Lane: CIIS pits profit against children’s privacy

Author: Rebecca Lane - March 23, 2017 - Updated: March 21, 2017

Rebecca Lane
Rebecca Lane

Recently, several Colorado newspapers have published articles regarding Colorado childhood immunization rates and fears surrounding the de-funding of the Colorado Immunization Information System (CIIS), a $3.3 million per year, tax payer funded, inaccurate, opt-out only tracking system that contains private medical information accessible to health care providers, governmental agencies and school personnel across the state.

In two Denver Post articles, the Colorado Children’s Immunization Coalition (CCIC) was referenced as the expert in immunization information for Colorado. CCIC is a nonprofit organization that works to increase immunization rates in the state. But according to the state auditor’s 2016 performance audit of the Colorado Department of Public Health and Environment (CDPHE), CCIC was implicated in a conflict of interest with the CDPHE. The audit reports that CDPHE awarded $1.8 million in contracts to CCIC from November 2008 through July 2015. The audit also reported that during that time, various CDPHE staff served on the board of directors of CCIC. Since CDPHE is the agency that runs CIIS, how can Coloradans rely on this type of reporting when biased sources such as CCIC are used to make the case for CIIS funding? Sourcing CCIC when asking about CIIS funding is akin to asking the fox if the henhouse should be left unlocked.

It has been reported that CIIS helps doctors and parents track vaccinations electronically and that before CIIS was created, vaccinations were tracked by paper records. This is true, but since the creation of CIIS, new electronic health information exchange networks such as the Colorado Regional Health Information Organization (CORHIO) have been created. These networks electronically track all patient health information which can be shared with health care providers across the state. Before the creation of these massive network databases CIIS was a more valuable tool. But now, doctors, clinics, hospitals, CDPHE and other medical providers use networks such as CORHIO to track the medical records of their patients. Vaccination records are input into the electronic health chart just like any other medical procedure and thus, immunization records are already available in the networks. CIIS has been made redundant.

A quote from the August 2016 CORHIO newsletter illustrates the point: CDPHE and CORHIO “have partnered to help community providers and hospitals submit immunization reports using existing health information exchange technology. Since June 2013, CORHIO participants have reported 494,695 immunizations to CIIS through the secure CORHIO network. This includes data from 69 individual sites, including office-based providers and hospitals or health systems.”

The CORHIO network partners with CDPHE and CDPHE runs CIIS. What’s more, the current head of CDPHE was the chief executive officer of CORHIO before his position at CDPHE, and he now sits on the board of directors of CORHIO.

Is CIIS really dedicated to public health or is it dedicated to data collection?

Besides being redundant, CIIS is not necessarily accurate. The CDPHE website immunization-records (CIIS) page states that, “the registry may not contain all records.” Not all providers participate in CIIS and if children have had immunizations out-of-state, these records will not be recorded in CIIS.

Additionally, this database is opt-out only. To opt-out, parents must be made aware that their children are being tracked in this database in the first place. Although, according to Colorado statute, they should be notified, most providers fail to tell parents their children’s immunization data will be shared with CIIS. If the parent does find out about CIIS and chooses to opt their child out of this tracking system, only the child’s immunization records are purged. The children opted out will then have their personally identifiable information moved to another database within CIIS for those who choose to opt-out; hardly a true opt-out.

Given the issues, is CIIS really worth $3.3 million per year of tax payer money? Do parents really want or need their children’s potentially inaccurate medical information stored redundantly in several databases across the state with each one vulnerable to security breaches and accessible by hundreds or thousands of people across the state? I would say defunding CIIS is a no brainer.

Rebecca Lane

Rebecca Lane

Rebecca Lane is a Colorado parent of young children in the public school system. She is concerned with the increased collection and sharing of children's data without parental knowledge or consent both within and outside of schools.


  • Jeffrey

    March 23, 2017 at 7:43 am

    I think there’s more to this story than Rebecca Lane is telling us. She makes seemingly convincing arguments about defunding a redundant government program. But why come out swinging over a single line in the budget?

    There’s clearly more to the story, a gap that leaves the reader suspicious and questioning. Is the author an anti-vaxxer? A privacy advocate?

    Please, Ms. Lane, tell us more about yourself and give a broader context to your argument.

    • Kathy Sincere

      March 23, 2017 at 10:05 pm


      You have an issue with Rebecca Lane; I have an issue with your vernacular.

      Rebecca Lane “makes seemingly convincing arguments about a redundant government program.” Seemingly? The word you are searching for is “seamlessly”. What part of her scenario/rationale for saving $3.3 Million Taxpayer Dollars did you not comprehend?

      Also, I take issue with your use of the term “anti-vaxxer” in reference to the author. Anti-vaxxer is hate language and needs to be called out as such. It is derogatory, demeaning and marginalizes the person it is used against. It is no different or less offensive than nigger or faggot . It is used in media to stir up negativity and deflect attention away from the real issue at hand. The issue here, in this article, is defunding another wasteful, unnecessary government program.

  • Pam Long

    March 23, 2017 at 11:26 am

    If privacy and wasteful spending of $3.3 million for CIIS (that’s a good start in the $700 million we are over spending as a state, one line at a time) resonates with readers, the budget process starts in a few days. Contact your Colorado lawmakers: https://leg.colorado.gov/legislators at “Find My Legislator” at the top. You do not have to hold any credentials to have an opinion, you can just be a parent or a taxpayer.

  • Connie

    March 23, 2017 at 11:28 am

    Rather than shoot the messenger…

    If you have valid comments as to why this is not a redundant program, please share. As a parent and a teacher, we could certainly find better ways to use $3.3 Million dollars. How about using this money to hire more teachers and for smaller class sizes? I would also like to hear more on what information is shared in both CIIS and CORHIO as I am not familiar with either. I thought HIPPA forbid sharing of medical information, am I wrong?

  • Pam Long

    March 23, 2017 at 2:39 pm

    HiPAA allows medical sharing of your complete medical record with any subscriber in CORHIO, not just your doctor. CORHIO is another opt-out system, you have to submit a notarized document for approval to CORHIO.

    And “Jeffrey’s” comment is beyond creepy and stalker-ish. Moderators can you please review?

  • Lawrence

    March 23, 2017 at 5:07 pm

    To answer your question Connie: information in a student’s record can be shared; HIPPA nor FERPA prevent this.

    “In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.”  https://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html

    FERPA privacy law allows for sharing of personal student data in a student’s record without parent consent, via  several exceptions in the law. These exceptions were made when FERPA was weakened in 2011 and now FERPA allows  “the release of student records to certain parties or under certain conditions. Records may be released without the student’s consent: (1) to school officials with a legitimate educational interest; (2) to other schools to which a student seeks or intends to enroll; (3) to education officials for audit and evaluation purposes; (4) to accrediting organizations; (5) to parties in connection with financial aid to a student; (6) to organizations conducting certain studies for or on behalf of a school; (7) to comply with a judicial order or lawfully issued subpoena; (8) in the case of health and safety emergencies; and (9) to state and local authorities within a juvenile justice system.” https://epic.org/privacy/student/ferpa/

    To see some of the researchers that have access to student personal information in Colorado, go here. http://www.cde.state.co.us/dataprivacyandsecurity/agreements

    To see some of the data points that the state dept of education collects (and can share) about students go here to their data dictionary.  http://www.cde.state.co.us/dataprivacyandsecurity/dataelementscollected

    I work for the state, so I am aware of these issues.

  • Joe

    March 23, 2017 at 8:34 pm

    There clearly is more to this story, Jeffrey. Are you someone who likes seeing money wasted, are you a board member of CCIC or just someone who likes other people’s personal information to be copied and spread around for no good or legal reason?

  • JB

    March 24, 2017 at 2:50 pm

    Paragraph 1 is inaccurate
    Paragraph 2 is irrelevant
    Paragraph 3 is not true

    Paragraphs there after have arguments based upon the first 3.

    Readers should do their own research and not rely on the opinion of R. Lane based on Parag 1-3.

Comments are closed.