AL Providers Illegally Accessed COVID-19 Immunization Registry

September 13, 2021 - Alabama Attorney General Steve Marshall released a statement warning healthcare providers to stop using the state’s COVID-19 immunization registry unlawfully to verify vaccination status for patients’ employers.

The state of Alabama’s immunization registry, known as ImmPRINT, provides the state with patient demographic data and has been used for years to avoid unnecessary vaccinations for patients, the statement explained.

The registry has few permitted uses and is governed by the Alabama State Board of Health.

“The Attorney General’s Office has received complaints from healthcare employees who believe their COVID-19 immunization status was obtained by their employers through the ImmPRINT registry for the purpose of verifying compliance with the employer’s immunization requirement,” Marshall said in the statement.

“In several of those cases, a shared employer specifically acknowledged accessing the state immunization database for this purpose. This privacy violation is unlawful.”

Marshall’s office sent a cease and desist notice to an unnamed employer calling on them to stop the illegal activity. The Alabama Department of Public Health has similarly warned that it is “inappropriate for any employer to use the ImmPRINT system to verify the COVID-19 vaccination status of an employee and that using the immunization registry in this manner will result in immediate termination of database access,” the statement continued.

The Alabama Department of Public Health’s official “Exchange of Immunization Information and Operation of the Alabama Immunization Registry” document explains that immunization data can only be shared with “individuals and entities with a legitimate need to know immunization data.”

The entities include public and private healthcare providers, insurers, managed care organizations, the Alabama Medicaid Agency, officials at daycare centers, schools, and post-secondary educational institutations, and other state and federal immunization registries.

If healthcare entities fail to cease the illegal practice, each day of violation will count as a separate legal offense and the providers will be barred from accessing the ImmPRINT registry.

“The Attorney General’s Office does not dispute the seriousness of the pandemic in Alabama,” the statement concluded.

“This statement merely reflects the Office’s interpretation of relevant state law.”

Vaccine mandates have put many healthcare employers in a sticky situation with employees who are reluctant to get the vaccine. Some healthcare leaders are concerned that healthcare worker vaccine mandates could fuel hospital staffing shortages.

In addition, employees across all sectors continue to cite HIPAA as a reason to keep their vaccination status private. Despite common misconceptions, the HIPAA Privacy Rule was created with the goal of helping individuals maintain health insurance should they lose their jobs.

The rule has continuously evolved over the past 25 years to account for the increasing popularity of EHRs. HIPAA rules ensure that providers cannot share protected health information (PHI) with family members, friends, or the public without written consent. But the rule only applies to covered entities such as healthcare providers.

Gyms, restaurants, life insurers, most law enforcement agencies, most schools, and employers are not required to follow HIPAA rules. Individuals may choose not to answer these questions, but employers are legally allowed to ask about vaccination status.