Frequently Asked Questions about CRA


What is the CRA system and what does it do?

The CRA system is an emergency preparedness and response information system. It is useful during any public health event where administered vaccine doses are tracked and pharmaceuticals and medical materials are dispensed. CRA is a flexible all-hazards system that reduces the need for development of new applications for tracking doses of vaccines, drugs, and other materials dispensed each time there is a new event requiring a public health response.


How do I get started with CRA?

If you are interested in using the CDC CRA application, the CRA team can provide you with the steps necessary to get started. For assistance, e-mail

What security measures are in place to protect the data that is submitted to CDC?

As a government agency, CDC is bound by federal law that dictates specific information security rules and processes that must be followed. To comply with these rules, CRA uses the CDC Secure Access Management Services (SAMS) portal for electronic authentication. SAMS provides secure access to applications within the CDC environment and functions as the authentication gateway to CRA as well as the other CTS applications. SAMS is the next-generation replacement for CDC’s legacy Secure Data Network (SDN) portal and does not use digital certificates.

What if I have my own system to track countermeasures dispensed; how does it relate to CDC’s CRA application?

CDC is supportive of partners using their own tracking systems. If planning to use your own system, please note that CDC may request that partners report specific data in the event of a declared public health emergency.

Top of Page


How can I use CRA to report aggregate data to CDC during a public health event where countermeasures are administered?

CRA offers three options for submitting aggregate counts to CDC:

  • OPTION 1: For project areas collecting data via an existing immunization information system (IIS), aggregate counts may be submitted via three standard data exchange formats (pipe-delimited, XML, and HL7). During a public health event where doses administered aggregate data are reported to CDC for monitoring and tracking purposes, this information will be reported via the CDC CRA system.
  • OPTION 2: For project areas collecting data manually, data may be entered directly via the CRA aggregate reporting screen by using a Web browser.
  • OPTION 3: For project areas using the CDC CRA application to collect patient-level information, selected data elements will be automatically calculated and aggregated.

Top of Page


How can I account for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) policy requirements for personal information privacy and ensure compliance?

The HIPAA privacy rule permits disclosure to public health authorities without further authorization. Covered entities are permitted to disclose Protected Health Information to public health authorities without patients’ authorization as defined at 45 C.F.R § 164.501 and as used in 45 C.F.R. § 164.512(b), Standards for Privacy of Individuality Identifiable Health Information, promulgated under HIPAA.

CRA supports collection of unidentified individual/patient information. During data entry, a unique identifier is assigned to each individual/patient record, allowing capture and retrieval of information without using identifying information. Project areas may use this feature and are not required to capture personally identifiable information (PII).

For more information, e-mail

Top of Page


Page last reviewed: December 2, 2019