COLORADO SPRINGS — In order to pick a winner for one of Colorado's million-dollar vaccine lottery prizes, the state will make a random selection from the Colorado Immunization Information System. This database was created by state lawmakers in 2007 to facilitate electronic record sharing of vaccine information. Residents can check their vaccination status by using the CIIS public portal.
While the system uses two-factor authentication to protect the privacy of these records, the data may be vulnerable to access by others. Users are required to input a patient's first and last names, date of birth, gender, and relationship to the patient (if accessing records on behalf of a minor.)
They must then enter a cell phone number or email address where they would like to receive a code that is required to access the records. Names, dates of birth, and gender are frequently shared on social media accounts. Certain public figures may also have their birth dates published on Wikipedia.
The Colorado Department of Public Health and Environment is responsible for maintaining the CIIS database. A spokesperson pointed out in a statement to News 5 that anyone using the portal must attest that they will abide by the privacy and confidentiality policy.
Releasing confidential immunization records in public is considered a class 1 misdemeanor and is punishable by jail sentence between six and 18 months, and a fine of $500 to $5,000 for each unauthorized record released.
While state law considers immunization records stored in the CIIS to be strictly confidential, there are a limited number of exemptions for when the records may be released. These include releasing records to a patient's parent or legal guardian, to a health care provider, childcare center, school, university, health insurance provider, and hospital. The records may also be accessed by entities who have agreements with the state for immunizations, as well as the Colorado Department of Health Care Policy and Financing for Medicaid enrollment purposes.
There is not an exemption for employers to access the immunization records of their employees using the CIIS portal.
Patients have the right to opt-out of the CIIS. However, an individual patient, their parent, or their guardian must submit a request to do so with the state health department. Even after that patient has been removed, their name, date of birth, gender, city, county, and zip code will remain in the database in order to guarantee the continued privacy.