Home About Alert Confidentiality Providers Parents LogIn

Larger Font

Confidentiality Policy - May 2007

I. Background
Oregon Immunization ALERT is a statewide childhood immunization information system. ALERT was developed to achieve complete and timely immunization of all children in Oregon. A major barrier to reaching this goal is the continuing difficulty of keeping immunization records accurate and up-to-date. ALERT addresses this problem by collecting immunization information from public and private health care providers and linking children’s immunization records. Even if a child receives immunizations from more than one health care provider in Oregon, ALERT will merge the immunization information from all providers to create a complete and current record for the child. This assists health care providers and parents to track which immunizations are needed for children in their care.
II. Statement of purpose
ALERT is an immunization information system that serves the public health goal of preventing the spread of childhood vaccine preventable diseases in Oregon. It accomplishes this goal through providing accurate and timely immunization information for all children in Oregon in order to assist providers to age-appropriately immunize all the children in their care.

The success and effectiveness of ALERT in achieving its public health goal will depend on the level of participation by providers and parents. To ensure the highest possible participation of the children in Oregon, all children will be enrolled in ALERT from birth records. Under the ALERT law [1], the purposes of ALERT are to:

  • increase the immunization rates of children in Oregon in order to reach the 2010 benchmark of age-appropriately immunizing 95% of Oregon’s children;
  • prevent the spread of vaccine preventable diseases;
  • waive the requirement that authorized users obtain consent for release of information from, or providing information to, ALERT;
  • allow authorized users to share information from the immunization record through or between immunization registries without violating confidentiality.
III. Purpose of confidentiality policy
The purpose of this policy is to address the need to provide appropriate confidentiality protection to the information in ALERT. The confidentiality of this information must be distinguished from issues of privacy. Privacy is concerned with the control individuals exert over the release of their personal information. Under ALERT’s policy, confidentiality is concerned with how the information provided to ALERT by individuals is accessed, collected, stored, used, and provided to other individuals and organizations.

In developing this confidentiality policy ALERT applied pertinent state laws, obtained comments from authorized users and other interested parties, consulted published sources on confidentiality, and applied principles of confidentiality, including the Code of Fair Information Practices.
IV. Definitions
A. All terms used in this policy have the same meaning as those terms used in the state law and administrative rules that authorize ALERT. (See attached.)

B. "Authorized User" means (including, but not limited to):
  • 1. providers: including health care providers licensed to provide health care services; managed health care systems; health maintenance organizations, health service contractors working under the direction of the Director of ALERT; insurance carriers and the Oregon medical assistance program;
  • 2. parents and guardians;
  • 3. schools and children's facilities;
  • 4. local health departments;
  • 5. the Oregon Department of Human Services; and
  • 6. the agents of local health departments and the Oregon Department of Human Services.

C. "Confidentiality" means:
  • 1. limiting the collection, access, use, storage, and release of information from authorized users to ALERT and from ALERT to authorized users in a manner that information will not be shared with non-authorized users, and
  • 2. information will only be used for the purposes permitted under the ALERT laws, rules, and policies.

D. "Immunization Record" includes, but is not limited to:
  • 1. any immunization received;
  • 2. date immunization was received;
  • 3. Complication or side effect associated with immunization;
  • 4. Client's name;

E. "Immunization tracking and recall record" includes but is not limited to:
  • 1. The client's name;
  • 2. Address of the parent or guardian of the client;
  • 3. Telephone number;
  • 4. Insurance carrier;
  • 5. Health care provider; and
  • 6. Other information needed to send reminder cards to, place telephone calls to or personally contact the client or the parent or the guardian of a client for the purposes of informing the client, parent or guardian that the client is due or past due to receive the recommended immunizations.
V. Confidentiality
Based on the ALERT law, rules, and general principles of confidentiality, the confidentiality policy for ALERT is as follows:

A. Information in ALERT is confidential under Oregon law.

B. Code of Fair Information Practices
    The principles in the Code of Fair Information Practices will be applied to ALERT. This means:

    1. the existence of ALERT and its purposes will be made known to all parents;

    2. parents will be informed about what information is maintained in ALERT and how that information is used;

    3. information collected for the purposes of ALERT will not be used for other purposes without the consent of the parent or guardian of the child (Note: additional demographic data [i.e., social security number, Medicaid number] may be collected for matching purposes only);

    4. parents or guardians may review records in ALERT and submit documentation to ALERT;

    5. ALERT will assure the reliability of the information it creates, maintains, uses, or disseminates; and

    6. ALERT will take reasonable precautions to prevent the misuse of the information it creates, maintains, uses, or disseminates.

C. Authorized users
    1. Only authorized users of ALERT may provide information to or receive information from ALERT.

    2. Information from the immunization record may only be shared among authorized users.

    3. According to ORS 433.090-102, information from the immunization tracking and recall record may only be used by authorized users to contact parents for the purposes of informing the parent or guardian that a child is due or past due to receive recommended immunizations.

    4. No information from ALERT will be made available to any party, who is not an authorized user, except as provided in Section VI (Research using ALERT information).

    5. All authorized users are required to sign a confidentiality agreement as provided by the Director. The Director shall determine the time period that each agreement is in effect. Upon signing a Confidentiality Agreement every authorized user shall receive a copy of this confidentiality policy and a copy of the policy whenever it is updated.

    6. All authorized users may receive information from ALERT upon authorization by the Director.

    7. No information from ALERT may be provided to any other party, including law enforcement or the Immigration and Naturalization Service, except as required by law.

    8. The Director will maintain an audit trail for all information received from or released from ALERT.

    9. The Director shall seek appropriate penalties for any misuse of information in ALERT by any authorized user or any other party, including federal civil penalties as defined in HIPAA rules (Federal Register/Vol. 68, No. 74/Thursday April 17, 2003/Rules and Regulations).

    10. Any paper copy of information from ALERT will be shredded before disposal. Information from ALERT that identifies individual providers will not be used for quality improvement or external reporting without the prior consent of the providers.

    11. When information is disclosed from ALERT, or from one authorized user to another authorized user, the information will include a notice that:
      - The information disclosed is from a confidential record and is protected by state law;
      - any further disclosure of the information in an identifiable form may be prohibited without the written informed consent of the person who is the subject of the information or as permitted under law; and
      - unauthorized disclosure of the information may result in penalties.
VI. Training of ALERT staff
The Director shall provide training to all Immunization Program staff, providers, and other authorized users regarding appropriate confidentiality procedures and HIPAA confidentiality procedures.
VII. Request for information
A. Request from law enforcement. In the event that a representative of law enforcement seeks information from ALERT on a specific child, the requestor will be referred to the child’s provider.

B. All Subpoenas, requests for production, warrants, and court orders will immediately be referred to the Office of the Attorney General.
VIII. Data retention and disposal
Records from ALERT will be retained according to recommendation from the State Archivist. Based on consultation with the State Archivist, ALERT is in compliance with Records Retention Schedule 99-0005 as all data is entered and maintained in electronic form for the life of the registry. Paper copies are securely stored and maintained for two years for verification and proofing purposes, then confidentially shredded.
IX. Voluntary Opt-Out
In any circumstance in which a parent or guardian specifically request that information on their child be removed from ALERT, the child’s record will be flagged so the parent or guardian will not receive reminders or recalls. However, under Oregon law, ALERT cannot remove the record or other information on any children from the registry.

Such request from a parent or guardian must be in writing, and should be sent to the attention of the ALERT Director.
X. Prohibited Transfer of Data or Secondary Use of ALERT data
Authorized users are not permitted to transfer data, either in paper or electronic form, to non-authorized users. Non-authorized users include, but are not limited to, software vendors, contractors, and quality improvement organizations. Potential users should be considered non-authorized unless specifically approved in writing by the Director and the Immunization Program Manager in advance of data transfer.
XI. Research using ALERT data
A. Information in ALERT is collected for the purposes noted above and may only be used for these purposes.

B. The Director of ALERT must approve requests for information from ALERT for research. The research must be shown to address at least one of the purposes of ALERT. Specific uses of ALERT data include:
    1. Aggregate data may be used within Oregon State Public Health Division and shared with authorized users for public health purposes. Examples include: identify under-immunized populations, track interventions to improve immunization rates, and monitor the implementation of changes in the vaccine schedule in Oregon.

    2. Patient-identified information may be used within the Immunization Program at the specific request of providers, health plans, and authorized users to assess immunization rates and identify areas of improvement. Only names and dates of birth and immunization histories may be used for this purpose. Addresses or other patient-specific information cannot be released.

    3. Data may be released for research pre-approved by the ALERT Director and by the requesting organization’s human subjects review process. Any data used for this purpose must be de-identified of names and other patient identifiers. Addresses or other patient-specific information cannot be released. Any request for information that does not directly address one of the purposes of ALERT or above conditions will be denied.

    4. In order to approve a request for research utilizing information in ALERT, the Director must determine that the following criteria is met:
      a) The request identifies one or more of the purposes for ALERT that the research will address;
      b) The researcher signs an agreement to maintain the confidentiality of all information from ALERT;
      c) In accordance with ALERT laws, and as determined by the Director, appropriate security provisions will be maintained for all information from ALERT; and
      d) The information cannot be obtained from any other source.

    5. If the Director determines that each of these criteria are met, the information may be provided to the requestor. Upon completion of any research involving information from ALERT, the researcher will immediately delete all information bases with personal identifying information.
C. Any request for information from ALERT that does not satisfy the above criteria may only be provided to the requestor in aggregate form that does not identify an individual.

D. Not withstanding the above, the Director may consider other requests for research from the Oregon State Public Health Division pursuant to OAR 333-19-005.
XII. Penalties
The Director shall seek appropriate penalties for any misuse of information in ALERT by any authorized user or any other party, including federal civil penalties under HIPAA rules (Federal Register/Vol. 68, No. 74/Thursday April 17, 2003/Rules and Regulations).
XIII. Review of confidentiality policy
A. The Director shall review and revise this policy as needed, but not less than annually.

B. The review of this policy must include the participation of authorized users.

C. The ALERT Advisory Committee must approve any changes to this policy.

[1] ORS 433.090-102
Our website's database was last updated on 1/5/2009  with 24,013,949 immunizations. [v3.4]  Users online [14]
You are using for . 38.103.63.55
Session ID: B6786GN6010NA7787    Location ID:     Tuesday, January 06, 2009    Top of Page