Immunization Gateway Overview

The Immunization Gateway (IZ Gateway) is a portfolio of components that share a common IT infrastructure. These components support the exchange of immunization data between immunization information systems (IISs), provider organizations, and consumer applications. The IZ Gateway can streamline time- and resource-intensive data exchange onboarding. It also replaces multiple one-to-one connections with centralized routing. This document includes an overview of each component, including the requirements and benefits of participating in each one.

Acronyms

  • AIRA – American Immunization Registry Association
  • ASTHO – Association of State and Territorial Health Officials
  • APHL – Association of Public Health Laboratories
  • AWS – Amazon Web Services
  • BAA – Business Associate Agreement
  • CDC – Centers for Disease Control and Prevention
  • DUA – Data Use Agreement
  • FISMA – Federal Information Security Modernization Act
  • HIPAA – Health Insurance Portability and Accountability Act
  • HL7 – Health Level Seven International
  • IIS – Immunization Information System
  • MOU – Memorandum of Understanding
  • WSDL – Web Services Description Language

Legal Agreements

Each component of the IZ Gateway has different legal requirements for participation. Regulatory and legal changes might be necessary in some jurisdictions to use the IZ Gateway. Participating jurisdictions should begin reviewing their current agreements and these requirements now to determine what may need to be added.

Data Use Agreement – Jurisdiction IIS and APHL

  • Allows data to flow through the IZ Gateway, which is hosted by APHL
  • Addresses security, responsibilities, parties’ relationship, amendment, and incident response
  • No renewal required
  • APHL holds the signed DUAs

Interjurisdictional MOU – Jurisdiction IIS and Jurisdiction IIS

  • Public Health Interjurisdictional MOU (updated August 2019)
  • Signed among public health jurisdictions
  • Allows data exchange to occur through the IZ Gateway or an alternative mechanism with any state or jurisdiction that has signed the MOU
  • Not a federal agreement, only between signatories
  • No renewal required
  • AIRA holds the signed MOUs

Business Associate Agreement – Provider Organization and APHL

  • Recognizes that the IZ Gateway sends and receives data on behalf of the provider organization
  • Addresses disclosure and use of protected health information, security, privacy, incident response, and other clauses
  • No renewal required
  • Required by HIPAA
  • APHL holds the signed BAAs

Jurisdiction-Specific Policy Agreement(s) (e.g., provider site agreements, confidentiality agreements, etc.) – Jurisdiction IIS and Provider Organization

  • Specific to each jurisdiction
  • Signed by provider organization

CDC is determining if an additional legal agreement will be needed to allow U.S. government authorized users to access deidentified data.

Page last reviewed: December 4, 2020