Although vaccine rollout began slowly in the United States, millions of people are now being vaccinated against COVID-19 per day. As individuals receive the vaccine, states have been collecting personal health data in individual immunization registries. Experts say this data collection is essential to effectively monitor vaccination progress, report adverse reactions, compare vaccine efficacy in cross sections of the population, and keep track of who needs second doses and when.

Although states have traditionally been responsible for collecting immunization data without federal intervention, some say the global scale of the pandemic and the need to understand vaccination progress nationally require greater federal intervention in tracking immunization data. In December 2020, the U.S. Centers for Disease Control and Prevention (CDC) began asking states to enter into Data Use and Sharing Agreements that would require states to share vaccination data with the federal government, with the stated goal of “generat[ing] a comprehensive picture of COVID-19 vaccine uptake nationally.” Many states have signed the agreements as is, but some have negotiated with the CDC to share less data, or to ensure that the data will not be used for particular purposes. Minnesota and Colorado, for instance, will only submit de-identified data on vaccine doses administered in each state. California will only provide the federal government with the birth year and sex of vaccinated individuals, as well as the county where the vaccine was administered.

Naturally, the collection and storage of health information at the federal level raises significant privacy concerns. Although the Health Insurance Portability and Accountability Act (HIPAA) normally protects against the disclosure of identifiable immunization data by covered entities, HIPAA contains various exceptions to ensure public health and safety. Throughout the pandemic, the U.S. Department of Health and Human Services (HHS) has announced its intention to empower HIPAA covered entities to use technology to contain the spread of COVID-19 without fear of massive penalties. For instance, HHS exercised its enforcement discretion to announce it will not enforce penalties in connection with the good faith use of online scheduling applications for COVID-19 vaccinations. HHS also clarified that using Protected Health Information (PHI) to identify and contact individuals who have recovered from COVID-19 to facilitate plasma donations is permitted during the pandemic. In this instance, to justify its request for vaccination data from states, the CDC relies on the HIPAA exception that permits a covered entity to disclose such data to public health authorities, such as the CDC, when the disclosure of PHI is necessary to prevent or control disease.

Notably, even with this exception, covered entities must reasonably limit the disclosure to the minimum amount necessary to accomplish the public health purpose. To meet this requirement, the data received from the states will be stored on a cloud-hosted “COVID-19 Data Clearinghouse” that will receive, de-duplicate, and de-identify the data, and then populate IZ Data Lake, a separate cloud-hosted repository, with limited datasets of redacted vaccination data. Only authorized users that need to see the data for vaccination management and administration purposes will be given access to these limited, redacted datasets. This limits access to the larger pool of data that is received by the COVID-19 Data Clearinghouse. The repositories will also be independently audited to ensure compliance with privacy laws. Should there be a data breach, the CDC is putting in place appropriate response teams to coordinate a response to the incident.

To be sure, even with these risk mitigation measures in place, the collection of vaccination data at the federal level requires the secure collection, management, and dissemination of data at an unprecedented scale.

*    *   *

Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take, and resources to help manage ongoing operations. If you operate a multi-state business and are navigating ever-changing COVID-related developments to employment and privacy-related rules, regulations, orders, and guidance, request access to our ProTrack COVID-19 tool, which allows you to search legal requirements in the jurisdictions where you conduct business. With this tool, you can now stay up-to-date on legislation at the state level regarding vaccination requirements.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ryan P. Blaney Ryan P. Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a…

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch- Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.