WA IIS Information Sharing Agreement Exchange Of Immunization

Every age. Every vaccination.

DOH 348-576 November 2018

N22402 -

Washington State Immunization Information System

Information Sharing Agreement for

EXCHANGE OF IMMUNIZATION DATA

This agreement (“Agreement”) is between the Washington State Department of Health (“DOH”) and

__________________________________________ (“Provider/Plan”) for the exchange of immunization records.

BACKGROUND

 DOH is the public health agency that maintains the Washington State Immunization Information System

(“IIS”). IIS serves as a communications link, repository, and retrieval tool for data on the immunization

status of individuals (“immunization data”). IIS allows health care providers and health plans to exchange

immunization data with other health care providers and health plans as authorized under Chapter 70.02

RCW.

 Provider/Plan is: (check one):

[ ] A public agency, corporation, or other entity with individual shareholders, members, officers,

employees, contractors, or other personnel who are authorized under Washington law to provide health

care or public health services to individuals.

[ ] A healthcare service contractor authorized by the Washington Insurance Commissioner to sell health

insurance to, and/or administer health insurance plans in Washington State.

[ ] A school, school district, Head Start organization, and/or ECEAP grantee authorized to provide or

coordinate healthcare services for students through personnel who are authorized under Washington law

to provide such services.

[ ] An individual authorized under Washington law to provide health care services to individuals.

 Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Chapter 70.02 RCW, the uniform

health care information act require healthcare providers to keep personal health care information

confidential. Immunization records are personal health care data. Healthcare providers may disclose

immunization records to DOH under 45 Code of Federal Regulations (CFR) § 164.512(b)(1)(i) and RCW

70.02.050(2) because DOH is a public health agency authorized to collect immunization data.

 Chapter 42.48 RCW governs the release for research of confidential personal records obtained or

maintained by a Washington state agency. Individually identifiable immunization records obtained by IIS

are as such personal records. Therefore, release of IIS individually identifiable immunization data for

research is subject to the requirements of Chapter 42.48 RCW.

 Subject to the terms and conditions of this agreement, Provider/Plan and DOH may exchange

immunization records for patients cared for by Provider/Plan. The purpose of the data exchange is to

improve patient care and public health.

Page 2 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

THEREFORE, the Parties agree,

1. DEFINITIONS

“Agreement” means this Agreement.

“CDC” means the Centers for Disease Control and Prevention.

“De-identified immunization data” means any immunization data that does not identify nor provide a

reasonable or ready basis to identify an individual.

“llS Immunization Data” means demographics and immunization status of individual persons collected by

IIS regardless of whether in the form of raw data or appearing in other IIS features and functions as

described in Paragraph 7. Once an immunization record is entered into IIS, the record stored in the IIS

database is IIS Immunization Data.

“IIS patient record” means the IIS Immunization Data for an individual.

“Immunization record” means any record regardless of source documenting the status of individual

persons.

“Party” or “Parties” means either or both DOH and Provider/Plan.

“Provider-verified immunization record” means a valid record produced or verified by a health care

professional or facility documenting the immunization status of an individual. To be valid, the record

must be in writing, dated, and indicate the name of the health care provider responsible for

administering or reviewing each immunization, or a unique stamp of the provider or facility at which the

provider practices.

2. DATA TRANSMISSION

a. Provider/Plan shall transmit to DOH all immunization records for patients who obtain health care

services from Provider/Plan. Provider/Plan shall fill all IIS data fields for which Provider/Plan has

data.

b. DOH shall transmit or make available to Provider/Plan all IIS Immunization Data for patients

receiving health care services from Provider/Plan.

3. DATA FORMAT. The Parties shall exchange the immunization records using any of the following formats:

a. Current version of the CDC’s HL7 “Implementation Guide for Immunization Messaging.”

b. Web-based access, which is direct entry of data into IIS.

c. Flat file exchange through secure file transfer protocol (SFTP).

4. DATA QUALITY

a. Both Parties shall make best efforts to provide true, accurate, and complete information including

initiating entries for new patients, updating data for existing patients, and editing records that are

incorrect or inaccurate.

b. Provider/Plan shall not enter immunization records that Provider/Plan did not provide, except that

Provider/Plan may enter (1) Provider-verified immunization records and (2) a patient’s self-report of

influenza vaccine and pneumococcal polysaccharide vaccine (PPSV) as necessary to complete IIS

patient records.

c. If at any time either Party has reason to believe that the data transmitted is not true, accurate, or

complete, that Party shall promptly notify the other Party.

d. DOH does not warrant the accuracy of information DOH receives from other Providers/Plans.

e. Knowingly or intentionally providing false, materially inaccurate, or materially incomplete

immunization data is a material breach of this Agreement subject to termination for cause under

Paragraph 10.

Page 3 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

5. USE OF DATA

a. Provider/Plan may use individually identifiable IIS Immunization Data solely to assist Provider/Plan

in providing direct patient health care. This includes linking immunization to patient’s other health

care information and disclosing patient information to the patient or, as applicable, the patient’s

parent or guardian.

b. Provider/Plan shall not access any Provider/Plan employee’s IIS Immunization Data for

employment purposes without written authorization of the employee.

c. DOH may use both individually identifiable and de-identified immunization data for public health

purposes, which includes, but is not limited to, disclosing patient information to (1) the patient or,

as applicable, the patient’s parent or guardian; (2) other health care providers who need the

information for direct patient health care and have entered into an Information Sharing Agreement

with DOH; (3) a health plan if the purpose is for treatment and the health plan has entered into an

Information Sharing Agreement with DOH; and (4) research, if the release conforms to the

requirements of Chapter 42.48 RCW.

6. DISCLOSURE OF DATA

a. Provider/Plan shall not disclose in any manner any part of the IIS Immunization Data except as the

law requires or this Agreement permits.

b. Either Party may release or disclose an individual’s immunization record received from the other

Party if such release or disclosure is authorized in writing by the individual and the authorization

conforms to applicable law.

c. If Provider/Plan receives a third-party request for disclosure of IIS Immunization Data and

determines the law requires such disclosure, Provider/Plan shall notify DOH at least ten (10) days

in advance of the disclosure. DOH may seek an injunction to prevent disclosure.

7. SECURITY OF DATA

a. This Agreement shall be construed to provide maximum protection to IIS Immunization Data.

b. The obligations set forth in this Paragraph 7 shall survive completion, cancellation, expiration, or

termination of this Agreement.

c. The Parties shall strictly limit use of IIS Immunization Data to uses specified by the Agreement.

Provider/Plan shall not link IIS Immunization Data with any other information or use IIS

Immunization Data to identify or contact individuals except as authorized under this Agreement.

d. The permission to access IIS Immunization Data is limited to Provider/Plan’s principals or

employees for whom Provider/plan:

i. Authorized such access;

ii. Trained in the disclosure and security requirements under this Agreement;

iii. Maintains on file a confidentiality agreement signed by the principal or employee,

Provider/Plan may use its own confidentiality agreement but it must contain substantially

the same information as the confidentiality agreement in Attachment B; and

e. Secured a user account with IIS login and password. Provider/Plan shall specify one or more

principals or employees as IIS System Administrators using Attachment C. The System

Administrator(s) shall work with the IIS Help Desk to establish and manage user accounts for

authorized individuals in their organization. Provider/plan shall:

i. Assure that no one assigned an IIS user account shares their login ID or password with

others or allows others to access IIS using their login ID.

ii. Limit access and use of IIS Immunization Data in order that the fewest number of people

see only the smallest amount of data for the least amount of time necessary to complete

required work.

iii. Assure that all people with access to IIS Immunization Data understand their

responsibilities regarding it.

iv. Retain a copy of all confidentiality agreements specified in Paragraph 7.d.iii for at least six

(6) years following termination of this Agreement.

Page 4 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

f. Provider shall ensure that Provider’s privacy and security practices meet or exceed the standards

set by state and federal law for the security of protected health information and as commensurate

with Provider’s obligations under the law.

g. Provider/Plan shall take all steps necessary to prevent unauthorized access, use, or modifications

of IIS Immunization Data.

h. Provider/Plan shall notify DOH at DOHPrivacy[email protected]a.gov of any suspected or actual

security breach of IIS Immunization Data within two (2) business days of discovery.

8. OTHER FUNCTIONS AVAILABLE IN IIS. Plan/Provider may utilize without charge such other IIS

functions as DOH specifically authorizes Plan/Provider to utilize. Attachment A describes IIS features and

functions.

9. HOLD HARMLESS. DOH is not liable for any general, special, consequential, or other damages that may

arise or claim to arise from any use of IIS Immunization Data by Provider/Plan, its employees, contractors,

officers, agents, or affiliated persons. Provider/Plan shall indemnify and hold DOH harmless from any

claim for damages that may arise or be claimed to arise from Provider/Plan’s transmission to IIS of

immunization data that is knowingly or intentionally false, materially inaccurate, or materially incomplete.

10. PERIOD OF PERFORMANCE. The Period of Performance is 5 Years from Date of Execution unless

earlier terminated as provided by this Agreement.

11. TERMINATION.

a. Either Party may terminate this Agreement effective as of the end of any calendar quarter,

provided the terminating Party gives written notice of termination to the other Party at least 30 days

before the end of the quarter.

b. Either Party may terminate this Agreement for cause after the other Party has failed to cure a

material breach, provided the terminating Party gives the other Party written notice of breach and

provides at least 14 days for the other Party to cure the breach.

12. SAVINGS. If funding from state, federal, or other sources is withdrawn, reduced, or limited in any way

during the Period of Performance, DOH may, in whole or in part, suspend or terminate the Agreement,

upon immediate notice, subject to renegotiation at DOH’s discretion under the new funding limitations or

conditions.

13. AMENDMENT. The Parties may amend this Agreement by mutual agreement. Such amendments are

not binding unless in writing and signed by the persons authorized to bind each of the Parties.

14. APPLICABLE LAW AND VENUE. This Agreement is governed by the laws of the State of Washington.

Venue is in the Superior Court of Thurston County.

15. CONTACT INFORMATION. The following persons are the contact for all communications about this

Agreement.

Provider/Plan:

Contact Person and Title:

Organization:

Mailing Address:

City/State/Zip:

Phone: Fax: E-mail:

Page 5 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

DOH:

Mail to:

Washington State Department of Health

Office of Immunization and Child Profile

PO Box 47843

Olympia, WA 98504-7905

Phone:

360-236-3595 or 1-866-397-0337

AGREED on this _______ day of _________________, 20______.

By execution of this agreement, the parties so signing acknowledge they have full power and authority to enter

into and perform this agreement on behalf of the signatory as well as the business entity referenced within the

body of the agreement.

Agency Signatory: Washington State Department of Health:

___________________________________ ___________________________________

Signature Contracts Office Authorized Signature

___________________________________ ___________________________________

Name, Title Please Print Name, Title Please Print

Provider Signatory: (The Agency’s licensed healthcare provider, school nurse, child care health consultant,

or other authorized healthcare provider, licensed in Washington State, and responsible for the operation and

management of Agency’s healthcare services.)

___________________________________

Signature

___________________________________

Name, Title Please Print

Page 6 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

ATTACHMENT A

Services Available in the IIS

DOH is solely responsible for the operation and management of IIS, which benefits patients, their care providers,

health plans, public health agencies, and other entities that are concerned with assuring the effective

immunization of Washington State’s population.

IIS is available 24 hours a day, 7 days a week, with the exception of scheduled and unexpected outages. DOH

schedules system maintenance outside of regular business hours and with prior notice if possible.

Available Functions

IIS has several role-based access levels. DOH will grant to users only those functions necessary to conduct the

user’s work. The available functions in the system include, but are not limited to, the following:

 Patient record demographic data query and update

 Patient record vaccination data query and update

 A vaccination forecast displaying vaccines due for each patient. The vaccination forecast is based on the

recommended immunization schedule published by the Centers for Disease Control and Prevention

(CDC) with the advice of the Advisory Committee on Immunization Practices. The vaccination forecast is

subject to change if/when the CDC establishes new guidelines. DOH will incorporate such changes in IIS

as soon as possible.

 Vaccine ordering by providers enrolled in the State Childhood Vaccine program

 Vaccine order status tracking

 Vaccine management and accountability including:

 Ability to complete the annual provider agreement to enroll or re-enroll in the State Childhood

Vaccine program

 Ability to complete vaccine accountability report(s) and electronically submit them to the local

health jurisdiction

 Generation of reminder/recall to contact patients due for vaccination

 Record contraindication(s) for specific vaccines for each patient with specification of the reason for the

contraindication or precaution

 Record of adverse reactions for specific vaccine for each patient

 Generation of reports including:

 Patient specific vaccination reports showing detailed vaccination history and forecast

 Detailed practice-based reports such as practice immunization coverage data, vaccines

administered data, and vaccine lot data

DOH, in its sole discretion, modify or remove available functions at any time.

Page 7 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

ATTACHMENT B

IIS Confidentiality Agreement

This attachment is provided as sample language to include in Confidentiality Agreements. You do not need to

complete and return this form with your agreement.

I understand that my employer, _________________, (insert name of Employer) has entered into an

Information Sharing Agreement with the Washington Department of Health to view and/or exchange data in the

Washington State Immunization Information System (“IIS”). My employer has made a copy of the Agreement

available to me.

I understand that I am responsible for maintaining the confidentiality of any IIS Immunization Data that I have

access to during the course of my employment. IIS Immunization Data means demographics and immunization

status of individual persons collected by IIS, regardless of whether in the form of raw data or appearing in other

IIS features and functions made available to my employer.

I will not share my unique IIS login code with anyone nor allow anyone to access IIS using my login code.

I will not at any time, nor in any manner, either directly or indirectly divulge, disclose, release, or communicate

any IIS Immunization Data to any third party unless specifically necessary to perform my assigned job duties,

required by law or authorized by the person, or parent or guardian of the person, to whom the IIS Immunization

Data applies. I recognize that maintaining confidentiality includes not discussing IIS Immunization Data outside

of the workplace. I will limit my own access to person-specific data in IIS to that which is necessary to perform

my job duties.

I understand that if I discuss, release, or otherwise disclose confidential data/information outside of the scope

of this policy through any means, I may be subject to disciplinary action, which may include termination of

employment.

Employee signature: Date:

Employee name (please print):

Received on (date): By: (supervisor’s signature):

A signed copy of this form must be on file with the Employer before employee may access IIS.

Page 8 of 8

If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).

DOH 348-576 November 2018

ATTACHMENT C

Washington State Immunization Information System

Establishing IIS System Administrator Accounts

Each organization that completes an Information Sharing Agreement must designate at least one person as a

System Administrator who can set up user accounts for each principal or employee who needs access to the

IIS. The System Administrator has a permission added to their user account which allows them to authorize or

discontinue access to the IIS for others in their organization, including: creating new user accounts, inactivating

accounts when employees leave the organization, and running reports to see all users associated with the

organization.

Primary Contact Name:

Phone:

Title:

Email Address: