Authorized Site Agreement
ALERT Immunization Information System (IIS) is a statewide registry that records vaccinations administered in Oregon. State law [ORS 433.090 to ORS 433.102] and Oregon Administrative Rules [OAR 333-049-0100 to OAR 333-049-0130] cover collection and release of information in ALERT IIS. By law, information is confidential and can only be shared with authorized users, including an individual’s health care provider, school, childcare facility, insurer, local health department, the individuals themselves or their parent if the person is a minor. Though information is confidential, the law allows providers to share this immunization information with ALERT IIS without consent. Information from ALERT IIS may not be used in any way to penalize an individual or organization.
As a condition of receiving immunization information from ALERT IIS as a provider (defined in ORS 433.090), users must agree to the following:
- Only access immunization information in ALERT IIS for individuals under their care.
- Read and abide by the ALERT IIS Confidentiality Policy.
- Abide by all security policies and procedures, including safeguarding user name(s) and password(s) against unauthorized use.
- Permit the ALERT IIS Director to monitor and audit users’ use of the system.
Each site must also designate a “SuperUser” who must agree to the following:
- Have the ability to activate users and assign standard user security within this site.
- Provide oversight to ensure that users are deactivated when no longer affiliated with this site.
- Ensure that each staff member requiring access has his or her own user name and password.
Failure to abide by this agreement may result in immediate termination, suspension or revocation of access to ALERT IIS. Misuse of ALERT IIS data will be reported to the appropriate licensing body.
ALERT Immunization Information System, Confidentiality Policy
Oregon Immunization ALERT is a statewide immunization information system. ALERT was developed to achieve complete and timely immunization of all Oregonians. A major barrier to reaching this goal is the continuing difficulty of keeping immunization records accurate and up-to-date. ALERT addresses this problem by collecting immunization information from public and private health care providers and linking individual immunization records. Even if an individual receives immunizations from more than one health care provider in Oregon, ALERT will merge the immunization information from all providers to create a complete and current record. This assists health care providers to track which immunizations are needed for individuals in their care.
II. Statement of purpose
ALERT is an immunization information system that serves the public health goal of preventing and mitigating the spread of vaccine preventable diseases in Oregon. It accomplishes this goal through providing accurate and timely immunization information for all Oregonians in order to assist providers to age-appropriately immunize patients in their care.
The success and effectiveness of ALERT in achieving its public health goal will depend on the level of participation by providers. To ensure the highest possible participation, all children will be enrolled in ALERT from birth records.
Under the ALERT law ORS 433.090-104; the purposes of ALERT are to:
- increase the immunization rates of children in Oregon in order to reach the 2010 benchmark of age-appropriately immunizing 95% of Oregon’s children;
- prevent the spread of vaccine preventable diseases;
- waive the requirement that authorized users obtain consent for release of information from, or providing information to, ALERT;
- allow authorized users to share information from the immunization record through or between immunization registries without violating confidentiality.
III. Purpose of confidentiality policy
The purpose of this policy is to address the need to provide appropriate confidentiality protection to the information in ALERT. The confidentiality of this information must be distinguished from issues of privacy. Privacy is concerned with the control individuals exert over the release of their personal information. Under ALERT’s policy, confidentiality is concerned with how the information provided to ALERT by individuals is accessed, collected, stored, used, and provided to other individuals and organizations.
In developing this confidentiality policy ALERT applied pertinent state laws, obtained comments from authorized users and other interested parties, consulted published sources on confidentiality, and applied principles of confidentiality, including the Code of Fair Information Practices.
- All terms used in this policy have the same meaning as those terms used in the state law and
administrative rules that authorize ALERT. (See attached.)
- “Authorized User” means (including, but not limited to):
- providers: including health care providers licensed to provide health care services; health care institutions; health service contractors working under the direction of the Director of ALERT; insurance carriers and the Division of Medical Assistance programs;
- parents or guardians of children under 18 years of age;
- clients 18 years of age or older;
- schools and children’s facilities;
- post-secondary education institutions;
- local health departments;
- the Oregon Department of Human Services; and
- the agents of local health departments and the Oregon Department of Human Services.
- “Confidentiality” means
- limiting the collection, access, use, storage, and release of information from authorized users to ALERT and from ALERT to authorized users in a manner that information will not be shared with non-authorized users, and
- information will only be used for the purposes permitted under the ALERT laws, rules, and policies.
- “Immunization Record” includes, but is not limited to:
- any immunization received;
- date immunization was received;
- Complication or side effect associated with immunization;
- Client’s name and date of birth.
- “Immunization tracking and recall record” includes but is not limited to:
- The client’s name;
- Address of the parent or guardian of the client;
- Telephone number;
- Insurance carrier;
- Health care provider; and
- Other information needed to send reminder cards to, place telephone calls to or personally contact the client or the parent or the guardian of a client for the purposes of informing the client, parent or guardian that the client is due or past due to receive the recommended immunizations.
Based on the ALERT law, rules, and general principles of confidentiality, the confidentiality policy for ALERT is as follows:
- Information in ALERT is confidential under Oregon law.
- Code of Fair Information Practices
The principles in the Code of Fair Information Practices will be applied to ALERT. This means:
- the existence of ALERT and its purposes will be made known to all parents;
- parents will be informed about what information is maintained in ALERT and how that information is used;
- information collected for the purposes of ALERT will not be used for other purposes without the consent of the individual or of the parent or guardian of the child (Note: additional demographic data [i.e., social security number, Medicaid number] may be collected for matching purposes only);
- parents or guardians may review records in ALERT and submit documentation to ALERT;
- ALERT will assure the reliability of the information it creates, maintains, uses, or disseminates; and
- ALERT will take reasonable precautions to prevent the misuse of the information it creates, maintains, uses, or disseminates.
- Authorized users
- Only authorized users of ALERT may provide information to or receive information from ALERT.
- Information from the immunization record may only be shared among authorized users.
- According to ORS 433.090-104, information from the immunization tracking and recall record may only be used by authorized users to contact individuals (or parents of minor children) for the purposes of informing the individual (or parent or guardian) that he/she is due or past due to receive recommended immunizations. This information may be accessible for entry and updates via the ALERT user interface for providers and their clinic staff to ensure accurate data capture; however, use of this information is restricted to the purposes outlined in statute. Information from the immunization and tracking record will not appear on any reports outside of reminder/recall.
- No information from ALERT will be made available to any party, who is not an authorized user, except as provided in Section X (Research using ALERT data).
- All authorized users are required to sign a confidentiality agreement as provided by the Director. The Director shall determine the time period that each agreement is in effect. Upon signing a Confidentiality Agreement every authorized user shall receive a copy of this confidentiality policy and a copy of the policy whenever it is updated.
- All authorized users may receive information from ALERT upon authorization by the Director.
- No information from ALERT may be provided to any other party, including law enforcement or the Immigration and Naturalization Service, except as required by law.
- The Director will maintain an audit trail for all information received from or released from ALERT.
- The Director shall seek appropriate penalties for any misuse of information in ALERT by any authorized user or any other party, including federal civil penalties as defined in HIPAA rules (Federal Register/Vol. 68, No. 74/Thursday April 17, 2003/Rules and Regulations).
- Any paper copy of information from ALERT will be shredded before disposal. Information from ALERT that identifies individual providers will not be used for quality improvement or external reporting without the prior consent of the providers.
- When information is disclosed from ALERT, or from one authorized user to another authorized user, the information will include a notice that:
- The information disclosed is from a confidential record and is protected by state law;
- any further disclosure of the information in an identifiable form may be prohibited without the written informed consent of the person who is the subject of the information or as permitted under law; and
- unauthorized disclosure of the information may result in penalties.
VI. Training of ALERT staff
The Director shall provide training to all Immunization Program staff, providers, and other authorized users regarding appropriate confidentiality procedures and HIPAA confidentiality procedures.
VII. Requests for information
- In the event that a representative of law enforcement requests information from ALERT on a specific individual, the requestor will be referred to the individual’s provider.
- All Subpoenas, requests for production, warrants, and court orders will immediately be referred to the Office of the Attorney General.
VIII. Data retention and disposal
ALERT records will be retained according to the recommendation from the State Archivist. Based on consultation with the State Archivist, ALERT is in compliance with Records Retention Schedule 99-0005 as all data is entered and maintained in electronic form for the life of the registry. Paper copies are securely stored and maintained for one year for verification and proofing purposes; thereafter, they are confidentially shredded.
IX. Voluntary Opt-Out
In any circumstance where a parent or guardian specifically requests that information on their child be removed from ALERT, the child’s record will be flagged so the parent or guardian will not receive reminders or recalls. Such a request from a parent or guardian must be in writing, and should be sent to the attention of the ALERT Director. However, under Oregon law, ALERT cannot remove the record or other information on any children from the registry.
Adults over the age of 18 may opt to have their record purged or sealed. Such a request from an individual must be in writing, and should be sent to the attention of the ALERT Director.
X. Prohibited Transfer of Data or Secondary Use of ALERT data
Authorized users are not permitted to transfer data, either in paper or electronic form, to non-authorized users. Non-authorized users include, but are not limited to, software vendors, contractors, and quality improvement organizations. Potential users should be considered non-authorized unless specifically approved in writing by the Director and the Immunization Program Manager in advance of data transfer.
XI. Research using ALERT data
- Information in ALERT is collected for the purposes noted above and may only be used for these purposes.
- The Director of ALERT must approve requests for information from ALERT for research. The research must be shown to address at least one of the purposes of ALERT. Specific uses of ALERT data include:
- Aggregate data may be used within the Oregon State Public Health Division and shared with authorized users for public health purposes. Examples include: identify under-immunized populations, track interventions to improve immunization rates, and monitor the implementation of changes in the vaccine schedule in Oregon.
- Patient-identified information may be used within the Immunization Program at the specific request of providers, health plans, and authorized users to assess immunization rates and identify areas of improvement. Only names and dates of birth and immunization histories may be used for this purpose. Addresses or other patient-specific information cannot be released.
- Data may be released for research when pre-approved by the ALERT Director and by the requesting organization’s human subjects review process. Any data used for this purpose must be de-identified of names and other patient identifiers. Addresses or other patientspecific information cannot be released. Any request for information that does not directly address one of the purposes of ALERT or above conditions will be denied.
- In order to approve a request for research utilizing information in ALERT, the Director must determine that the following criteria is met:
- The request identifies one or more of the purposes for ALERT that the research will address;
- The researcher signs an agreement to maintain the confidentiality of all information from ALERT;
- In accordance with ALERT laws, and as determined by the Director, appropriate security provisions will be maintained for all information from ALERT; and
- The information cannot be obtained from any other source.
- If the Director determines that each of these criteria are met, the information may be provided to the requestor. Upon completion of any research involving information from ALERT, the researcher will immediately delete all information bases with personal identifying information.
- Any request for information from ALERT that does not satisfy the above criteria may only be provided
to the requestor in aggregate form that does not identify an individual.
- Not withstanding the above, the Director may consider other requests for research from the Oregon State Public Health Division pursuant to OAR 333-019-0005.
The Director shall seek appropriate penalties for any misuse of information in ALERT by any authorized user or any other party, including federal civil penalties under HIPAA rules (Federal Register/Vol. 68, No. 74/Thursday April 17, 2003/Rules and Regulations).
XIII. Review of confidentiality policy
- The Director shall review and revise this policy as needed, but not less than annually.
- The review of this policy must include the participation of authorized users.
- The ALERT Advisory Council must approve any changes to this policy.