When rollout began for COVID-19 vaccinations, numerous news articles outlined privacy concerns about state / territory level vaccine registries being asked to share personally identifying information with the Centers for Disease Control (CDC). Information privacy concerns like this have a unique impact on survivors of domestic violence, sexual violence, and stalking, because they can have significant effects on survivor safety.  

State and territory immunization registries have been around for many years, and were created to help public health officials keep track of immunization information for people living in the state. These systems are generally known as Immunization Information Systems (IIS), and have been primarily used to track childhood vaccinations. The COVID-19 pandemic has brought them to the forefront, as local governments work to coordinate vaccine distribution.

In August of 2020, the federal government announced a new software product called the Immunization Gateway (IZ Gateway). The idea behind the IZ Gateway is to increase access to information stored in state immunization registries around the country, so that health care providers and consumers can have access to their information regardless of where they were located, and can coordinate across jurisdictions. The system is designed so that state registries can share information with each other and with the CDC.

While systems like IIS and the IZ Gateway have obvious benefits for healthcare coordination, the privacy concerns they raise for survivors may leave them feeling forced into the impossible decision of choosing between their health and safety. The good news is that immunization registries must have privacy protections built in, and knowing more about these protections will help survivors know how they can access vaccines while safeguarding their privacy.

The CDC requires that states and territories protect the privacy of all users of IIS. Each IIS must have a privacy policy and process that:

  • Details what information is stored, who has access to it, how it will be used, how long it will be stored, what a data breach is, and what the consequences are for such a breach;

  • Ensures participation is optional and voluntary; and

  • Requires that information stored within the system can only be used for its intended purpose.

If you are working with survivors who are concerned about how their private information is stored and shared within their immunization registry, you can visit the CDC’s list of immunization registries by state, choose the location of interest, then follow the link to explore the state/territory’s immunization registry website and learn what privacy protections are available. If you’re having trouble locating specific information in your state/territory, you can reach out to us at safetynet@nnedv.org to help identify the privacy rights and rules specific to your local immunization registry.


© 2021 National Network to End Domestic Violence, Safety Net Project. Supported by US DOJ-OVW Grant #2019-TA-AX-K003. Opinions, findings, and conclusions or recommendations expressed are the authors and do not necessarily represent the views of DOJ.

We update our materials frequently. Please visit TechSafety.org for the latest version of this and other materials.