CDC IIS All Awardee Forum: IZ Gateway Deep Dive Q&As

This document provides responses to questions submitted during the Immunization Information Systems (IIS) All Awardee Forum on August 19, 2020, about the Immunization Gateway (IZ Gateway) and CDC legal agreements. Questions about the Vaccine Administration Management System (VAMS)1 are not included in this document. More in-depth information on VAMS was provided during the demonstrations on September 1 and September 2, 2020 and will be included in forthcoming training resources.

IZ Gateway Background

Does CDC anticipate keeping the IZ Gateway after the COVID-19 response, or is it intended only for this effort?

The IZ Gateway is expected to be in place beyond the COVID-19 response and will be used to support future immunization tracking efforts.

Is participation in the IZ Gateway required?

Immunization program awardees are not required to participate in the IZ Gateway. However, the IZ Gateway will serve as an important tool for exchanging vaccine administration data for COVID-19 response and beyond. Connecting to the IZ Gateway will enable IISs to receive data from VAMS and from national providers, such as the Federal Bureau of Prisons and Department of Defense (DoD), as well as share data with CDC. CDC strongly encourages each jurisdiction to onboard to the IZ Gateway to experience its benefits.

What are the benefits of provider organizations querying through the IZ Gateway when they can do that directly with IISs?

We anticipate that most providers who are already connected to an IIS will not onboard to or query through the IZ Gateway. For national vaccination provider organizations and other vaccinators that are not currently sharing data with IISs (e.g., skilled nursing facilities, Federal Bureau of Prisons, and DoD), there are multiple benefits to participating in the IZ Gateway, including reporting and querying capabilities for vaccination history and recommendations. The IZ Gateway allows national vaccination providers a single point for exchanging data with participating IISs instead of multiple, individual, point-to-point IIS connections. IZ Gateway’s onboarding concierge services help provider organizations navigate local policy and technology variations per IIS jurisdiction. Functionality is currently being developed that will enable national providers onboarding to the IZ Gateway to query data from IISs in multiple jurisdictions.

Legal Agreements

Can you provide tips on next steps when a jurisdiction does not have a statute that specifically permits sharing data with entities in other jurisdictions?

Navigating interjurisdictional data sharing involves analyzing the jurisdiction’s unique laws and legal authority. The Network for Public Law (NPHL) team is available to answer policy questions, discuss legal concerns, and assist in identifying potential approaches to support immunization information exchange. Contact the IIS Info Mailbox at if your jurisdiction needs assistance.

Is the agreement for an IIS to send data to CDC different from the DUA between an IIS and the Association of Public Health Laboratories (APHL)?

Yes, the IIS-CDC agreement is distinct from the IIS-APHL DUA that is used when participating in the IZ Gateway. The IIS-CDC agreement is still being finalized and will be shared as soon as it is ready. The IIS-APHL DUA is between APHL and the jurisdiction and facilitates data sharing between the IIS and IZ Gateway.

When will a jurisdiction need to have an IIS-CDC DUA in place?

Jurisdictions will need to have the IIS-CDC DUA for reporting in place by the time COVID-19 vaccine is available. CDC recognizes the timing for getting the IIS-CDC DUA in place is driven by the availability of the DUA to the IIS. CDC is working to make the agreement available as soon as possible.

Is it possible to have a single DUA that covers all components?

No, jurisdictions will need to complete both the IIS-CDC DUA and the IIS-APHL DUA. One DUA cannot cover all aspects of data sharing and exchange for several reasons, including:

  • The parties involved in the agreements differ. For example, the IIS-CDC DUA is between CDC and the jurisdiction. The IIS-APHL DUA is between the jurisdiction and APHL.
  • The terms of the agreements differ, including:
    • What data will be shared between the parties
    • How data will be routed between the parties
    • Whether and how data will be stored and used by the parties

In reviewing the interjurisdictional Memoranda of Understanding (MOU) on the AIRA website, I saw that some of the signed examples from other jurisdictions include an Appendix A that lists the core data elements and others do not. How does a jurisdiction know if it needs to include Appendix A?

The interjurisdictional MOU allows for multijurisdictional data exchange through IZ Gateway Share. The current version of the MOU (dated July 2020) no longer has an Appendix A. While prior versions included this information, it is no longer required. The current version can be found on the ISD Awardees SharePoint in the IZ Gateway Agreement Templates folder.

If a jurisdiction has its own DUA, can CDC and APHL sign that DUA instead?

No, jurisdictions must sign both the IIS-CDC DUA and the IIS-APHL DUA.

What agreements will currently enrolled Vaccines for Children (VFC) and 317 providers need to sign if their jurisdiction chooses to onboard to IZ Gateway Connect?

If an IIS is participating in IZ Gateway Connect, currently enrolled VFC and 317 providers need to sign the jurisdiction’s IIS-specific policy agreement(s) (e.g., provider site agreements, confidentiality agreements). If the provider is currently enrolled in the IIS, these agreements are likely already in place.

If a national provider organization opts to connect and send data through the IZ Gateway, the provider organization will need to sign a Business Associate Agreement (BAA) with APHL. Additional agreements may be required depending on the needs of the national provider organization.

Will jurisdictions be responsible for collecting BAAs between providers/electronic health record (EHR) vendors and APHL?

No, jurisdictions are not responsible for collecting the IZ Gateway BAA with either the provider organizations or their EHR vendors. Provider organizations not onboarded to an IISs that want to participate in the IZ Gateway will coordinate directly with APHL to complete the BAA.

Data Reporting

What does "dose-level eligibility" refer to?

Dose-level eligibility is a CDC-endorsed data element that applies to identifying and documenting a patient’s VFC eligibility to receive publicly supplied vaccine.

Data Exchange

What format does the IZ Gateway use and do the data need to be deidentified?

The IZ Gateway routes identified data from the sender to the receiver using HL7 Version 2.5.1 Release 1.5 messaging.

In the Share component of IZ Gateway, will data sharing be based on Query, or will it be automatically pushed to the relevant IIS (unsolicited) based on the patient's address?

In the Share component, the IZ Gateway will recognize when a patient is vaccinated outside of the jurisdiction in which he or she resides and will automatically push the patient’s record to the relevant IIS. By opting into IZ Gateway Share, a jurisdiction is automatically choosing to share data, when relevant, with all participating IISs.

In the Connect component of the IZ Gateway, will participating IISs receive data (push) from VAMS and other non-traditional vaccination providers (e.g., DoD) who administered vaccinations within the IIS’s jurisdiction?

Yes, in the Connect component of IZ Gateway, participating IISs will receive data from VAMS for patients in their jurisdictions. Participating IISs will also receive data for patients in their jurisdictions from non-traditional vaccination providers that are onboarded to IZ Gateway Connect and not already connected to IISs.

How does provider-initiated multijurisdictional data exchange work?

The Provider-Initiated Multijurisdictional Data Exchange component of IZ Gateway allows providers to initiate a query for immunization information from multiple jurisdictions.

Consumer Access

For the Consumer Access component of IZ Gateway, what IIS data does the consumer have access to and how do they access it?

The IZ Gateway enables consumers to access their vaccination records through an online application that is connected directly to an IIS or through the IZ Gateway. Consumers can access their and their families’ vaccination records and forecasts through the online application.

Can you provide more information about consumer authentication to access data for the Consumer Access component?

Consumer authentication processes vary by jurisdiction and product used for the IZ Gateway Access interface. However, all products will require the consumer to enter personal information, such as telephone number or email, that is matched to data in the IIS and then verified by contact with the device or email. The HHS Office of the Chief Technology Officer (HHS-CTO) is piloting a variety of authentication approaches. The pilot will allow HHS-CTO to evaluate customer experience, match rates, and related quality metrics.

Page last reviewed: August 12, 2021