If you have a disability and need this document in another format, please call 1-800-525-0127 (711-TTY relay).
DOH 348-576 November 2018
5. USE OF DATA
a. Provider/Plan may use individually identifiable IIS Immunization Data solely to assist Provider/Plan
in providing direct patient health care. This includes linking immunization to patient’s other health
care information and disclosing patient information to the patient or, as applicable, the patient’s
parent or guardian.
b. Provider/Plan shall not access any Provider/Plan employee’s IIS Immunization Data for
employment purposes without written authorization of the employee.
c. DOH may use both individually identifiable and de-identified immunization data for public health
purposes, which includes, but is not limited to, disclosing patient information to (1) the patient or,
as applicable, the patient’s parent or guardian; (2) other health care providers who need the
information for direct patient health care and have entered into an Information Sharing Agreement
with DOH; (3) a health plan if the purpose is for treatment and the health plan has entered into an
Information Sharing Agreement with DOH; and (4) research, if the release conforms to the
requirements of Chapter 42.48 RCW.
6. DISCLOSURE OF DATA
a. Provider/Plan shall not disclose in any manner any part of the IIS Immunization Data except as the
law requires or this Agreement permits.
b. Either Party may release or disclose an individual’s immunization record received from the other
Party if such release or disclosure is authorized in writing by the individual and the authorization
conforms to applicable law.
c. If Provider/Plan receives a third-party request for disclosure of IIS Immunization Data and
determines the law requires such disclosure, Provider/Plan shall notify DOH at least ten (10) days
in advance of the disclosure. DOH may seek an injunction to prevent disclosure.
7. SECURITY OF DATA
a. This Agreement shall be construed to provide maximum protection to IIS Immunization Data.
b. The obligations set forth in this Paragraph 7 shall survive completion, cancellation, expiration, or
termination of this Agreement.
c. The Parties shall strictly limit use of IIS Immunization Data to uses specified by the Agreement.
Provider/Plan shall not link IIS Immunization Data with any other information or use IIS
Immunization Data to identify or contact individuals except as authorized under this Agreement.
d. The permission to access IIS Immunization Data is limited to Provider/Plan’s principals or
employees for whom Provider/Plan:
i. Authorized such access;
ii. Trained in the disclosure and security requirements under this Agreement;
iii. Maintains on file a confidentiality agreement signed by the principal or employee.
Provider/Plan may use its own confidentiality agreement, but it must contain substantially
the same information as the confidentiality agreement in Attachment B; and
e. Secured a user account with IIS login and password. Provider/Plan shall specify one or more
principals or employees as IIS System Administrators using Attachment C. The System
Administrator(s) shall work with the IIS Help Desk to establish and manage user accounts for
authorized individuals in their organization. Provider/Plan shall:
i. Assure that no one assigned an IIS user account shares their login ID or password with
others or allows others to access IIS using their login ID.
ii. Limit access and use of IIS Immunization Data in order that the fewest number of people
see only the smallest amount of data for the least amount of time necessary to complete
required work.
iii. Assure that all people with access to IIS Immunization Data understand their
responsibilities regarding it.
iv. Retain a copy of all confidentiality agreements specified in Paragraph 7.d.iii for at least six
(6) years following termination of this Agreement.