Immunization Information Systems: Overview and Current Issues

Immunization Information Systems: Overview February 1, 2022
and Current Issues
Kavya Sekar
As defined by the Centers for Disease Control and Prevention (CDC), Immunization Information
Analyst in Health Policy
Systems (IIS) are “confidential, population-based, computerized databases that record all

immunization doses administered by participating providers to persons residing within a given
geopolitical area.” This CRS report provides background on IISs, an overview of the role of IISs

in the Coronavirus Disease 2019 (COVID-19) pandemic, an overview of data and technology
challenges faced by IISs, a summary of legislative developments related to IISs, and a discussion of further selected policy
considerations.
What Are Immunization Information Systems?
There are currently 63 IISs in the United States, including in all 50 states, the District of Columbia, four localities, five
territories, and three freely associated states. IISs, commonly referred to as immunization registries, are primarily governed
by and operated under laws and policies at the state, local, territorial, and tribal (SLTT) level. IISs are typically housed in
SLTT public health departments. The federal government, primarily though the CDC (which is based in the Department of
Health and Human Services HHS), supports these systems through grant funding, by developing and promoting common IIS
standards, and other activities.
IISs enable authorized users—such as patients and providers—to access consolidated immunization history records
containing information on all vaccinations an individual has received from providers that report to the IIS. In addition, public
health agencies use aggregate IIS data to monitor and analyze immunization trends in their jurisdictions. IISs can also aid
with infectious disease outbreak response, automated vaccine reminders, vaccine supply management, and other public health
functions. States and other jurisdictions generally share aggregate de-identified IIS data (i.e., data with personal identifiers
such as names removed) with CDC for national monitoring and analysis of immunization trends. Currently, IISs and other
data systems collect data on COVID-19 vaccinations from providers, per CDC requirements.
What Challenges Do IISs Face?
Most states and other jurisdictions established their IIS programs in the 1990s and have developed their systems separately
from one another. Therefore, IISs have operated under a patchwork of different laws, regulations, and policies at the SLTT
level, and have had different functionalities and data practices. In addition, IISs operate on different technology platforms
that are, in some cases, outdated or not fully interoperable with other IISs or the health care system. Although various CDC
and Centers for Medicare & Medicaid Services programs have encouraged IIS standardization and interoperability with the
health care sector, not all IIS programs have consistently implemented changes.
During the COVID-19 pandemic, the large volume of data collection has reportedly overwhelmed the capabilities of some
IISs and exacerbated long-standing issues with their technology, staffing, and functioning. Moreover, not all IIS programs
share data across state borders, thereby limiting the ability to reconcile information about COVID-19 vaccine doses
individuals have received in different jurisdictions. States and other jurisdictions have received CDC COVID-19 grant
funding that can be used, in part, to fund IIS technology and operations. Many states and other jurisdictions have made initial
IIS improvements for pandemic response but still rely on labor-intensive and outdated technology.
Legislative Developments
In two FY2021 COVID-19 relief laws (P.L. 116-260 and P.L. 117-2), CDC received a total of $16.25 billion for efforts to
plan, promote, distribute, administer, monitor, and track COVID-19 vaccines in addition to broader public health funds that
can support vaccination efforts. A portion of this funding is designated for SLTT grants. CDC and funded jurisdictions have
used some of these funds to support IISs.
Several legislative proposals also address IISs. On November 30, 2021, the House passed the Immunization Infrastructure
Modernization Act of 2021 (H.R. 550), which would authorize the HHS Secretary to expand, enhance, and improve IISs
administered by SLTT government agencies. H.R. 550 would authorize a grant program for SLTT agencies that would fund
myriad activities to improve and standardize IIS technology and data practices. As a condition of funding receipt, the SLTT
agencies would need to comply both with new data and technology standards required by the bill to be developed by the HHS
Congressional Research Service


Immunization Information Systems: Overview and Current Issues

Secretary and with existing federal health information technology standards. If enacted, the bill would require the HHS
Secretary to develop a strategy and implementation plan, and then to report to Congress on any implementation barriers,
among other information. H.R. 550 would authorize a one-time appropriation of $400 million, available until expended.
Selected Policy Considerations
IISs and their current challenges raise several policy considerations for Congress, including the following:
 What is the long-term strategy for funding and financing IISs?
 To what degree should the federal government support SLTT IIS programs?
 To what degree should the federal government standardize or inform SLTT IIS programs?

Congressional Research Service

link to page 5 link to page 6 link to page 8 link to page 9 link to page 10 link to page 10 link to page 11 link to page 12 link to page 12 link to page 14 link to page 16 link to page 16 link to page 17 link to page 19 link to page 20 Immunization Information Systems: Overview and Current Issues

Contents
Background: Immunization Information Systems ........................................................................... 1
Brief History.............................................................................................................................. 2
Current Status of IISs ................................................................................................................ 4
Current Federal Roles ............................................................................................................... 5
Selected IIS Laws, Regulations, and Policies ........................................................................... 6
Reporting ............................................................................................................................ 6
Privacy, Confidentiality, and Security ................................................................................. 7
Data Sharing and Consent ................................................................................................... 8
IISs in the COVID-19 Vaccination Program ................................................................................... 8
IIS Data and Technology Challenges ............................................................................................ 10
Legislative Developments ............................................................................................................. 12
COVID-19 Relief Funding ...................................................................................................... 12
Immunization Infrastructure Modernization Act of 2021 (H.R. 550) ..................................... 13
Selected Policy Considerations ..................................................................................................... 15

Contacts
Author Information ........................................................................................................................ 16

Congressional Research Service


Immunization Information Systems: Overview and Current Issues

s defined by the Centers for Disease Control and Prevention (CDC), immunization
information systems (IISs) are “confidential, population-based, computerized databases
A that record all immunization doses administered by participating providers to persons
residing within a given geopolitical area.”1 These systems—based at the state, local, and
territorial level—have long recorded information on routine vaccinations, and are now being used
for information on Coronavirus Disease 2019 (COVID-19) vaccinations. This CRS report
provides background on IISs, an overview of the role of IISs during the COVID-19 pandemic, an
overview of data and technology challenges that IISs, a summary of legislative developments,
and a discussion of further selected policy considerations.
Background: Immunization Information Systems
IISs, commonly referred to as immunization registries, are primarily governed by and operated
under laws and policies at the state, local, territorial, and tribal (SLTT) level. IISs are typically
housed in SLTT public health departments. There are currently 63 IISs in the United States,
including in all 50 states, the District of Columbia (DC), four localities, five territories, and three
freely associated states.2 The federal government, primarily though the CDC, which is based in
the Department of Health and Human Services (HHS), supports these systems through grant
funding, developing and promoting common IIS standards, and other activities.
Although they can serve many public health and policy purposes, IISs share several purposes:
Enabling consolidated immunization history records. People can get recommended vaccines
in several locations—at a hospital, pediatrician’s office, school, pharmacy, or a public health
department. An IIS consolidates their immunization history in one place. Such immunization
history records, which contain identifiable patient information, are generally accessible only to
individuals with authorized access under the respective jurisdiction’s laws and policies, such as
the patient (or patient’s parents or legal guardian) or a participating health care provider.3 The
majority of jurisdictions allow certain other institutions, such as schools, to access IIS records to
determine whether an individual has met that jurisdiction’s immunization requirements.4
Enabling public health agencies to monitor and study immunizations at a population-level.
Public health agencies can use aggregate IIS data to study immunization rates across the
population, by demographic groups (e.g., age, sex/gender, or race/ethnicity groups), geographic
location, or other variables. These aggregate data can allow public health agencies to target
vaccination efforts, such as by targeting education and awareness efforts or by implementing
community-based vaccination sites. IISs share de-identified (i.e., data with all identifiers, such as

1 Centers for Disease Control and Prevention (CDC), “About Immunization Information Systems,” June 2019,
https://www.cdc.gov/vaccines/programs/iis/about.html.
2 Department of Health and Human Services (HHS), “HHS Awards Funds to Expand Immunization Information
Sharing Collaboration,” press release, January 19, 2021, https://www.hhs.gov/about/news/2021/01/19/hhs-awards-
funds-to-expand-immunization-sharing-collaboration.html and American Immunization Registry Association (AIRA),
Literature Review: An Environmental Scan on Progress, Challenges, and Opportunities: Expanding Immunization
Information Systems for Adults in the United States
, July 2020, https://repository.immregistries.org/files/resources/
60830f3e4ce88/iis_information_session_-_final.pdf.
3AIRA, “How IIS Support a Patient’s Journey,” https://repository.immregistries.org/files/resources/5caf7b197bf77/
how_iis_support_a_patient_s_journey_infographic.pdf; and CDC, “Basics of Immunization Information Systems
(IISs),” https://www.cdc.gov/vaccines/programs/iis/downloads/basics-immun-info-sys-iis-508.pdf.
4 CDC, “Use of Immunization Information Systems for Determining Compliance with State School Entry Vaccination
Requirements,” April, 2017, https://repository.immregistries.org/files/resources/59021ca544d52/
aira_2017__6c__compliance_with_school_entry_vaccination_requirements__cdc__l__shaw.pdf.
Congressional Research Service

1

Immunization Information Systems: Overview and Current Issues

names and addresses, removed) data with CDC for national trend monitoring and studies of
immunization rates.5
Enabling public health programs. Public health agencies can use IIS data in many ways. For
example, during an outbreak of a vaccine-preventable disease, such as measles, an IIS can aid
response by helping determine the immunization status of those exposed to the disease (identified
through disease investigation and contact tracing) or by identifying geographic areas with low
vaccination rates.6 IIS data can also support immunization program activities, such as
reminder/recall programs, whereby public health agencies or health care providers use the IIS to
remind individuals (by phone, text message, or mail) of an upcoming or overdue recommended
vaccine dose.7
IISs can serve a number of additional purposes, such as supporting clinical decisionmaking and
managing vaccine supplies.8 IISs can also aid with vaccine safety monitoring.9 The authorized
uses of a given IIS are generally governed by law, regulations, and policy in the respective
jurisdiction.
The use of IISs to improve immunization rates is considered a best practice in public health. For
example, the Community Preventive Services Task Force—an independent, nonfederal panel of
public health and prevention experts that makes evidence-based recommendations for public
health programs—has recommended the use of IISs as a tool to increase vaccination rates, based
on a review of over 200 studies.10
Brief History
A U.S. measles epidemic from 1989 to 1991, where half of all cases occurred among
unvaccinated preschool children, prompted concerns about whether U.S. immunization policies
and programs effectively ensured that children received recommended immunizations on time.11
Many public and private organizations subsequently started programs to improve childhood
immunization coverage. Starting in 1991, the Robert Wood Johnson Foundation (RWJF) launched
the All Kids Count program, which funded a selected group of state and local jurisdictions to plan
and implement population-based immunization registries. This effort initiated a movement to

5 CDC, “About Immunization Information Systems,” https://www.cdc.gov/vaccines/programs/iis/about.html.
6 AIRA, “Using IIS to Support an Outbreak Response,” April 14, 2020, https://repository.immregistries.org/files/
resources/5e976b84c018b/outbreak_webinar.pdf.
7 Adult and Child Consortium for Health Outcomes, University of Colorado, Conducting Centralized Reminder/Recall
Using an Immunization Information System
, 2019, https://repository.immregistries.org/files/resources/5d43264137042/
accords_centralized_reminder-recall_toolkit.pdf.
8 Lynn Gibbs Scharf, Rebecca Coyle, Kafayat Adeniyi, et al., “Current Challenges and Future Possibilities for
Immunization Information Systems,” Academic Pediatrics, vol. 21, no. 4S (May 2021); and National Vaccine Advisory
Committee, “Protecting the Public’s Health: Critical Functions of the Section 317 Immunization Program—A Report
of the National Vaccine Advisory Committee,” Public Health Reports, vol. 128 (March 2013).
9 Association of State and Territorial Health Officials (ASTHO), “Summary: ASTHO Immunization Registries
Summit,” October 2010, https://astho.org/Programs/Immunization/Immunization-Registries-Summit-Summary/.
10 Holly Groom, David Hopkins, Laura Pabst, et al., “Immunization Information Systems to Increase Vaccination
Rates: A Community Guide Systematic Review,” Public Health Management and Practice, vol. 21, no. 3 (May 2015),
pp. 227-248.
11 “The Measles Epidemic. The Problems, Barriers, and Recommendations. The National Vaccine Advisory
Committee,” Journal of the American Medical Association, vol. 11 (September 18, 1991), pp. 1547-52, and Victoria A.
Freeman and Gordon H. DeFriese, “The Challenge and Potential of Childhood Immunization Registries,” Annual
Review of Public Health
, vol. 24 (2003), pp. 227-46.
Congressional Research Service

2

Immunization Information Systems: Overview and Current Issues

establish population-based IISs in all states—driven initially by philanthropic organizations.
These population-based registries, which involved all participating providers in specific
geographic areas, contrasted with the more prevalent member-based immunization registries
operated by Healthcare Maintenance Organizations (HMO) prior to the All Kids Count effort,
which included records on individuals enrolled in the HMO.12
Increased federal support for IISs began in 1992-1993, when CDC began awarding planning
grants to develop immunization registries in every state.13 In April 1993, President Bill Clinton
submitted the Comprehensive Childhood Immunization Initiative Act, a legislative proposal that
would have, among other things, authorized a new state grant program to support immunization
registries that fed into a national system.14 Though some provisions of the original bill were
enacted in the Omnibus Budget Reconciliation Act of 1993 (P.L. 103-66), the immunization
registry-related provisions were not.15 Still, with increases in CDC’s general immunization
cooperative agreement funding, many of the 64 jurisdictional grantees (see the text box below)
began to use the federal immunization grant funding in the 1990s to support their IISs.16 CDC
reported total allocations of $181.3 million for the development and implementation of a
nationwide network of community- and state-based immunization registries from 1993 to 2001.17
By 2005, almost all states (except New Hampshire) and the District of Columbia had an
operational population-based IIS.18 CDC immunization grant funding to support IIS programs has
continued through the George W. Bush, Obama, and Trump Administrations and to this day.19
Jurisdictions have developed their IIS programs separately from one another. This approach has
allowed IIS programs to experiment with different strategies and identify best practices. As a
result, IISs have operated under a patchwork of different laws, regulations, and policies at the
SLTT level, and have had different functionalities and data practices. In addition, IISs have
operated on different technology platforms that are, in some cases, outdated or not fully
interoperable with other IISs or the health care system.20 In the late 1990s, CDC, along with
relevant stakeholders such as RWJF, began developing recommended common functional
standards for IISs. These standards have been updated over the years and have evolved following

12 David Wood, Kristin N. Saarlas, and Moira Inkelas, “Immunization Registries in the United States: Implications for
the Practice of Public Health in a Changing Health Care System,” Annual Review of Public Health, 1999, pp. 231-55.
13 CDC, “Initiative on Immunization Registries,” Morbidity and Mortality Weekly Report, vol. 50, no. RR17 (October
5, 2001); and Public Health Informatics Institute (PHII), Funding: The Pursuit of Sustainability for IIS, July 2021,
https://phii.org/wp-content/uploads/2021/07/iis_history_spotlight-_funding.pdf.
14 Chester A. Robinson, Stephen J. Sepe, and Kimi F.Y. Lin, “The President’s Child Immunization Initiative: A
Summary of the Problem and the Response,” Public Health Report, vol. 108, no. 4 (July 1993), pp. 419-425; and H.R.
1640 and S. 732 - Comprehensive Child Immunization Act of 1993 as introduced April 1, 1993, 103rd Congress.
15 See Sections 13421 and 13422 in Title XIII of the Omnibus Budget Reconciliation Act of 1993, P.L. 103-66.
16 Chester A. Robinson, Willard B. Evans, Joan Atchinson Mahanes, et al., “Progress on the Childhood Immunization
Initiative,” Public Health Reports, vol. 109, no. 5 (September 1994), and Victoria A. Freeman and Gordon H. DeFriese,
“The Challenge and Potential of Childhood Immunization Registries.”
17 CDC, “Initiative on Immunization Registries.”
18 See progress reports on CDC, “MMWR Articles on Annual Report Data,” October 28, 2013, https://www.cdc.gov/
vaccines/programs/iis/annual-report-iisar/mmwr.html and National Vaccine Advisory Committee, Immunization
Information Systems: NVAC Progress Report
, February 2007, https://www.hhs.gov/sites/default/files/nvpo/nvac/
reports/nvaciisreport20070911.pdf.
19 For an overview of efforts funded in a given fiscal year, see the Immunization and Respiratory Diseases sections of
CDC’s Congressional Budget Justifications available at https://www.cdc.gov/budget/congressional-justifications/
index.html.
20 PHII, Balancing Autonomy and Collaboration: The Evolution of IIS Standards, December 2018, https://phii.org/
sites/default/files/iis_s_history_spotlight-_autonomy_and_community.pdf.
Congressional Research Service

3

link to page 12 Immunization Information Systems: Overview and Current Issues

major health information technology (HIT) reform pursuant to the Health Information
Technology for Economic and Clinical Health Act (HITECH) enacted in 2009.21 Standards
development efforts have generally focused on issues such as data quality and sharing, privacy
and confidentiality, clinical decision support, and immunization program operations.22 In
addition, the federal government has over the years undertaken a number of strategies, policies,
and programs related to IISs—such as efforts aimed at improving data quality or informing
programmatic uses.23
CDC’s Immunization and Vaccines for Children Cooperative Agreement
CDC’s Immunization and Vaccines for Children Cooperative Agreement program (hereinafter “Immunization
Cooperative Agreement”), which dates back to the Vaccine Assistance Act enacted in 1962, awards annual
cooperative agreements (a type of grant) to 64 awardees that include all 50 states, the District of Columbia, five
large cities, five U.S. territories, and three freely associated states. These grants support the infrastructure for
immunization programs, including by supporting public health vaccination clinics; education and awareness; vaccine
storage and delivery systems; data systems (including IISs); and provider outreach and training, among other uses
of funds. Awardees have some flexibility to expend funds based on their priorities; therefore, the amount of
annual grant funding that goes toward IIS-related activities varies by jurisdiction.
These grants fund all 63 IIS programs, though the IIS jurisdictions differ from the Immunization Cooperative
Agreement awardee jurisdictions. Sixty-one of the 64 awardees operate IISs for their jurisdictions; two localities
(San Diego and San Joaquin County) that operate IISs receive pass-through funding from their state. Three cities
(Chicago, Houston, and San Antonio) that receive Immunization Cooperative Agreements participate in their
states’ IIS programs.
The program is funded by (1) annual appropriations in the Labor, HHS, Education, and Related Agencies
Appropriations Act as authorized by PHSA Section 317 (42 U.S.C. §247b) and (2) a portion of mandatory funding
from the Vaccines for Children (VFC) program under Social Security Act Section 1928 (42 U.S.C. §1396s). VFC is
a CDC-administered and Medicaid-financed program that provides vaccines at no cost to eligible children. The
Immunization Cooperative Agreement comprises both the portion of VFC funds for program operations and
infrastructure combined with the annual grant funding pursuant to PHSA Section 317. Base annual funding levels
for each jurisdiction are determined by a population-based formula.
See “Protecting the Public’s Health: Critical Functions of the Section 317 Immunization Program—A Report of the
National Vaccine Advisory Committee,” Public Health Reports, vol. 128 (March 2013).
For the latest cooperative agreement guidance, see CDC, “Immunization and Vaccines for Children,” CDC-RFA-
IP19-1901, https://www.grants.gov/web/grants/view-opportunity.html?oppId=309317.
Current Status of IISs
IISs were originally developed for childhood immunizations; however, in many jurisdictions IIS
programs have expanded to include adolescent and adult immunizations. IISs are also being used
to record COVID-19 vaccination data (see the “IISs in the COVID-19 Vaccination Program”
section of this report). According to a CDC survey of IISs, the percentage of the population
represented in IISs at the national level (excluding territories) in 2020 by age group were24

21 The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the
American Recovery and Reinvestment Act of 2009 (P.L. 111-5) on February 17, 2009.
22 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
23 See, for example, CDC, “Initiative on Immunization Registries”; National Vaccine Advisory Committee,
“Evaluation of the 2010 National Vaccine Plan Mid-course Review: Recommendations From the National Vaccine
Advisory Committee: Approved by the National Vaccine Advisory Committee on February 7, 2017,” Public Health
Reports
, vol. 132, no. 4 (July 2017); and The Office of the National Coordinator for Health Information Technology
(ONC), Summary of the Public Health Immunization Data and Consumer Access Pilot Projects, September 2018,
https://www.healthit.gov/sites/default/files/page/2018-09/IISCongressionalReport.pdf.
24 CDC, “2020 IISAR Data Participation Rates,” https://www.cdc.gov/vaccines/programs/iis/annual-report-iisar/2020-
Congressional Research Service

4

link to page 6 Immunization Information Systems: Overview and Current Issues

 94% of children under the age of six with two or more immunizations recorded;
 84% of adolescents aged 11-17 with two or more adolescent immunizations
recorded; and
 68% of adults aged 18 or older with one or more adult immunization recorded.
Many IISs currently link automatically to jurisdictions’ birth records to establish and create a
consolidated immunization history record in the IIS for individuals born in that jurisdiction.’25
Current Federal Roles
In the years preceding the COVID-19 pandemic, the federal government supported IISs in the
following key ways:
Funding. Jurisdictions receive federal funds, such as through CDC’s Immunization Cooperative
Agreement (see the text box above) and other grants, to support the development and operation
of their IISs.26 According to the most recent CDC five-year cooperative agreement guidance
starting in 2019, all jurisdictions have received an annual base award to support general
immunization activities. Jurisdictions are directed to use these funds to implement CDC IIS
Functional Standards (see below) and evaluate IIS performance, among other activities. Some
jurisdictions have received additional funding under the cooperative agreement to support
specific IIS projects.27 Less than 50% of jurisdictions use local or state funding for IIS
maintenance, operations, and enhancements, according to the American Immunization Registry
Association (AIRA).28
Standards development and promotion. CDC has played a key role in developing operational
and technical standards for IISs (see the “Brief History” section of this report). The Immunization
Information System (IIS) Functional Standards
(version 4.1, 2019), identify key IIS functions,
operations, and practices to ensure consistency and quality across jurisdictions.29 The CDC
immunization cooperative agreement guidance directs grantees to conduct activities that meet the
functional standards, but it does not require them to meet all the standards as a condition of
funding.30 In addition, CDC helps develop and disseminate best practices for specific IIS
operations and functions.31

data.html.
25 Daniel W. Martin, Elaine N. Lowery, Bill Brand, et al., “Immunization Information Systems: A Decade of Progress
in Law and Policy,” Public Health Management and Practice, vol. 21, no. 3 (May 2015); and CDC, “Immunization
Information System (IIS) Functional Standards, v4.1,” https://www.cdc.gov/vaccines/programs/iis/functional-
standards/func-stds-v4-1.html.
26 For a list of current funding sources, see National Academy for State Health Policy, Fact Sheet: Using New and
Existing Federal Funds to Modernize Immunization Information Systems
, November 22, 2021, https://www.nashp.org/
using-new-and-existing-federal-funds-to-modernize-immunization-information-systems/#toggle-id-3.
27 See CDC, “Immunization and Vaccines for Children,” CDC-RFA-IP19-1901, https://www.grants.gov/web/grants/
view-opportunity.html?oppId=309317.
28 AIRA, Immunization Information System (IIS): Information Session, April 15, 2021,
https://repository.immregistries.org/files/resources/60830f3e4ce88/iis_information_session_-_final.pdf.
29 CDC, “Immunization Information System (IIS) Functional Standards, v4.1,” https://www.cdc.gov/vaccines/
programs/iis/functional-standards/func-stds-v4-1.html; and Lynn Gibbs Scharf et al., “Current Challenges and Future
Possibilities for Immunization Information Systems.”
30 CDC, “Immunization and Vaccines for Children,” CDC-RFA-IP19-1901.
31 See, for example, CDC, “MIROW: Modeling of Immunization Registry Operations Workgroup,” June 7, 2019,
https://www.cdc.gov/vaccines/programs/iis/activities/mirow.html.
Congressional Research Service

5

Immunization Information Systems: Overview and Current Issues

Health IT and electronic health record (EHR)-related efforts. Following enactment of the
HITECH Act, several Centers for Medicare & Medicaid Services (CMS) programs have
incentivized health care providers and states to adopt EHR systems and IISs that enable
interoperability (i.e., automated and secure electronic data sharing) between IISs and health care
providers.32 In addition, CDC, with the Office of the National Coordinator for Health Information
Technology (ONC) and other HHS operating divisions, has sought, through various efforts, to
improve interoperability between IISs in different jurisdictions and with health care providers. IIS
program participation is voluntary.33
CDC can receive de-identified, aggregate data from IISs and use that information to analyze and
study national immunization trends. CDC also regularly surveys and evaluates the IISs.34 In
addition, various CDC and National Vaccine Program Office efforts have set overall strategies
and goals related to IISs.35
Selected IIS Laws, Regulations, and Policies
This section provides an overview of selected characteristics of SLTT IIS laws, regulations, and
policies, as well as certain federal laws, regulations, and policies that affect IISs. Laws and
policies regarding IISs vary widely across jurisdictions and change over time. Moreover,
jurisdictions can change IIS data reporting and sharing requirements under emergency authorities
and declarations.36
Reporting
All jurisdictions that operate IISs have laws, regulations, and policies regarding which
immunizations must be reported by providers to the respective IIS and what data are to be
reported for each of these immunizations. Jurisdiction-level reporting requirements differ in many
ways, including37
 whether reporting is mandatory or encouraged;
 which types of providers must report;
 whether vaccinations administered to only certain age groups (e.g., children,
adults) must be reported; and

32 For an overview of related efforts see “Data Modernization-Background” section in CRS Report R46588, Tracking
COVID-19: U.S. Public Health Surveillance and Data
. See also ASTHO, Medicaid 75/25 Funding Fact Sheet for
Immunization Information Systems
, 2018, https://www.astho.org/Immunization/Documents/Medicaid-75-25-Funding-
Fact-Sheet-for-Immunization-Information-Systems/.
33 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
34 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
35 See, for example, CDC, “2018-2020 Immunization Information System (IIS) Strategic Plan,” https://www.cdc.gov/
vaccines/programs/iis/strategic-plan/iis-2018-2020.html; and National Vaccine Program Office (NVPO), “Vaccines,
National Strategic Plan for the United States, 2021-2025,” https://www.hhs.gov/sites/default/files/HHS-Vaccines-
Report.pdf.
36 The Network for Public Health Law, Legal Issues Related to Cross-Jurisdictional Sharing of State Immunization
Information System Data
, December 1, 2014, https://www.astho.org/Public-Policy/Public-Health-Law/Cross-
Jurisdictional-Sharing-IIS-Data/.
37 Daniel W. Martin, Elaine N. Lowery, Bill Brand, et al., “Immunization Information Systems: A Decade of Progress
in Law and Policy,” Public Health Management and Practice, vol. 21, no. 3 (May 2015).
Congressional Research Service

6

Immunization Information Systems: Overview and Current Issues

 whether all or only certain types of vaccines (e.g., publicly funded vaccines)
must be reported.
Furthermore, jurisdictions have different enforcement authorities and approaches for failures to
report.
Privacy, Confidentiality, and Security
A complex regime of laws, regulations, and policies at the federal, state, and local levels governs
the privacy and confidentiality of data in IISs. These privacy and confidentiality protections can
vary by IIS program and jurisdiction. Most states have health privacy laws and IIS-specific laws.
These laws generally inform which information may be collected by a given IIS program, how
the information must be stored, who may access the information, authorized uses of the
information, and how the information can be disclosed. The privacy and confidentiality
frameworks for IISs generally reflect a balance between protecting the privacy of patients’
personal health information and allowing IISs to function in ways that improve immunization
coverage.38
The primary federal regulation that governs the privacy of protected health information (PHI)—
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule39—
describes the circumstances under which HIPAA-covered entities, such as health care facilities,
are permitted to use or disclose PHI. The Privacy Rule permits covered entities to disclose,
without individual authorization, PHI to a public health authority (such as a state health
department) authorized by law to collect or receive such information for the purpose of
preventing or controlling disease.40 In addition, covered entities are permitted to disclose PHI
without individual authorization pursuant to a requirement in law.41 In some cases, the
interactions of privacy laws at different levels of government and their application to different
entities can create confusion and affect IIS activities. For example, in some instances,
misinterpretations of the Privacy Rule have the effect of limiting the data that providers are
willing to share with IISs.42
CDC’s current functional standards direct IIS programs to “implement written and approved
confidentiality policies that protect the privacy of individuals whose data are contained in the
system,” and ensure that the IIS is “physically and digitally secured in accordance with industry
standards for protected health information, security, encryption, uptime, and disaster recovery.”43
Nonfederal organizations, such as the American Immunization Registry Association (AIRA),
publish more detailed guidance on recommended practices for ensuring IIS privacy,
confidentiality, and security.44 Currently, adherence to such standards and guidance is up to each
IIS program, though adherence is encouraged by CDC immunization cooperative agreements.

38 American Immunization Registry Association (AIRA), Confidentiality and Privacy: Considerations for
Immunization Information Systems
, September 2016.
39 45 C.F.R. Part 164, Subpart E.
40 45 C.F.R. §164.512.
41 45 C.F.R. §164.512(a).
42 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
43 CDC, “Immunization Information System (IIS) Functional Standards, v4.1.”
44 See AIRA, Confidentiality and Privacy: Considerations for Immunization Information Systems, September 2016, and
AIRA, Security Guidance: Considerations for Immunization Information Systems, June 2017,
https://repository.immregistries.org/files/resources/595e4e25ab1b1/aira_security_guidance_-_final_new_logo.pdf.
Congressional Research Service

7

Immunization Information Systems: Overview and Current Issues

Data Sharing and Consent
Laws, regulations, and policies at the jurisdictional level inform both how data are shared to IISs
and under what permissions, and how IISs can share data with other systems.
Consent to Share Immunization Information
Patient consent models for sharing information vary by jurisdiction. In many jurisdictions,
immunization data are shared to an IIS on the basis of implied patient consent, often with a right
to opt-out (i.e., to exclude or remove immunization information from the IIS). Some jurisdictions
do not allow for or restrict a patient’s option to opt-out. A few jurisdictions require explicit patient
consent (“opt in”) to share data.45
Data Sharing Between IISs in Different Jurisdictions
As of 2012, a portion of jurisdictions (36 of 52)46 had authority to transmit or allow access to IIS
data across state borders. For some jurisdictions (15), this authority derived from data-sharing
agreements only (rather than from statute or regulation). Of the programs surveyed at that time,
24 did not share data across state borders.
IISs in the COVID-19 Vaccination Program
The COVID-19 vaccination program is an unprecedented effort to rapidly vaccinate a large
number of eligible people across the country. As such, the program required planning by public
health agencies at different levels of government well before vaccines were authorized for use.
IISs are being leveraged to consolidate multidose COVID-19 vaccination records for specific
individuals (available only to authorized users), to remind individuals of follow-up doses, and to
monitor vaccination rates across the population using aggregate data.47 IISs played similar roles
during the 2009 H1N1 influenza pandemic.48
Starting as early as fall 2020, CDC began working with jurisdictions to prepare and improve their
IIS programs for COVID-19-related data collection, funded by COVID-19 supplemental funding
awards. COVID-19 vaccine providers are generally required to report specified data to their
respective jurisdictional IIS (see the text box below). One priority for this vaccination campaign
has been to ensure that providers that had not typically administered vaccines or reported to IISs
prior to the pandemic—such as pharmacies, long-term care facilities, and mass vaccination
sites—were trained and capable of doing so.49 Also, as part of the Trump Administration’s
Operation Warp Speed, several federal efforts through CDC and the Department of Defense

45 Daniel W. Martin, Elaine N. Lowery, Bill Brand, et al., “Immunization Information Systems: A Decade of Progress
in Law and Policy,” Public Health Management and Practice, vol. 21, no. 3 (May 2015); and Lynn Gibbs Scharf et al.,
“Current Challenges and Future Possibilities for Immunization Information Systems.”
46 The study included 49 state and three local jurisdictions. See Daniel W. Martin et al., “Immunization Information
Systems: A Decade of Progress in Law and Policy.”
47 CDC, “Section 11: COVID-19 Requirements for Immunization Information Systems or Other External Systems,”
Interim Playbook for Jurisdiction Operations, October 2021, pp. 38-41, https://www.cdc.gov/vaccines/imz-managers/
downloads/COVID-19-Vaccination-Program-Interim_Playbook.pdf.
48 Association of State and Territorial Health Officials (ASTHO), “Summary: ASTHO Immunization Registries
Summit,” October 2010, https://astho.org/Programs/Immunization/Immunization-Registries-Summit-Summary/.
49 CDC, “Preparing IISs for COVID-19 Response,” September 21, 2020, https://www.cdc.gov/vaccines/covid-19/
reporting/downloads/Master-Awardee-Work-Plan.pdf.
Congressional Research Service

8

Immunization Information Systems: Overview and Current Issues

created new data platforms and sharing systems to (1) enable new providers and mass vaccination
sites to report vaccination data; (2) facilitate data sharing between federal health care programs
(e.g., the Veterans Health Administration), providers, and IISs in different jurisdictions; and (3)
create new data analytic functionalities and tools that could aid in monitoring and analyzing
vaccination coverage.50
Some of these efforts generated controversy. In late 2020, CDC requested that jurisdictions
submit certain personally identifiable information (PII) on vaccine recipients to CDC’s data
clearinghouse (DCH; see the text box below). The PII was to be automatically secured and
encrypted. According to CDC, the identifiable data submission would allow the agency “to assess
and verify second-dose vaccination, to assess vaccine safety, and to allow for critical vaccine
effectiveness monitoring.”51 CDC and HHS generally would not have access to the PII in the
system, but they would have access to de-identified aggregate vaccination data generated from
the system.52 Several state officials questioned or criticized this data request.53 State associations,
such as National Governors Association and the Association of State and Territorial Health
Officials, questioned why the federal government needed PII.54 In addition, some states asserted
that their laws did not allow them to share PII from IISs with the federal government.55
Accordingly, CDC signed data-sharing agreements specific to each jurisdiction, many of which
have limited the PII that jurisdictions share with CDC’s DCH.56
Despite efforts to prepare, improve, and invest in IISs for the COVID-19 response, the large
volume of data collected during the pandemic has reportedly overwhelmed the capabilities of
some IISs and exacerbated long-standing problems with their technology, staffing, and
functioning, as explained in the next section.57


50 Operation Warp Speed, “From the Factory to the Front Lines: The Operation Warp Speed Strategy for Distributing a
COVID-19 Vaccine,” https://www.hhs.gov/sites/default/files/strategy-for-distributing-covid-19-vaccine.pdf, and
information provided by CDC to CRS in December, 2020. For an overview of the data systems developed, see CRS
Insight IN11584, Tracking COVID-19 Vaccines: U.S. Data Systems and Related Issues.
51 CDC, “Data Use and Sharing Agreement to Support the United States Government’s COVID-19 Emergency
Response Jurisdiction Immunization and Vaccine Administration Data Agreement,” p. 2, https://www.cdc.gov/
vaccines/covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf.
52 CDC, “Data Use and Sharing Agreement to Support the United States Government’s COVID-19 Emergency
Response Jurisdiction Immunization and Vaccine Administration Data Agreement,” https://www.cdc.gov/vaccines/
covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf.
53 Sheryl Gay Stolberg, “Some States Balk after C.D.C. Asks for Personal Data of Those Vaccinated,” The New York
Times
, December 8, 2020, https://www.nytimes.com/2020/12/08/us/politics/cdc-vaccine-data-privacy.html.
54 HHS, “Answers to National Governors Association Questions on Vaccine Distribution and Planning,”
https://www.hhs.gov/sites/default/files/national-governors-association-questions-on-vaccine-distribution-planning.pdf;
and the Association of State and Territorial Health Officials (ASTHO), “COVID-19 Immunization Data Reporting and
Technology,” February 2021, https://www.astho.org/COVID-19/Data-Reporting-and-Technology-Brief/.
55 ASTHO, “COVID-19 Immunization Data Reporting and Technology,” and Sheryl Gay Stolberg, “Some States Balk
after C.D.C. Asks for Personal Data of Those Vaccinated.”
56 CRS communication with CDC in January 2021. For versions of the data-sharing agreements obtained by nonprofit
groups under state public records laws, see Documenting COVID-19, “The CDC Data Project,”
https://documentingcovid19.io/cdc. CRS cannot verify the validity of these documents.
57 Duke Margolis Center for Health Policy, National Governors Association, and NASHP, Modernizing Immunization
Information Systems: Priorities and Considerations for Governors
, September 2021, https://healthpolicy.duke.edu/
sites/default/files/2021-09/Modernizing%20Immunization%20Information%20Systems.pdf.
Congressional Research Service

9

Immunization Information Systems: Overview and Current Issues

COVID-19 Vaccination Reporting Requirements
Per the CDC COVID-19 Vaccination Program Provider Agreement, providers that administer COVID-19 vaccines
must document specified vaccine administration data in their medical record systems within 24 hours of
administration and use their best efforts to report vaccine administration data to the relevant system for the
jurisdiction (i.e., the IIS) as soon as practicable and no later than 72 hours after administration. (Information
current as of December 28, 2021; requirements are subject to change.) These IISs then report vaccine
administration data to CDC. Some jurisdictions have their own requirements for reporting COVID-19 vaccination
data to an IIS.
CDC encourages providers to submit data directly to the respective IIS whenever possible. However, in some
instances, providers such as national retail pharmacies (e.g., CVS) submit data to CDC’s Immunization Data
Clearinghouse (DCH), which encrypts and preserves the privacy of submitted data to enable a secure data
exchange between IISs and providers. (CDC and HHS generally do not have access to PII in the system.) For such
multistate organizations, submitting to one system can be easier than establishing many connections with each
jurisdictional IIS.
IIS Data and Technology Challenges
Given that many IISs were established in the 1990s, some IISs still rely on legacy software and
technology. In addition, because these systems are jurisdiction-based, their technology varies and
they are not based on any one platform.58 No policy is in place to require that IISs programs
adhere to common technical or operational standards, though CDC encourages IIS programs to
meet its functional standards. States and other jurisdictions have implemented different functional
standards according to their priorities, and many IISs have not achieved all of CDC’s functional
standards.59 This may have contributed to the following data and technology challenges,
reportedly exacerbated during the COVID-19 pandemic:
Technology. Because IISs have been developed separately at the jurisdictional level, different
systems rely on different technology and staffing, with different functionalities and scalability.
Not all IISs use up-to-date IT standards to ensure secure and scalable data sharing and storage.60
One 2019 analysis found that a quarter of all IISs were out-of-date and in need of major changes
to meet current IT standards. The analysis also found that the other IISs would face increased
costs in ensuing years associated with ongoing IT modernization. The analysis noted increasing
costs associated with servers, technical support, user onboarding, quality control, and
compensation for skilled software developers.61
Connections with health care providers. As noted, many health departments worked to enroll
new providers to report to their respective IIS as a part of the COVID-19 vaccination program.
Prior to the pandemic, not all vaccine providers were connected to their respective IIS and

58 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.” and
PHII, “IIS Technology Over Time: Impact and Changing Role,” https://phii.org/wp-content/uploads/2021/07/
iis_history_spotlight-_technology.pdf
59 Duke Margolis Center for Health Policy, National Governors Association, and NASHP, Modernizing Immunization
Information Systems: Priorities and Considerations for Governors
, September 2021, https://healthpolicy.duke.edu/
sites/default/files/2021-09/Modernizing%20Immunization%20Information%20Systems.pdf.
60 PHII, “IIS Technology Over Time: Impact and Changing Role,” https://phii.org/wp-content/uploads/2021/07/
iis_history_spotlight-_technology.pdf; CDC, “COVID-19 Vaccine IT Overview,” https://www.cdc.gov/vaccines/covid-
19/reporting/overview/IT-systems.html; and Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for
Immunization Information Systems.”
61 Michael Popovich, Todd Watkins, and Belinda Baker, “A Model for Sustaining and Investing in Immunization
Information Systems,” Online Journal of Public Health Informatics, vol. 11, no. 2 (September 19, 2019).
Congressional Research Service

10

Immunization Information Systems: Overview and Current Issues

reporting requirements were not consistently enforced.62 In some cases, providers relied on
manual paper-based or online forms to report to their IIS—adding an administrative burden.63 In
recent years, with CMS programs that support health IT interoperability efforts and incentives,
much of the IIS reporting has been automated through electronic health records (EHRs), though
not all.64 Connections between IISs and EHRs also have not been uniformly “bidirectional,”
meaning that health care providers cannot always readily access complete and accurate records
for their patients in their EHR system.65
Data sharing between jurisdictions and federal health care providers (e.g., Veterans Health
Administration, VA). Because people may get vaccinated in more than one state, the IIS record
on one person in any one state may be incomplete. The COVID-19 pandemic has highlighted this
issue, as it has proven difficult in some instances to consolidate and reconcile information on
doses received in different jurisdictions. (This issue may have contributed to discrepancies in
CDC national vaccine data reported in December 2021.)66 Challenges with sharing IIS data across
state lines was an issue before the pandemic. For example, a 2015 measles outbreak in California,
linked to exposures at Disneyland, involved over 100 cases in 14 different states, challenging
health departments and health care providers in determining the immunization status of all
potentially exposed and infected individuals. Following this incident, the National Vaccine
Advisory Committee recommended that HHS address technical and legal barriers to
interjurisdictional data exchange.67
IIS data sharing with federal health care systems, such as with VA and Department of Defense
(DOD) facilities, has also been an issue. Although HHS has sought to facilitate interjurisdictional
data exchange in recent years, not all IIS programs have participated in these efforts, especially
prior to the pandemic.68 (These efforts have focused on facilitating data exchange between
different jurisdictions, and between jurisdictions and federal or multistate health care providers,
but not with CDC or HHS. For example, the cross-jurisdictional data-sharing system, the IZ
Gateway, is housed on a nonfederal platform).69
Data quality and completeness. Even when IISs collect data, the immunization history and other
information collected for an individual may not be complete or may contain errors that affect data

62 Lynn Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
63 Rebecca Cooper, Ariella Levinsohn, and Jill Rosenthal, “States Race to Create COVID-19 Vaccination Distribution
Plans” National Academy for State Health Policy, October 12, 2021, https://www.nashp.org/states-race-to-create-
covid-19-vaccination-distribution-plans/.
64 PHII, “IIS Technology Over Time: Impact and Changing Role,” https://phii.org/wp-content/uploads/2021/07/
iis_history_spotlight-_technology.pdf.
65 AIRA, “EHR and IIS: Their Differences and How They Work Together,” https://repository.immregistries.org/files/
resources/5caf7b197bf77/ehr_and_iis_infographic-0.pdf, and Lynn Gibbs Scharf et al., “Current Challenges and Future
Possibilities for Immunization Information Systems.”
66 Cecelia Smith-Schoenwalder and Sharon Lurye, “Uneven Reporting Raises Doubts About CDC Vaccination
Numbers,” U.S. News and World Report, December 21, 2021, and CDC, “Reporting COVID-19 Vaccinations in the
United States,” https://www.cdc.gov/coronavirus/2019-ncov/vaccines/reporting-vaccinations.html.
67 National Vaccine Advisory Committee, “NVAC Statement of Support Regarding Efforts to Better Implement IIS-to-
IIS Data Exchange Across Jurisdictions,” vol. 130, no. 4 (July 2015), pp. 332-335.
68 HHS Office of the Chief Technology Officer (CTO), “The Immunization Gateway,” August 11, 2020,
https://repository.immregistries.org/files/resources/5f3478b27ffc4/iz_gateway_aira_august_2020_final.pdf; and Lynn
Gibbs Scharf et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
69 CDC, “Immunization Gateway Overview,” https://www.cdc.gov/vaccines/covid-19/reporting/iz-gateway/
overview.html.
Congressional Research Service

11

Immunization Information Systems: Overview and Current Issues

quality.70 In addition, not all IIS programs collect or report the same data elements. For example,
during the COVID-19 pandemic, not all states have collected data about the race/ethnicity of
vaccine recipients or shared such data with CDC. Some stakeholders have argued that this data
limitation has affected the ability to understand disparities and equity in vaccination at a national
level.71
Legislative Developments
Although several enacted laws have mentioned IISs, no enacted federal legislation has focused
specifically on IISs.72 CDC and other HHS operating divisions have conducted activities related
to IISs under general public health authorities, primarily in the Public Health Service Act
(PHSA)—the compilation of statutes that authorize many of the activities of the U.S. Public
Health Service Agencies in HHS (of which CDC is a component).73
There have been several legislative developments related to IISs in recent years. Several
appropriations in the COVID-19 relief laws can support IIS activities of CDC and SLTT agencies,
as summarized below.
In the 117th Congress, there are many bills related to IISs and vaccination data more generally.74
Some bills seek to improve data collection and sharing or otherwise strengthen IISs, such as the
COVID-19 Delivery Act (H.R. 330/H.R. 936), Section 104 of the Cures 2.0 Act (H.R. 6000), and
the Health STATISTICS Act of 2021 (H.R. 831). Other proposals seek to limit the collection and
use of identifiable vaccination data and strengthen related federal privacy protections, such as
H.R. 449 and the No Vaccine Passports for Americans Act (H.R. 3868 and S. 1932, similar to
H.R. 2384). The section below provides more information on the Immunization Infrastructure
Modernization Act of 2021 (H.R. 550)—an IIS-related bill that passed the House on November
30, 2021.
COVID-19 Relief Funding
Several COVID-19 appropriations can support COVID-19 vaccination program efforts, including
IIS-related activities. Earlier in the pandemic, before vaccines were available, CDC had received
broad supplemental appropriations for its pandemic-related activities in March 2020 and used

70 Rebecca L. Weintraub, Laura Subramanian, Ami Karlage, et al., “COVID-19 Vaccine To Vaccination: Why Leaders
Must Invest In Delivery Strategies Now,” Health Affairs, vol. 40, no. 1 (November 19, 2020), and Lynn Gibbs Scharf
et al., “Current Challenges and Future Possibilities for Immunization Information Systems.”
71 Caitlin Antonios, Mohar Chaterjee, Georgia Gee, et al., “Why Some States Won’t Share Race and Ethnicity Data on
Vaccinations with the CDC—and Why That’s a Problem,” The COVID Tracking Project, February 16, 2021.
72 Specifically, the Patient Protection and Affordable Care Act (P.L. 111-148, as amended) in Section 4204 amended
PHSA Section 317 to authorize a demonstration program for grants to states to improve immunization coverage;
supporting IISs is mentioned as a possible use of the funds. In addition, the Pandemic and All-Hazards Preparedness
and Advancing Innovation Act of 2019 (P.L. 116-22) amended PHSA Section 319D, the authorization for CDC/HHS’s
integrated biosurveillance network, to add “immunization information systems” as among the systems to be included in
the network.
73 42 U.S.C. §201 et seq.
74 In a related development, The National Defense Authorization Act for Fiscal Year 2022 (P.L. 117-81) authorized a
DOD system for tracking and recording information on vaccines administered by DOD health providers in Section 716.
See CRS Insight IN11842, FY2022 NDAA: COVID-19 Vaccination-related Provisions.
Congressional Research Service

12

Immunization Information Systems: Overview and Current Issues

some of this funding for vaccination program grants and planning. Since then, CDC has received
several appropriations specifically for vaccine-related activities.75
For efforts to “plan, promote, distribute, administer, monitor, and track COVID-19 vaccines,”
CDC received a total of $16.25 billion in FY2021, including $8.75 billion in the Coronavirus
Response and Relief Supplemental Appropriations Act, 2021 (CRRSA), enacted in December,
2020 (P.L. 116-260, Division M), available until September 30, 2024, and $7.5 billion in the
American Rescue Plan Act (ARPA; P.L. 117-2), Section 2301, enacted in March 2021, available
until expended. ARPA Section 2301 specifies that CDC must use funds to support SLTT agencies,
including for “information technology, standards-based data, and reporting enhancements,
including improvements necessary to support standards-based sharing of data related to vaccine
distribution and vaccinations and systems that enhance vaccine safety, effectiveness, and uptake,
particularly among underserved populations,” among other things.
Of the $8.75 billion in CRRSA, at least $4.5 billion is designated for SLTT grants (or cooperative
agreements), of which $210 million must be transferred to the Indian Health Service, and a
separate amount of not less than $300 million is designated for “high-risk and underserved
populations, including racial and ethnic minority populations and rural communities.” The ARPA
provision directs CDC to award supplemental funding to eligible awardees that received grants
under CRRSA based on a specified alternative formula.
Using these funds, CDC has awarded grants to jurisdictions that can be used to support IIS
programs and operations.76 For example, under the $3 billion CDC funding allocation in January
2021, funded by CRRSA (P.L. 116-260, Division M), activities to “use immunization information
systems to support efficient COVID-19 vaccination” are included among required activities by
the grant. Allowable IIS-related activities under the grant include to “develop and enhance health
information infrastructure and IIS upgrades to improve data quality and ensure robust reporting at
the jurisdiction and federal level,” among others.77 Additional related grants may be awarded to
jurisdictions in the future with remaining unobligated funds.78
Immunization Infrastructure Modernization Act of 2021 (H.R. 550)
The Immunization Infrastructure Modernization Act of 2021 (H.R. 550) was introduced in the
House on January 28, 2021. The bill was subsequently discussed in a House Energy and
Commerce Committee hearing on June 15, 2021; marked up and ordered to be reported during a
committee meeting on July 21, 2021; and reported to and passed by the House on November 30,
2021.79 The Senate has not considered a similar measure.

75 For an overview of public health funding in the COVID-19 relief laws, see CRS Report R46711, U.S. Public Health
Service: COVID-19 Supplemental Appropriations in the 116th Congress
, and CRS Report R46834, American Rescue
Plan Act of 2021 (P.L. 117-2): Public Health, Medical Supply Chain, Health Services, and Related Provisions
.
76 NASHP, Fact Sheet: Using New and Existing Federal Funds to Modernize Immunization Information Systems,
November 22, 2021, https://www.nashp.org/using-new-and-existing-federal-funds-to-modernize-immunization-
information-systems/#toggle-id-3.
77 CDC, “COVID-19 Vaccination Supplemental Funding: Funding for the Implementation and Expansion of the
COVID-19 Vaccination Program,” https://www.cdc.gov/vaccines/covid-19/downloads/vaccination-supplemental-
funding.pdf.
78 CRS In Focus IF11951, Domestic Funding for COVID-19 Vaccines: An Overview.
79 See “All Actions” under Congress.gov, “H.R.550 - Immunization Infrastructure Modernization Act of 2021,”
accessed December 30, 2021, at https://www.congress.gov/bill/117th-congress/house-bill/550/all-actions; and House
Energy and Commerce Committee, “Hearing on Booster Shot: Enhancing Public Health Through Vaccine Legislation,”
June 15, 2021, https://energycommerce.house.gov/committee-activity/hearings/hearing-on-booster-shot-enhancing-
Congressional Research Service

13

Immunization Information Systems: Overview and Current Issues

As passed by the House on November 30, 2021, H.R. 550 would amend PHSA Title XXVIII,
National All-Hazards Preparedness for Public Health Emergencies,80 to add a new Section 2824
to the end of Subtitle C entitled “Immunization Information System Data Modernization and
Expansion.” H.R. 550 defines an immunization information system as “a confidential,
population-based, computerized database that records immunization doses administered by any
health care provider to persons within the geographic area covered by that database.”81
The language in H.R. 550 is similar to legislation enacted in December, 2020 (P.L. 116-260,
Division BB, Title III, Section 314), that similarly authorizes an HHS grant program for public
health data modernization as PHSA Section 2823.82 In contrast to the enacted PHSA Section
2823, which addresses public health data modernization broadly, H.R. 550 focuses specifically on
modernization of IISs.
The proposed new PHSA Section 2824 would direct the HHS Secretary to83
Expand, enhance, and improve IISs administered by health departments or other SLTT
agencies and used by health care providers. Given that HHS agencies, such as CDC, already
conduct activities related to IISs under general authorities, this authorization may serve to codify
some existing activities.
Award grants or cooperative agreements to the health departments or other SLTT agencies that
administer IISs, subject to the data and technology standards below. Among other things, the
grants may be used to support IIS programs to (1) assess their technology and data infrastructure
gaps; (2) enroll and train health care providers in an IIS; (3) improve secure data collection,
exchange, maintenance, and analysis, including by improving data exchange across jurisdictions
and simplifying reporting by health care providers; (4) ensure IISs are interoperable according to
federal health IT standards; (5) support adoption of CDC functional standards and security
standards; (6) procure updated software and technology; and (7) improve IIS functionalities such
as outbreak response capabilities, clinical decision support, and vaccine supply management.
Designate data and technology standards that must be followed as a condition of receiving a
funding award. The Secretary is required to prioritize standards that are developed by consensus-
based organizations with input from the public and voluntary consensus-based standards bodies.
The Secretary is also required to support a means of independent verification of the standards. In
addition, the awardee must adhere to federal health IT standards reviewed and adopted under
PHSA Section 3004 regarding standards for health information. This requirement to adhere to
federal health IT standards may be waived if the Secretary determines that grant activities cannot
otherwise be carried out within the applicable jurisdiction.
Provide technical assistance, as well as certification and training, related to IIS information
exchange across jurisdictions and health care providers. The Secretary may use public-private
partnerships for these efforts.
Report to Congress (1) a strategy and implementation plan within 90 days of enactment and (2)
a follow-up report not later than a year after enactment. The strategy and implementation plan

public-health-through-vaccine.
80 Originally added by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-
188).
81 Subsection (f) of the proposed PHSA Section 2824 that would be established by H.R. 550.
82 P.L. 116-260, Division BB, Title III, Section 314, amended the same PHSA subtitle that H.R. 550 would, adding
PHSA Section 2823; 42 U.S.C. §300hh-33.
83 The header for 2824(a) is “Expanding CDC and Public Health Department Capabilities,” but all the provisions of
H.R. 550 are directed to the HHS Secretary and do not reference the CDC Director.
Congressional Research Service

14

Immunization Information Systems: Overview and Current Issues

must identify the measures that the Secretary intends to take to update and improve IISs
supported by CDC, and to carry out the activities supporting the expansion, enhancement, and
improvement of SLTT IISs. In developing the plan, the Secretary is required to consult with
stakeholders, such as health departments, professional medical and health associations, health
information technology experts, other health care entities, and other public or private entities, as
appropriate. For the follow-up report, the Secretary is required to describe any barriers to (1)
reporting, interoperability, and information exchange, or (2) the effective establishment of a
network to support immunization reporting and monitoring, and to make recommendations to
address such barriers. The follow-up report must also include an assessment of immunization
coverage and access to immunizations services, and any disparities and gaps in such coverage and
access for medically underserved, rural, and frontier areas.
The section also authorizes a one-time, no-year appropriation of $400 million, to remain available
until expended.
Selected Policy Considerations
In considering legislation related to IISs, Congress may consider the following policy
considerations:
What is the long term strategy for funding and financing IISs? As described above, CDC and
other HHS operating divisions fund and support IISs in many ways, especially through annual
Immunization Cooperative Agreement funding to 64 jurisdictions. Although jurisdictions can use
these grants in part to support IIS-related activities, these flexible funds may be used for other
competing priorities. One 2019 analysis found that IIS programs reported tighter federal and state
budgets, which affected their ability to fund system upgrades and maintenance.84
As noted, funded jurisdictions can use some CDC supplemental COVID-19 grants, in part, to
support IIS modernization and improvements. According to AIRA, many jurisdictions are using
COVID-19 relief funds primarily to meet immediate programmatic needs during the pandemic.85
Different COVID-19 public health grants are available for different time periods; however, much
of the relevant grant funding is available through 2024.86 Comprehensive, publicly available
information on how states and other jurisdictions are spending their CDC COVID-19 grants is
unavailable at this time. According to AIRA, IIS programs may be reluctant to spend the
temporary supplemental funding on long-term investments, such as major software and
technology upgrades, without assurance that future funding can sustain such investments.87
If the Immunization Infrastructure Modernization Act of 2021 (H.R. 550) is enacted and the
authorized grant funding is later appropriated, jurisdictions may receive additional funding for IIS
standardization and modernization under the one-time appropriation. Still, the long-term funding
challenges may remain. One of CDC’s recent IIS-related strategies is to “Sustain the IIS
Community,” which includes “diversifying mechanisms of financial support for IISs,” and

84 Michael Popovich, Todd Watkins, and Belinda Baker, “A Model for Sustaining and Investing in Immunization
Information Systems,” Online Journal of Public Health Informatics, vol. 11, no. 2 (September 19, 2019).
85 CRS communication with AIRA representatives in January 2022.
86 NASHP, Fact Sheet: Using New and Existing Federal Funds to Modernize Immunization Information Systems,
November 22, 2021, https://www.nashp.org/using-new-and-existing-federal-funds-to-modernize-immunization-
information-systems/#toggle-id-3.
87 CRS communication with AIRA representatives in January 2022.
Congressional Research Service

15

Immunization Information Systems: Overview and Current Issues

“identifying new ways to reduce costs and use existing resources effectively.”88 Congress might
consider its role in IIS sustainability. Could Congress consider dedicated annual funding for IISs?
Can Congress encourage or incentivize state or private funding for IISs?
To what degree should the federal government support SLTT IIS programs? As noted
earlier, fewer than 50% of jurisdictions have local or state funding for their IIS programs,
according to AIRA.89 Given that IISs are primarily state- and local-based, to what extent should
the federal government support these systems? Congress may consider whether grants under
existing or new program authorizations should include a matching funds requirement in which
jurisdictions invest in their own systems, and whether such a requirement could deter
participation.
To what degree should the federal government standardize or inform SLTT IIS programs?
Several legislative proposals, especially the Immunization Infrastructure Modernization Act of
2021 (H.R. 550), seek to standardize IIS programs to enable data quality and sharing. As
currently written, H.R. 550 would give the HHS Secretary discretion to determine the required
data and technology standards. If enacted, how does Congress provide oversight to ensure that the
standards meet intended policy goals?
Separately from H.R. 550, what role should Congress play in informing the policies and activities
of SLTT IIS programs? Some current legislative proposals seek to limit their ability to collect or
use identifiable data (e.g., H.R. 3868 and S. 1932). Others seek to impose requirements on SLTT
vaccination data collection and reporting (e.g., H.R. 330/H.R. 936 and S. 302). In considering any
such proposal, Congress may weigh any benefits of national requirements and standards with any
benefits of allowing SLTT governments autonomy over their own laws, policies and programs.

Author Information

Kavya Sekar

Analyst in Health Policy


88 CDC, “2018-2020 Immunization Information System (IIS) Strategic Plan,” https://www.cdc.gov/vaccines/programs/
iis/strategic-plan/iis-2018-2020.html#goal3.
89 AIRA, Immunization Information System (IIS): Information Session, April 15, 2021,
https://repository.immregistries.org/files/resources/60830f3e4ce88/iis_information_session_-_final.pdf.
Congressional Research Service

16

Immunization Information Systems: Overview and Current Issues



Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
R47024 · VERSION 1 · NEW
17