VIIS Security

HCP as defined in § 8.01-581.1 Definitions

“Health care provider” means (i) a person, corporation, facility or institution licensed by this Commonwealth to provide health care or professional services as a physician or hospital, dentist, pharmacist, registered nurse or licensed practical nurse or a person who holds a multistate privilege to practice such nursing under the Nurse Licensure Compact, optometrist, podiatrist, chiropractor, physical therapist, physical therapy assistant, clinical psychologist, clinical social worker, professional counselor, licensed marriage and family therapist, licensed dental hygienist, health maintenance organization, or emergency medical care attendant or technician who provides services on a fee basis; (ii) a professional corporation, all of whose shareholders or members are so licensed; (iii) a partnership, all of whose partners are so licensed; (iv) a nursing home as defined in § 54.1-3100 except those nursing institutions conducted by and for those who rely upon treatment by spiritual means alone through prayer in accordance with a recognized church or religious denomination; (v) a professional limited liability company comprised of members as described in subdivision A 2 of § 13.1-1102; (vi) a corporation, partnership, limited liability company or any other entity, except a state-operated facility, which employs or engages a licensed health care provider and which primarily renders health care services; or (vii) a director, officer, employee, independent contractor, or agent of the persons or entities referenced herein, acting within the course and scope of his employment or engagement as related to health care or professional services.

HCP as defined in §32.1-127.1:03 Health Records Privacy

“Health care provider” means those entities listed in the definition of “health care provider” in § 8.01-581.1, except that state-operated facilities shall also be considered health care providers for the purposes of this section. Health care provider shall also include all persons who are licensed, certified, registered or permitted or who hold a multistate licensure privilege issued by any of the health regulatory boards within the Department of Health Professions, except persons regulated by the Board of Funeral Directors and Embalmers or the Board of Veterinary Medicine.

VIIS Information

The Code of Virginia, § 32.1-46.01 authorizes the Virginia Immunization Information System (VIIS), a statewide immunization information system that manages electronic immunization records.  This policy states behaviors required of VIIS users, Virginia Department of Health (VDH), and Division of Immunization (DOI) to protect the confidentiality, privacy and accuracy of client information.


  • VIIS is consistent with the Department of Health and Human Services and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
  • Authorized users of VIIS includes, but is not limited to:
  • Health care provider or health plans
  • Schools, Head Start programs, and day care centers
  • Individuals or organizations as required by law or in the management of a public health crisis
  • Other immunization registries
  • The review of this policy must involve the participation of representatives from the private and public health care sectors.

VDH/DOI Host Site Security

  • The system will force users to change their password every 90 days.
  • The VIIS system will time-out after 30 minutes.
  • No information from VIIS will be made available to law enforcement, the Immigration and Naturalization Service, or any other party.
  • The VIIS system will maintain an audit trail for all information accessed.
  • VDH will conduct a self-assessment of the potential risks and areas of vulnerability regarding VIIS and will develop, implement, and maintain appropriate security measures on an ongoing basis.
  • The release of immunization information shall be for statistical purposes or for studies that do not identify individuals.

Provider/ User Security

  • Access to VIIS is authorized under the condition that it is required to perform their job.
  • All VIIS users are required to sign a Confidentiality/ Security Agreement with VDH.
  • Each user must renew the user confidentiality/security agreement annually.
  • Each user is responsible for maintaining confidentiality.
  • The provider/user is obligated to act on any request by an individual to opt out of VIIS. If the patient elects to opt out, the provider should promptly mark “NO” for sharing of immunization data.
  • The user will make reasonable effort to ensure the accuracy of all immunization and demographic information entered or edited
  • Virus protection is recommended for each client site.
  • User desktops/laptops must have physical security and password screen savers when not being used by authorized individuals and will terminate the VIIS application prior to leaving the VIIS workstation
  • An ID and Password are required to access VIIS.
  • Users will not share or disclose their ID or password to anyone.
  • The VIIS Administrator will maintain completed user registration forms in a secure location
  • All data from VIIS will be encrypted before transfer.
  • VIIS records will be treated with the same vigilance, confidentiality, and privacy as any other patient medical record.
  • Patient immunization records will not be copied except for authorized use
  • VIIS information in a paper copy will not be left where it would be visible for unauthorized personnel and must be shredded before disposal
  • Unauthorized disclosure of information from confidential records may be punishable, upon conviction, by a fine and/or imprisonment or both, and/or civil penalties as prescribed by law as well as sanctions and/or disciplinary action.
  • If VIIS data is to be faxed, the sender must verify the fax number and receipt of data.
  • Any activity that would jeopardize the proper function/security of VIIS will not be conducted.
  • Misuse of VIIS may result in legal action against the user personally, and against the organization for which I am an agent.

Provider Responsibility

  • The VIIS Administrator at the user site will terminate access for an authorized user who no longer requires access.
  • Users will make every effort to protect VIIS screens from unauthorized view.
  • Should a material breach of personal privacy/confidentiality occur, the offending party must immediately notify the client and VDH/ DOI designee. Violators of this policy will be restricted from VIIS by the System Administrator at the offender’s site.
  • The VIIS Administrator will be notified immediately if unauthorized entry into the system is suspected.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use and disclosure of protected health information.

Covered Entities of HIPAA are:

  • Health care providers who conduct certain financial and administrative transactions electronically
  • Health care clearinghouses; and Health Plans
  • HIPAA Section 164.512 (b) permits a covered entity to disclose protected health information for public health activities.
  • The Virginia Department of Health operates the Virginia Immunization Information System
  • The Code of Virginia allows for sharing of immunization data by health care providers without parental authority (§ 32.1-46)
  • The Code of Virginia allows for sharing of VIIS information with authorized users (§32.1-46.01)
  • Under HIPAA, VIIS can receive protected health information without patient authorization
  • In summary, immunization information can be shared as specified by the Code of Virginia through VIIS

Security Information

How can our practice as well as our clients be reassured the information is secure?

  • Public and private health care providers must sign a confidentiality agreement with Virginia Department of Health (VDH).
  • Users must be authorized by VDH and must follow strict security policy.
  • Licensure of all providers is verified by VDH before accessing the application.
  • Users are assigned IDs and passwords. Passwords are changed every 90 days.
  • Security roles are assigned to each user, limiting their access in VIIS.
  • Several security features exist to ensure the confidentiality of the information (see the VIIS Confidentiality and Security policy).
  • Encryption is used for transmitting all data over the Internet.
  • Information for statistical studies have all individual identifying information removed.