Immunization Information System (IIS) Functional Standards, v4.1
The Immunization Information System (IIS) Functional Standards describe the operations, data quality, and technology needed by IISs to support immunization programs, vaccination providers, and other immunization stakeholders. The Immunization Information Systems Support Branch (IISSB) of the Centers for Disease Control and Prevention (CDC) issued the first IIS Functional Standards in 1997 in collaboration with immunization program managers. In 2001, the National Vaccine Advisory Committee endorsed a set of IIS Functional Standards, setting the course for future development of IISs. To remain current with expanding IIS functionalities and the evolving health IT environment, IISSB and IIS stakeholders continue to collaborate to update the IIS Functional Standards as needed. The IIS Functional Standards reflect the functionality an IIS should strive to attain to fully support program and stakeholder immunization-related goals.
This document sets forth the IIS Functional Standards and Operational Guidance Statement (OGS) to guide the direction and progress of IISs over the next five years. The IIS Functional Standards and OGS help assure that all IISs attain a level of uniformity and consistency in supporting common clinical, programmatic, and public health immunization goals for both public and private stakeholders.
While the Functional Standards describe the expectations for IIS, guidance and best practices documents developed by CDC and IIS stakeholders are available to assist in implementing the standards. The IIS Functional Standards Resource Guide contains links to resources associated with the IIS Functional Standards, including IIS general resources and resources related to each Functional Standard. The resource guide is not an exhaustive list. Instead, it contains key introductory or advanced/technical resources. The resource guide also includes the American Immunization Registry Association (AIRA) Resource Repository key words to help locate additional content related to each Functional Standard in the AIRA Resource Repository.
- Regulatory Framework
All IIS functionality, policies, and operations must meet federal, state, and local laws, policies, and restrictions applicable to the jurisdiction. Although this statement will not accompany every Functional Standard or OGS in this document, the IIS Functional Standards and OGSs should always be considered in this regulatory context.
- Essential Infrastructure
During the development of version 4.1 of the IIS Functional Standards, the IIS Functional Standards workgroup identified a set of IIS functions that underpin the operation of an IIS. These functions included getting complete, accurate data into the IIS in a timely manner, assuring confidentiality and security, and providing technical support. These Functional Standards were grouped together and titled the Essential Infrastructure Functional Standards. All other Functional Standards are grouped under the immunization program goals most relevant to them. Achieving the Essential Infrastructure Functional Standards influences the ability of the IIS to be successful across all Program Goals.
- Data Quality
As an IIS matures, the importance of data quality becomes more pronounced. Data quality is the cornerstone of successfully reaching all immunization-related goals. IIS Functional Standards related to data quality are woven into the Essential Infrastructure Functional Standards and are reflected in multiple goals in this document. This underscores the importance of thinking about and applying data quality in all aspects of access and use of IIS data and functionality.
- Use of the Term IIS
Throughout this document, the term, “the IIS,” is used to represent the information system, the program, the people, and the processes associated with the systems. Each of the Functional Standards and Operational Guidance Statements in the document begins with the language, “the IIS.” The structure and usage fulfills the recommendation of the IIS Functional Standards workgroup.
The primary audiences for this document are state and local immunization program managers, IIS managers, and staff responsible for implementing and supporting IIS operations, data quality, and IIS technology. Additional audiences include staff and vendors that build and support the IIS and staff that uses the IIS for business operations.
This document organizes the IIS Functional Standards by first highlighting the Essential Infrastructure Standards, and then moving into a program goal-based framework. The document lists the IIS Functional Standards and OGS associated with each goal included in the document.
Essential Infrastructure Functional Standards
- The IIS contains complete and timely demographic and immunization data for children, adolescents, and adults residing or immunized within its jurisdiction.
1.1 The IIS establishes a record in a timely manner from sources such as vital records or birthing hospitals for each child born in its jurisdiction or that resides in its jurisdiction at the date of birth.
1.2 The IIS identifies records created from vital records.
1.3 The IIS contains a complete consolidated demographic record and vaccination history for every child, adolescent, and adult currently residing in the jurisdiction.
1.4 The IIS assures that all participating provider sites submit vaccination records and demographic information to the IIS in a timely fashion.
1.5 The IIS ensures that submitted vaccination and demographic data are processed and viewable in a timely manner.
1.6 The IIS assures the receipt, processing, and storage of demographic and vaccination data elements as endorsed by CDC.
1.7 The IIS periodically reviews the data elements endorsed by CDC and updates the IIS accordingly.
- The IIS identifies, prevents, and resolves duplicated and fragmented patient records using an automated process.
2.1 The IIS has policies, business rules, and procedures for resolving duplicate and fragmented incoming and existing patient records.
2.2 The IIS consistently identifies and resolves duplicate and fragmented patient records at the time of submission to the IIS.
2.3 The IIS consistently identifies and resolves duplicate and fragmented patient records in the IIS database on a regular basis.
2.4 The IIS evaluates its patient record deduplication processes and algorithms on a regular basis using published CDC test cases or other resources, and enhances its processes and algorithms as needed.
- The IIS identifies, prevents, and resolves duplicate vaccination events using an automated process.
3.1 The IIS has policies, business rules, and procedures for resolving duplicate and fragmented incoming and existing vaccination information.
3.2 The IIS consistently identifies and resolves duplicate and fragmented vaccination information at the time of submission to the IIS.
3.3 The IIS consistently identifies and resolves duplicate and fragmented vaccination information in the IIS database on a regular basis.
3.4 The IIS evaluates the effectiveness of its vaccination information deduplication algorithms and processes on a regular basis and enhances them as needed.
- The IIS implements written and approved confidentiality policies that protect the privacy of individuals whose data are contained in the system.
4.1 The IIS has written confidentiality policies that are reviewed and approved by the appropriate authority.
4.2 The IIS site agreements are based on the confidentiality policies and are approved by the appropriate authority.
4.3 IIS-enrolled sites must update their site agreement with the IIS regularly, based on the IIS policy.
4.4 The IIS user agreements are based on the confidentiality policies and are approved by the appropriate authority.
4.5 The IIS user must update their user agreements regularly, based on the IIS policy.
4.6 The IIS has an identified point of contact for issues related to confidentiality.
4.7 The IIS makes the IIS confidentiality policies available upon request.
- The IIS implements comprehensive account management policies consistent with industry security standards.
5.1 The IIS has a comprehensive written account management security policy (or policies) that is consistent with industry standards and reviewed and approved by the appropriate state or local authority.
5.2 The IIS requires unique log-in credentials for every IIS user who accesses the IIS through the user interface.
5.3 The IIS ensures that each authorized site or information system (e.g., health information exchange) has unique credentials for electronic data exchange.
5.4 The IIS establishes defined user roles and grants access to each individual user based on his or her role.
5.5 The IIS creates and stores audit information, including the date, time, and the IIS user or site taking the action, when individual-level data in an IIS record are created, viewed, or modified.
5.6 The IIS identifies and inactivates user and site accounts when they are no longer active or no longer authorized to access the IIS.
- The IIS is physically and digitally secured in accordance with industry standards for protected health information, security, encryption, uptime, and disaster recovery.
6.1 The IIS has a comprehensive written physical and digital security policy (or policies) that is consistent with industry standards and reviewed and approved by the appropriate state or local authority.
6.2 The IIS assures that demographic and vaccination information and authentication credentials are encrypted while in transit and at rest.
6.3 The IIS has written and implemented service-level agreements between the program, the entity providing information technology support, and other contractors as appropriate.
6.4 The IIS establishes backup and recovery plans identifying the required equipment, procedures, and the maximum allowable downtime for recovery from adverse security events and disasters.
6.5 The IIS assures data and supporting software are backed up according to written policy and schedule.
6.6 The IIS assures that the system recovery and backup processes are tested and validated regularly.
6.7 The IIS assures that the hardware and data center are physically and digitally secure.
6.8 The IIS assures that the hardware and data center have backup power.
6.9 The IIS has an identified point of contact for IIS security.
6.10 The IIS assures that employees and business associates who will be administering or accessing the IIS data or infrastructure are familiar with applicable security policies and procedures.
6.11 The IIS assures that a risk analysis is performed on a regular basis.
- The IIS supports IIS users who access and use the IIS functions and submit or access IIS data.
7.1 The IIS offers help desk support to users who submit or access IIS data or functions.
7.2 The IIS offers different types of training to meet user needs.
- The IIS exchanges data with health information systems in accordance with current interoperability standards endorsed by CDC for message content, format, and transport.
8.1 The IIS supports the Simple Object Access Protocol (SOAP) standard Interface, Web Services Definition Language (WSDL), or other transport solutions as endorsed by CDC.
8.2 The IIS receives submissions and returns acknowledgements consistent with the current CDC-endorsed HL7 Implementation Guide.
8.3 The IIS receives queries from, and sends responses to, health information systems consistent with the current CDC-endorsed HL7 Implementation Guide.
Goal One. Support health care providers in delivering age- and risk-appropriate immunization services.
- The IIS ensures and promotes user access to immunization records for clinical decision-making.
9.1 The IIS has policies and procedures for recruiting and enrolling immunization providers in the IIS.
9.2 The IIS actively engages immunization providers to recruit and enroll them in the IIS.
9.3 The IIS ensures enrolled immunization providers have access to a patient’s immunization record in the IIS at the time immunization services are delivered.
- The IIS forecasts pediatric, adolescent, and adult immunizations in a manner consistent with Advisory Committee on Immunization Practices (ACIP) recommendations.
10.1 The IIS uses Clinical Decision Support (CDS) functionality that can be updated to reflect new or revised ACIP recommendations.
10.2 The IIS displays and sends an evaluated immunization history that adheres to ACIP recommendations for each vaccination event.
10.3 The IIS displays and sends a forecast that adheres to ACIP recommendations, with status indicators for each vaccine and vaccine family.
10.4 The IIS CDS functionality is updated for the IIS in a timely fashion after new ACIP recommendations are incorporated into the CDC Clinical Decision Support for immunization (CDSi) resources published on the CDC website.
- The IIS manages patient status at the provider organization and jurisdiction levels.
11.1 The IIS maintains patient “active” or “inactive” status (PAIS) at the provider site level.
11.2 The IIS assigns patient PAIS to an individual at one or more jurisdictional levels.
11.3 The IIS user can update PAIS through the user interface or via HL7 message.
11.4 The IIS user can generate a roster of active patients from the IIS for a provider site.
11.5 The IIS assigns PAIS to a patient for a provider site based on information in the IIS.
- The IIS supports vaccine product recall activities.
12.1 The IIS creates a list of patients who received recalled vaccine.
12.2 The IIS creates a list of provider sites that received recalled vaccine.
12.3 The IIS user can generate a list of patients or provider sites that received recalled vaccine.
- The IIS supports reporting and investigation of vaccine adverse events.
13.1 The IIS has policies and procedures in place that support vaccine adverse event investigation.
13.2 The IIS provides IIS-related training, access, and support to adverse event investigators.
13.3 The IIS refers IIS users to appropriate resources for VAERS support.
Goal Two. Support the control and management of vaccine-preventable disease outbreaks.
- The IIS supports public health response during disease outbreaks.
14.1 The IIS has policies and procedures in place that support vaccine-preventable disease investigation and control.
14.2 The IIS provides training, access, and support for disease investigators.
14.3 The IIS provides access to IIS data to support vaccine-preventable disease investigation and control.
14.4 The IIS provides access to IIS data to support perinatal hepatitis B prevention efforts.
- The IIS supports immunization-related efforts in school settings.
15.1 The IIS has policies and procedures in place that support school staff access and use of IIS data to assess student compliance with school immunization requirements.
15.2 The IIS has policies and procedures in place that support the use of IIS data for state and local school reporting requirements.
15.3 The IIS has policies and procedures in place that support the use of IIS data for identifying school-aged students who are at risk during vaccine-preventable disease outbreaks.
15.4 The IIS actively engages with stakeholders to support immunization-related efforts in school settings.
- The IIS supports immunization-related efforts in childcare settings.
16.1 The IIS has policies and procedures in place that support childcare staff access and use of IIS data to assess student compliance with childcare immunization requirements.
16.2 The IIS has policies and procedures in place that support the use of IIS data for state and local childcare reporting requirements.
16.3 The IIS has policies and procedures in place that support the use of IIS data for identifying children in childcare who are at risk during vaccine-preventable disease outbreaks.
16.4 The IIS actively engages with stakeholders to support immunization-related efforts in childcare settings.
- The IIS supports immunization program activities during a public health emergency according to the jurisdiction’s public health emergency plan.
17.1 The IIS leverages existing inventory, provider, and vaccine administration functionality to support public health emergency response.
17.2 The IIS supports one or more strategies for rapid patient look-up as well as rapid data entry and submission, while maintaining data quality.
17.3 The IIS supports the use of existing IIS data elements and functionality for capturing data by CDC-defined priority groups.
17.4 The IIS supports data generation for federal reporting requirements.
17.5 The IIS supports the administration and tracking of, and reminder and recall for, adjuvanted vaccines.
Goal Three. Support and inform stakeholder efforts to improve immunization rates.
- The IIS provides predefined and ad hoc assessment and coverage reports that users can generate without assistance from IIS staff.
18.1 The IIS produces provider-level coverage assessments.
18.2 The IIS assists with identification of under-immunized populations for geographically defined areas.
18.3 The IIS enables immunization stakeholders to generate non-geographically defined vaccination coverage assessments for populations they serve (e.g., schools, health plans).
- The IIS supports reminder and recall activities.
19.1 The IIS supports the maintenance of complete and accurate contact information for individuals with records in the IIS.
19.2 The IIS identifies individuals in the IIS who have not received one or more age-appropriate vaccinations or vaccination series.
19.3 The IIS generates reminder and recall data by age, vaccine, vaccine series, reference date, IIS-defined geographic area, and provider site.
19.4 The IIS generates or supports more than one method of reminder and recall notification from the IIS or from third-party systems.
19.5 The IIS excludes individuals from reminder and recall outputs upon request.
- The IIS provides immunization records to individuals with appropriate authentication.
20.1 The IIS has policies and procedures in place and facilitates access to official immunization records for individuals, parents, or custodial guardians.
- The IIS ensures stakeholders have appropriate access to the data in the IIS for public and population health purposes.
21.1 The IIS has policies and procedures in place that support researchers, health plans, and other users that access the IIS or IIS data for purposes other than the delivery of immunization services (e.g., immunization assessment, promoting population health).
21.2 The IIS actively engages with stakeholders to support appropriate access to IIS data for public and population health purposes.
- The IIS reliably exchanges information electronically with IISs in other jurisdictions consistent with the current CDC-endorsed HL7 Implementation Guide.
22.1 The IIS has memoranda of understanding, interagency agreements, or other documented authorization to request and receive immunization information from other IISs.
22.2 The IIS can query another IIS for an immunization history.
22.3 The IIS sends patient demographic and vaccination records to IISs in other jurisdictions for patients who reside in those jurisdictions.
Goal Four. Support health care providers in meeting the requirements of the Vaccines for Children (VFC) program and state and local vaccine programs.
- The IIS supports vaccine management and quality assurance functions for VFC and state and local vaccine programs.
23.1 The IIS captures provider site Master Data in accordance with VTrckS data exchange specifications.
23.2 The IIS maintains a list of vaccines available for ordering consistent with the most current Federal Vaccines List.
23.3 The IIS supports vaccine ordering for provider sites enrolled in VFC and state and local vaccine programs.
23.4 The IIS provides the status of vaccine orders placed in the IIS to provider sites.
23.5 The IIS supports provider site enrollment in VFC and state and local vaccine programs.
23.6 The IIS supports the collection of the Provider Profile data for provider sites enrolled in VFC and state and local vaccine programs.
23.7 The IIS supports the tracking of VFC eligibility at the dose level for every administered dose of publicly purchased vaccine ordered, administered, and reported to the IIS.
- The IIS supports data exchange with the national Vaccine Tracking System (VTrckS).
24.1 The IIS exports provider Master Data, inventory data, and order data to VTrckS.
24.2 The IIS imports provider site shipment data from VTrckS.
24.3 The IIS inventory is populated automatically through receipt of vaccine shipment data from VTrckS or by provider site acknowledgement of receipt.
24.4 The IIS exports vaccine return and wastage data to VTrckS.
- The IIS supports provider site level vaccine inventory management and reconciliation according to VFC and state and local immunization program requirements.
25.1 The IIS provides access to the IIS vaccine inventory functionality for all provider sites that receive publicly purchased vaccine.
25.2 The IIS organizes and indicates vaccine inventory by any combination of NDC, lot number, expiration date, and public private indicator for vaccine inventory managed in the IIS.
25.3 The IIS allows provider sites to record information about inventory they receive (e.g., vaccine orders or incoming transfers).
25.4 The IIS automatically decrements administered doses (not historical doses) from active inventory.
25.5 The IIS supports the reconciliation of expected inventory in the IIS with the provider site’s actual physical inventory.
25.6 The IIS documents reductions in vaccine inventory (e.g., outgoing vaccine transfers, returns, wastage, and other).
25.7 The IIS supports the printing of packing slips for vaccines being returned to the distributor.
25.8 The IIS supports the management of provider site inventory by fund type.
- The IIS provides data or produces reports for VFC and state and local immunization programs.
26.1 The IIS produces reports or data that estimate, by patient age, the number of doses of publicly purchased vaccine each provider site will administer during the upcoming year.
26.2 The IIS produces reports or data that estimate, by patient age, the aggregate number of publicly purchased vaccines all providers will administer during the upcoming year.
26.3 The IIS produces reports or data that detail publicly purchased vaccine doses administered by a provider site.
26.4 The IIS produces reports or data that support vaccine inventory management and accountability for purposes other than ordering and reconciliation.
26.5 The IIS produces accountability reports or data that support the vaccine ordering process.