system access privileges for inappropriate use of VIIS records shall result in immediate suspension of participant privileges and shall conduct an investigation conducted by VDH. Additional VDH may take additional actions may be taken pursuant to § 32.1-27 of the Code of Virginia. The VIIS program manager may reinstate privileges.

F. G. Nothing in this chapter alters the provision in 45 CFR Part 164 that permits covered health care entities to disclose protected health information to a public health authority without individual authorization.

12VAC5-115-50. Security.

A. After VDH gives access to a VIIS participant, a secure connection is established between his browser and VIIS. The system is password protected.

B. Participants shall ensure that employees with authorized access do not disclose their user identification code or password to anyone, have physical security and password-enabled screen savers on computers accessing VIIS, make every effort to protect VIIS screens from unauthorized view, and log off the system whenever leaving the VIIS workstation.

C. A. The VIIS system, which is maintained on a secure website, shall automatically inactivate a user session after a predetermined period of inactivity. The inactivation period is as determined by VITA security policy.

D. B. The VIIS system shall inactivate user accounts a participant’s account, denying access to the system when participants have the participant has not logged into the system after a predetermined period of time. This inactivation period is, as determined by VITA security policy. The administrator must If the participant requests reactivation of the account, VDH shall review the request and may reactivate the account, granting continued access to VIIS.

E. C. There shall be a secure encrypted connection, as determined by VITA or VDH, between VIIS and the participating organization sending or receiving data if data exchange is performed. The encryption process will be determined by VITA or VDH or both.

12VAC5-115-60. Population of VIIS.

A. The VDH Divisions Division of Immunization and Office of Vital Records shall have an agreement to populate demographic information in VIIS with birth certificate data. Death certificate data are shall be used to make the VIIS record no longer viewable. Data exchange The data shall be performed on a periodic basis, but at least monthly transmitted via electronic data exchange.

B. Each A participant shall make every effort to ensure the accuracy of all immunization and demographic information and shall include enough identifying information to allow for de-duplication of patients.

C. Data shall be reported in VIIS either by online data entry or by data exchange of files from other information systems. The participating provider or the health plan billed for the immunization shall report. Reporting shall occur within seven three days of vaccine administration for online data entry participants. For data exchange participants, reporting shall occur within seven days of receipt of the information.

D. Both demographic and immunization data shall be reported by the participant for each immunization administered.

1. Patient demographic information shall include, but is not limited to, the patient's name, and date of birth, in order to be accepted by VIIS. The following information is required, if available: gender, telephone number, email, home address, race, ethnicity, birth place, and mother's maiden name. The social security number, if provided, shall be encrypted by the application, appear as asterisks, and shall not print out on reports for that patient. The application shall allow only exact matches when the social security number is used for search purposes.

2. Patient immunization information shall include, but is not limited to, the type of immunization administered using industry standards, such as vaccine groups, Health Level 7 codes, or Current Procedural Terminology codes; date the immunization was administered; identity of the health care provider who administered the vaccine; manufacturer; trade name; lot number; and, if present, any contraindications or religious or medical exemptions.

E. Participants in data exchange shall provide an acceptable level of data quality, such as correct data fields, data accuracy, and enough information to correctly merge with existing patients. Upon initial data delivery, and periodically thereafter, VDH shall review data shall be reviewed to determine data quality and shall notify a participant if the data quality is not acceptable, including notice of any rejected records. Any The participant shall resolve a rejected records shall be resolved by the participant record in a timely way manner, not to exceed 30 days after notice from VDH. VDH may suspend system privileges and take additional action in accordance with § 32.1-27 of the Code of Virginia for any organization that a participant who knowingly submits inaccurate data or repeatedly provides an unacceptable level of data quality.

F. If insufficient information is reported to allow de-duplication of patients, VDH shall place incoming data will be placed in a pending file and must be merge the data manually merged, if appropriate. All participants shall identify a contact to work with VDH on pending files.

G. VDH shall incorporate immunization data pursuant to subsection E of § 32.1-46 E of the Code of Virginia into VIIS by data exchange from other immunization systems, patient care management billing systems, or information systems to the extent possible.

12VAC5-115-70. Release of VIIS data.

A. Specific Individual patient data shall may not be disclosed except to the extent required or permitted by state and federal law or regulations, after contacting VDH. VDH will verify the source of the request.

B. Specific patient data may be disclosed to health care entities to the extent required or permitted by state and federal law or regulations. See subsection E of § 32.1-46 and § 32.1-127.1:03 of the Code of Virginia.

C. B. Patient data shall be erased when no longer needed, when the computer IT equipment is being terminated, or in accordance with a data sharing agreement or a participant registration agreement with VDH.

D. C. Aggregate data from which personal identifying data has been removed or redacted may be released for the purposes of statistical analysis, research, or reporting only after approval by VDH.

E. Any D. VDH shall immediately suspend a participant's system access privileges for inappropriate use of VIIS data shall result in immediate suspension of user privileges and result in shall conduct an investigation conducted by VDH. Additional VDH may take additional actions may be taken in accordance with § 32.1-27 of the Code of Virginia. The VIIS program manager may reinstate privileges upon satisfactory completion of required remedial actions and guarantee of proper use of VIIS in the future.

FORMS (12VAC5-115)

Administrator Information, VIISADM (eff. 10/2012)

Electronic Data Exchange with VIIS (eff. 10/2012)

Information Systems Security Access Agreement (eff. 10/2012)

Organization Information, VIISORG (eff. 10/2012)

Memorandum of Agreement between Virginia Department of Health/Division of Immunization (VDH/DOI) and VIIS Organization Interested in Data Exchange (8/2011)

Virginia Immunization Information System (VIIS) Opt-In of VIIS (reviewed 6/2015)

Virginia Immunization Information System (VIIS) Opt-Out of VIIS (reviewed 6/2015)

VIIS Security Policy and User Confidentiality Agreement (rev. 5/2019)

VIIS User Acknowledgement Page

VIIS User Signature Page

Virginia Immunization Information System (VIIS) Opt-Out of VIIS (eff. 5/2024)