REGULATIONS
Vol. 31 Iss. 22 - June 29, 2015

TITLE 12. HEALTH
STATE BOARD OF HEALTH
Chapter 115
Final Regulation

Title of Regulation: 12VAC5-115. Virginia Immunization Information System (adding 12VAC5-115-10 through 12VAC5-115-80).

Statutory Authority: § 32.1-46.01 of the Code of Virginia.

Effective Date: July 31, 2015.

Agency Contact: James Farrell, Department of Health, 109 Governor Street, Richmond, VA 23219, telephone (804) 864-8055, or email james.farrell@vdh.virginia.gov.

Summary:

The regulations implement the Virginia Immunization Information System (VIIS). VIIS is a voluntary, statewide immunization registry that consolidates patient immunization histories from birth to death into a complete, accurate, and definitive record that is available to Virginia's participating health care providers. The regulations (i) define who is allowed access to VIIS; (ii) specify access requirements; (iii) ensure compatibility with current state and federal guidelines in the areas of patient data confidentiality and system security; (iv) address the security features of the application; (v) define the data to be collected; (vi) state the mechanisms for populating and capturing data; (vii) define the approved use of data, the authorized recipients of data, and the procedure for obtaining the data; and (viii) address the use of VIIS in a public health emergency.

Summary of Public Comments and Agency's Response: A summary of comments made by the public and the agency's response may be obtained from the promulgating agency or viewed at the office of the Registrar of Regulations.

CHAPTER 115
VIRGINIA IMMUNIZATION INFORMATION SYSTEM

12VAC5-115-10. Definitions.

The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise:

"Commissioner" means the State Health Commissioner or his designee.

"Data exchange" means electronically sending immunization information from an existing information system to VIIS and being able to retrieve information from VIIS.

"De-duplication" means the process in information systems that matches incoming data with existing client records and merges those identified as the same client.

"Health care entity" means any health care provider, health plan, or health care clearinghouse.

"Health care provider" means those entities listed in § 8.01-581.1 of the Code of Virginia, except that state-operated facilities shall also be considered health care providers for the purposes of this section. Health care provider shall also include all persons who are licensed, certified, registered, or permitted or who hold a multistate licensure privilege issued by any of the health regulatory boards within the Department of Health Professions, except persons regulated by the Board of Funeral Directors and Embalmers or the Board of Veterinary Medicine.

"Health plan" means an individual or group plan that provides or pays the cost of medical care and shall include any entity included in such definition as set out in 45 CFR 160.103.

"Participant" means a person or organization with a VIIS account.

"Patient" means the client who is receiving health services [ or his parent or guardian ].

"Public health emergency" means any (i) public health event caused by an act of bio-terrorism or vaccine-preventable disease outbreak or (ii) other public health event resulting from natural or human cause.

"Security role" means the level of security assigned to a participant that determines what information the individual may access in the application and what system functions may be performed.

"VDH" or "Department of Health" means the [ Division of Immunization within the ] Virginia Department of Health.

"Virginia Immunization Information System" or "VIIS" means the statewide immunization registry.

"VITA" means the Virginia Information Technologies Agency.

12VAC5-115-20. Authorized participants.

A. Health care providers, including but not necessarily limited to any physician, physician assistant, nurse practitioner, registered nurse, school nurse, pharmacist, or any entity listed in the definition of "health care provider" in § 8.01-581.1 of the Code of Virginia, are authorized to participate in VIIS.

B. Any health care entity may participate as long as it is licensed or certified in Virginia to deliver or support health care services or public health, requires immunization data to perform the health service function, and uses VIIS only for exchanging information on persons for whom it provides services.

C. Other state or regional immunization registries may exchange data with VIIS. They may share data and have access to data by contacting the VIIS program manager and complying with the registration procedure discussed in 12VAC5-115-30.

D. VDH shall give access to VIIS under the condition that having access to immunization information is required to perform the job function of the participant. The VIIS program manager or designee shall assign the security role of the participant based on his needs and job responsibilities.

E. Access to VIIS requires only Internet access and is free to participants.

12VAC5-115-30. Registration procedures.

A. Participation in VIIS is voluntary.

B. Completed registration forms from authorized participants must be processed and approved by VDH before access to the system is allowed. Registration will require the participant to assure compliance with necessary confidentiality and security access provisions that specify security procedures to ensure that VIIS data are protected from unauthorized view and access. The participant shall update and submit the forms to VDH every year.

C. Once the participant is approved, [ the participant shall sign a participant registration agreement with VDH. ] VDH will [ then ] provide training and activate the participant in the VIIS system.

D. Qualifying participant organizations shall designate an administrator for their organization. The administrator may then allow VIIS access by an employee in his organization and, in doing so, shall assume responsibility for registering that person, obtaining the most recent security forms that specify VITA or VDH security requirements, retaining all completed user forms, assigning the security role of the user, accepting legal responsibility for his proper use of VIIS, and terminating access to VIIS if the employee is noncompliant with VIIS requirements or no longer requires access.

E. An administrator may terminate his organization's participation at any time by notifying VDH in writing. All data entered by that organization shall remain in the system.

12VAC5-115-40. Patient confidentiality.

A. Access to VIIS information is authorized only under the condition that access to individual immunization information is required to perform the participant's job function.

B. Participants shall not conduct any activity that jeopardizes the proper function or security of VIIS. They shall use patient data only as authorized by law and this chapter and must immediately notify the patient and VDH of any breach of personal privacy or confidentiality.

C. Patients shall have the opportunity to opt-out of VIIS by doing one of the following:

1. Contacting their [ healthcare health care ] provider to allow the viewing of their immunizations only by that provider who administered them; or

2. Contacting VDH in writing requesting to be taken out of VIIS and have their record no longer viewable.

D. Patient immunization records shall not be copied except for authorized use. These copies shall not be left where they are visible by unauthorized personnel and shall be shredded before disposal.

E. VIIS records shall be treated with the same confidentiality and privacy as any other [ patient health ] record. Any inappropriate use of VIIS records shall result in immediate suspension of participant privileges and an investigation conducted by VDH. Additional actions may be taken pursuant to § 32.1-27 of the Code of Virginia. The VIIS program manager may reinstate privileges.

F. Nothing in this chapter alters the provision in 45 CFR Part 164 that permits covered [ healthcare health care ] entities to disclose protected health information to a public health authority without individual authorization.

12VAC5-115-50. Security.

A. After VDH gives access to a VIIS participant, a secure connection is established between his browser and VIIS. The system is password protected.

B. Participants [ must shall ] ensure that employees with authorized access do not disclose their user identification code or password to anyone, have physical security and password-enabled screen savers on computers accessing VIIS, make every effort to protect VIIS screens from unauthorized view, and log off the system whenever leaving the VIIS workstation.

C. The VIIS system, which is maintained on a secure website, [ shall ] automatically inactivate a user session after a predetermined period of inactivity. The inactivation period is determined by VITA security policy.

D. The VIIS system [ inactivates shall ] inactivate user accounts, denying access to the system when participants have not logged into the system after a predetermined period of time. This inactivation period is determined by VITA security policy. The administrator must reactivate the account.

E. There shall be a secure encrypted connection between VIIS and the participating organization sending or receiving data if data exchange is performed. The encryption process will be determined by VITA or VDH or both.

12VAC5-115-60. Population of VIIS.

A. The VDH Divisions of Immunization and Vital Records have an agreement to populate demographic information in VIIS with birth certificate data. Death certificate data are used to make the VIIS record no longer viewable. Data exchange shall be performed on a periodic basis, but at least monthly.

B. Each participant shall make every effort to ensure the accuracy of all immunization and demographic information and shall include enough identifying information to allow for de-duplication of [ clients patients ].

C. Data shall be reported in VIIS either by online data entry or by data exchange of files from other information systems. The [ health care participating ] provider or the [ designated ] health plan billed for the immunization shall report. Reporting shall occur within seven days of vaccine administration for online data entry participants. For data exchange participants, reporting shall occur within seven days of receipt of the information.

D. Both demographic and immunization data shall be reported by the participant.

1. Patient demographic information shall include, but is not limited to, patient's name, date of birth, gender, telephone number, home address, birth place, and mother's maiden name. The social security number, if provided, [ is shall be ] encrypted by the application, [ appears appear ] as asterisks, and [ does shall ] not print out on reports for that [ client patient ]. The application [ allows shall allow ] only exact matches when the social security number is used for search purposes.

2. Patient immunization information shall include, but is not limited to, the type of immunization administered using industry standards such as vaccine groups, Health Level 7 codes, or Current Procedural Terminology codes; date the immunization was administered; identity of the health care provider who administered the vaccine; manufacturer; trade name; lot number; and, if present, any contraindications or religious or medical exemptions.

E. Participants in data exchange shall provide an acceptable level of data quality, such as correct data fields, data accuracy, and enough information to correctly merge with existing [ clients patients ]. Upon initial data delivery, and periodically thereafter, data shall be reviewed to determine data quality. Any rejected records shall be resolved by the participant in a timely way. VDH may suspend system privileges and [ refer to § 32.1-27 of the Code of Virginia for take ] additional action [ in accordance with § 32.1-27 of the Code of Virginia ] for any organization that submits inaccurate data.

F. If insufficient information is reported to allow de-duplication of [ clients patients ], incoming data will be placed in a pending file and must be manually merged, if appropriate. All participants shall identify a contact to work with VDH on pending files.

G. VDH shall incorporate immunization data pursuant to subsection E of § 32.1-46 of the Code of Virginia into VIIS by data exchange from other immunization systems, patient care management billing systems, or information systems to the extent possible.

12VAC5-115-70. Release of VIIS data.

A. Specific patient data shall [ not ] be disclosed [ except ] to the extent required or permitted by state and federal law or regulations, after contacting VDH [ who. VDH ] will verify the source of the request.

B. Specific patient data may be disclosed to health care entities to the extent required or permitted by state and federal law or regulations. See [ subsection E of § 32.1-46 and ] § 32.1-127.1:03 of the Code of Virginia.

C. Patient data shall be erased when no longer needed [ or due to the replacement of the computer or the resignation, retirement, or dismissal of the participant, when the computer is being terminated [ , or in accordance with a data sharing agreement or a participant registration agreement with VDH ].

D. Aggregate data from which personal identifying data has been removed or redacted may be released for the purposes of statistical analysis, research, or reporting only after approval by VDH.

E. Any inappropriate use of VIIS data shall result in immediate suspension of user privileges and result in an investigation conducted by VDH. Additional actions may be taken in accordance with § 32.1-27 of the Code of Virginia. The VIIS program manager may reinstate privileges upon satisfactory completion of required remedial actions and guarantee of proper use of VIIS in the future.

12VAC5-115-80. Data access in public health emergency.

A. [ In the event of an epidemic or an outbreak of a vaccine-preventable disease or any disease of public health significance or threat, the commissioner may access VIIS in accordance with § 32.1-40 of the Code of Virginia by contacting the Division of Immunization. ] The commissioner may [ access and ] release VIIS data in accordance with [ § §§ 32.1-40 and ] 32.1-41 of the Code of Virginia.

B. The commissioner may designate additional persons to view VIIS information during a public health emergency. VDH shall contact designated authorized users, provide instruction for those who are not current participants, and activate an account.

C. The commissioner [ , by notifying the Division of Immunization, ] may include public health emergency announcements and notices or guidelines on the main screen that may be viewed immediately by the VIIS participants.

NOTICE: The following forms used in administering the regulation were filed by the agency. The forms are not being published; however, online users of this issue of the Virginia Register of Regulations may click on the name to access a form. The forms are also available from the agency contact or may be viewed at the Office of the Registrar of Regulations, General Assembly Building, 2nd Floor, Richmond, Virginia 23219.

FORMS (12VAC5-115)

Administrator Information, VIISADM (eff. 10/12)

Electronic Data Exchange With VIIS (eff. 10/12)

Information Systems Security Access Agreement (eff. 10/12)

Organization Information, VIISORG (eff. 10/12)

VIIS Security Policy and User Confidentiality Agreement

Memorandum of Agreement between Virginia Department of Health/Division of Immunization (VDH/DOI) and VIIS Organization Interested in Data Exchange (8/11)

[ Virginia Immunization Information System (VIIS Opt Out-Opt In form)

Virginia Immunization Information System (VIIS) Opt-In of VIIS (reviewed 6/15)

Virginia Immunization Information System (VIIS) Opt-Out of VIIS (reviewed 6/15) ]

VIIS User Acknowledgement Page

VIIS User Signature Page

VA.R. Doc. No. R09-1776; Filed May 29, 2015, 11:12 a.m.