                                 CODE OF VIRGINIA

VIRGINIA IMMUNIZATION INFORMATION SYSTEM (§ 32.1-46.01)

A. The Board of Health shall establish the Virginia Immunization Information
System (VIIS), a statewide immunization registry that consolidates patient
immunization histories from birth to death into a complete, accurate, and
definitive record that may be made available to participating health care
providers throughout Virginia, to the extent funds are appropriated by the
General Assembly or otherwise made available. The purposes of VIIS shall be to
(i) protect the public health of all citizens of the Commonwealth, (ii) prevent
under-immunization and over-immunization of children, (iii) ensure up-to-date
recommendations for immunization scheduling to health care providers and the
Board, (iv) generate parental reminder and recall notices and manufacturer
recalls, (v) develop immunization coverage reports, (vi) identify areas of
under-immunized population, and (vii) provide, in the event of a public health
emergency, a mechanism for tracking the distribution and administration of
immunizations, immune globulins, or other preventive medications or emergency
treatments. Any health care provider, as defined in &#xA7; 32.1-127.1:03, in the
Commonwealth that administers immunizations shall report such patient
immunization information to VIIS pursuant to this section.

B. The Board of Health shall promulgate regulations to implement the VIIS that
shall address:

   1. Registration of participants, including, but not limited to, a list of
   those health care entities that are authorized and required to participate and
   any forms and agreements necessary for compliance with the regulations
   concerning patient privacy promulgated by the federal Department of Health and
   Human Services;

   2. Procedures for confirming, continuing, and terminating participation and
   disciplining any participant for unauthorized use or disclosure of any VIIS
   data;

   3. Procedures, timelines, and formats for reporting of immunizations by
   participants;

   4. Procedures to provide for a secure system of data entry that may include
   encrypted online data entry or secure delivery of data files;

   5. Procedures for incorporating the data reported on children&#8217;s
   immunizations pursuant to subsection E of &#xA7; 32.1-46;

   6. The patient identifying data to be reported, including, but not limited to,
   the patient&#8217;s name, date of birth, gender, telephone number, home
   address, birth place, and mother&#8217;s maiden name;

   7. The patient immunization information to be reported, including, but not
   necessarily limited to, the type of immunization administered (specified by
   current procedural terminology (CPT) code or Health Level 7 (HL7) code); date
   of administration; identity of administering person; lot number; and if
   present, any contraindications, or religious or medical exemptions;

   8. Mechanisms for entering into data-sharing agreements with other state and
   regional immunization registries for the exchange, on a periodic nonemergency
   basis and in the event of a public health emergency, of patient immunization
   information, after receiving, in writing, satisfactory assurances for the
   preservation of confidentiality, a clear description of the data requested,
   specific details on the intended use of the data, and the identities of the
   persons with whom the data will be shared;

   9. Procedures for the use of vital statistics data, including, but not
   necessarily limited to, the linking of birth certificates and death
   certificates;

   10. Procedures for requesting immunization records that are in compliance with
   the requirements for disclosing health records set forth in &#xA7;
   32.1-127.1:03; such procedures shall address the approved uses for the
   requested data, to whom the data may be disclosed, and information on the
   provisions for disclosure of health records pursuant to &#xA7; 32.1-127.1:03;

   11. Procedures for releasing aggregate data, from which personal identifying
   data has been removed or redacted, to qualified persons for purposes of
   research, statistical analysis, and reporting; and

   12. Procedures for the Commissioner of Health to access and release, as
   necessary, the data contained in VIIS in the event of an epidemic or an
   outbreak of any vaccine-preventable disease or the potential epidemic or
   epidemic of any disease of public health importance, public health
   significance, or public health threat for which a treatment or vaccine exists.
   				The Board&#8217;s regulations shall also include any necessary definitions
   for the operation of VIIS; however, &#8220;health care entity,&#8221;
   &#8220;health care plan,&#8221; and &#8220;health care provider&#8221; shall
   be as defined in subsection B of &#xA7; 32.1-127.1:03.

C. The establishment and implementation of VIIS is hereby declared to be a
necessary public health activity to ensure the integrity of the health care
system in Virginia and to prevent serious harm and serious threats to the health
and safety of individuals and the public. Pursuant to the regulations concerning
patient privacy promulgated by the federal Department of Health and Human
Services, covered entities may disclose protected health information to the
secure system established for VIIS without obtaining consent or authorization
for such disclosure. Such protected health information shall be used exclusively
for the purposes established in this section.

D. The Board and Commissioner of Health, any employees of the health department,
any participant, and any person authorized to report or disclose immunization
data hereunder shall be immune from civil liability in connection therewith
unless such person acted with gross negligence or malicious intent.

E. This section shall not diminish the responsibility of any physician or other
person to maintain accurate patient immunization data or the responsibility of
any parent, guardian, or person standing in loco parentis to cause a child to be
immunized in accordance with the provisions of &#xA7; 32.1-46. Further, this
section shall not be construed to require the immunization of any person who
objects thereto on the grounds that the administration of immunizing agents
conflicts with his religious tenets or practices, or any person for whom
administration of immunizing agents would be detrimental to his health.

F. The Commissioner may authorize linkages between VIIS and other secure
electronic databases that contain health records reported to the Department of
Health, subject to all state and federal privacy laws and regulations. These
health records may include newborn screening results reported pursuant to &#xA7;
32.1-65, newborn hearing screening results reported pursuant to &#xA7;
32.1-64.1, and blood-lead level screening results reported pursuant to &#xA7;
32.1-46.1. Health care providers authorized to use VIIS may view the health
records of individuals to whom the providers are providing health care services.

HISTORY: 2005, cc. 643, 684; 2012, c. 147; 2021, Sp. Sess. I, c. 211.