Medical Surveillance from Womb to Tomb: Colorado Immunization Information System (CIIS)

Each piece of legislation regarding vaccination tracking was the camel’s nose under the tent. The camel is now in the tent and the danger to our medical freedoms is in full sight. In her essay From Womb to Tomb: Colorado Immunization Information System (CIIS), author Pam Long explains ten points that each of us should be concerned about. Pam notes that we must actively address these issues.

In 2016, when questioned regarding HB16-1164 why CIIS is an “opt-out” database, Rep. Dan Pabon responded, “Because no one would opt-in.”

The Colorado Immunization Information System (CIIS) tracks vaccine uptake on individuals. It is promoted as a service to public health. In the pattern of growing government in incremental ways that ultimately threaten freedom, CIIS has expanded over the years from a grant program to track infants up to age 24 months in rural and remote areas for vaccine accessibility (1992 HB1208), to a federally funded system that tracks all children (2001 HB1134) and adults (2007 HB1347) from birth to death, with a 2030 goal to link vaccine compliance verification to REAL ID. This essay summarizes ten alarming details in CIIS that require consumer protections. Even if a person receives every recommended vaccine and booster, this tracking system will soon have the capability of blocking access to work, school, travel, and medical facilities for those inaccurately reported in non-compliance.

1: Opt-out system instead of opt-in

Doctors and nurses are not required to tell parents that their child’s immunization records are added to the state immunization registry named CIIS. Records are added to the registry at creation of the birth certificate, when vaccines are given, and at schools and daycares when records are collected. It is an opt-out system, meaning a parent must have knowledge that the registry exists and of their opt-out rights.

When consent is required prior to government access, people usually choose privacy when given a choice. According to Patient Privacy and Public Trust: How Health Surveillance Systems Are Undermining Both, research indicates that most parents reject inclusion in health databases. For example, EUROCAT, a network of population-based registries of congenital anomalies (birth defects) in Europe, conducted a survey on registries implementation of informed consent. One registry reported a drop in its participation rate, noting that it had received “less than 10 written consents in the entire year in which opt-in consent was instituted.” This compared with 249 people added to the registry the year before it integrated consent. As a result, the registry eventually dropped the consent requirement (opt-in) and offered a dissent option (opt-out). In short, when people refused to cooperate of their own volition, the registry forced them in.

Currently, there is no true opt-out for CIIS. Lynn Trefren at CDPHE explained the secondary database that retains records of those who opt-out, “All information about an opted-out individual is purged from the CIIS database except first name, last name, gender, date of birth, city, county, state and zip code.”

2: Data security audit concerns

A 2017 audit of CDPHE’s three information systems reported five security concerns in their findings. First, the three CDPHE information systems did not comply with multiple Colorado Information Security Policy (CISP) and Office of Information Technology (OIT) Cyber Policy requirements and did not comply with several best practice recommendations. Second, security controls implemented for these three systems did not comply with all state policy requirements. Security controls need to be remediated to ensure the protection of the confidentiality, integrity, and availability of these systems and the data they maintain. Third, the audit identified data control weaknesses indicating OIT was not fully compliant with some requirements. Fourth, CDPHE IT policies were out of date. Twenty two of the sample of twenty four CDPHE agency-wide IT policies examined had not been reviewed or updated by CDPHE management in over one year and did not include current CISP and OIT Cyber Policy requirements. Fifth, the audit identified Information System Security Software control weaknesses indicating OIT was not fully compliant with some requirements related to system security plans.

3: Inaccuracy costs taxpayers millions of dollars

The CIIS system has a primary function as an inventory and product re-ordering system for vaccine providers. CIIS costs Coloradans $1.5 million per year. Taxpayers are supporting a highly profitable vaccine industry database. No other for-profit industry has a state funded record keeping system.

Colorado could reduce the CIIS expense by utilizing the more accurate Electronic Health Records (EHRs) data. First, the accuracy of CIIS is negatively impacted by duplicate and fragmented records. Second, there is no process in CIIS to inactivate people who have moved on, gone elsewhere (MOGE). Third, according to CDPHE on CIIS accuracy, “Most counties do not have all providers reporting to CIIS, so it is likely that the immunization rates generated out of CIIS underestimate the actual county rates.” The national standard for validity is 85% of state providers reporting to IIS systems, and Colorado reported to the CDC (2012) only 41% of private providers, 66% of public providers, and 76% of government providers reported to CIIS.

Finally, schools and daycares are required to report more accurate infectious disease data with currently enrolled students in accordance with Colorado regulations. In 2013 the Citizens’ Council for Health Freedom noted, “Data in the vaccination registry only agreed with the child’s medical record data in 59 percent of cases examined.”

4: Data sharing for profit

Public health officials often deflect privacy concerns using terms such as “HIPAA compliant” and “confidential” when referring to databases like CIIS. HIPAA notice is a permission slip for the government to disclose medical information without transparency. CIIS allows sharing of data without knowledge or consent of individuals. Furthermore, CIIS is not capable of maintaining “confidentiality” when defined as privacy between the doctor and patient.

CIIS shares vaccine records to paid subscribers in CORHIO, Colorado’s Health Information Exchange. According to CDPHE, CIIS also shares data with the following agencies:  Medicaid, HCPF, WIC, Refugee Health, Child Fatality Prevention System, and Vaccines for Children. Additionally, CDPHE shares CIIS data with a long list of undisclosed persons with no requirements in law which prohibit sharing Personally Identifying Information (PII) or limit records for people granted full access:

  • The individual’s healthcare provider
  • A school, childcare center or university where the individual is enrolled
  • A managed care organization or health insurer where the individual is enrolled
  • Hospitals
  • Persons or entities who have an agreement or research contract with the state for immunizations
  • To the extent necessary for the treatment, control, investigation, and prevention of vaccine preventable diseases in the minimum amount necessary

Furthermore, HB14-1288 required in section 25-4-910. “The Department of Public Health and Environment, in consultation with other state departments, shall establish a joint policy on immunization data collection and sharing.” However, this requirement in statute has never been completed by CDPHE.

5: Recall & reaction functions never utilized for public safety

CIIS has underutilized functions to identify patients and providers who received a recalled vaccine. Public Safety notifications have never been utilized for the Rotavirus vaccine recall (1999) or other identified hot lots, contaminated vials, or vaccines demonstrating vaccine failure. CIIS also has functions for training, access, and support for investigating reactions within the Vaccine Adverse Reactions System (VAERS). It is likely that financial incentives for providers to upload records of product sales to CIIS are in direct conflict with reporting product recalls or reactions to the public.

Contrary to public perception, the FDA is not a watchdog of the health and hygiene products. As reported in 2019 Special Report: Powder Keg – FDA bowed to industry for decades as alarms were sounded over talc, “Over the past 50 years, the FDA has relied upon – and often deferred to – industry even as outside experts and consumers repeatedly raised serious health concerns about talc powders and cosmetics, a Reuters investigation found.” A criminal investigation and $5 billion in jury verdicts against Johnson & Johnson (J&J) found carcinogenic asbestos in 11 talc-based products, including Johnson’s Baby Powder, first detected in 1971. J&J recalled 33,000 bottles, voluntarily. The FDA’s written report stated it has no power to ensure product safety nor can it force companies to recall products when potential hazards are discovered. “We are dependent on manufacturers to take steps to ensure the safety of their products,” the FDA said.

Likewise, the judicial system is not a watchdog of the vaccine industry, as the US shields vaccine manufacturers from liability. According to Big Pharma and Big Profits: The Multibillion Dollar Vaccine Market, “Vaccines are the only products in the U.S. that do not have liability. You cannot sue for injuries or death. But that is only in the U.S. Around the world, there are lawsuits because of serious injuries and deaths from vaccines. In Spain over Gardasil. In Japan over Gardasil. The flu shot was taken off the market for under five in Australia after deaths and injury. Prevnar was banned in China. Pfizer’s vaccination program was kicked out of the country. France just pulled Rotavirus off their schedule after infant deaths and injuries.”

6: Coercion

CIIS uses the data to activate reminder-recall-home visit programs to increase vaccine uptake. If a parent opts a child out of a vaccine, such as the controversial HPV vaccine for a sexually transmitted disease, the parent could be harassed by the state for their choice for their child, to include a home visit.

According to Vaccination Programs: Home Visits to Increase Vaccination Rates, home visitors assess clients’ vaccination status, discuss the importance of recommended vaccinations, and either provide vaccinations to clients in their homes or refer them to other services. Home visits may be conducted by vaccination providers (e.g., nurses) or others (e.g., social workers, community health workers). Interventions may be directed to everyone in a designated population (e.g., low-income single mothers), or to those who have not responded to other intervention efforts, such as client reminder and recall systems.

When does medical surveillance become coercion? According to Citizens’ Council for Health Freedom, “Concerns have included: the collection and use of the data by health officials; the creation of lists of those who refuse vaccinations; the use of clinic vaccination rates to score the performance of doctors; the use of such scores to financially penalize doctors; and the potential refusal of health plans to cover an unvaccinated or under-vaccinated individual.”

7: Data mining for targeting populations

According to a 2019 CDPHE briefing titled “Immunizations, exemptions, and vaccine hesitancy,” CIIS contains the records of 6.1 million people, 91% of Coloradans, from 1468 medical practices. The primary use of the data is to calculate immunization rates for each vaccine to meet the CDC’s 95% goals which result in federal funds for CDPHE. The data fields also include insurance source, medical home information, school enrollment, language, and employment information (despite employment information not authorized in statute).

The data is utilized in “targeting interventions.” Populations targeted for vaccine uptake are Latinos, Medicaid clients, and pregnant women. Infants ages 9-35 months are targeted for vaccine uptake reminders. Anyone eligible for the HPV vaccine is also targeted.

It is noteworthy that all eight brands of influenza vaccines have a similarly worded warning that vaccine safety has not been studied in pregnant populations. For example, “Available data with Fluzone Quadrivalent use in pregnant women is insufficient to inform vaccine-associated risk of adverse developmental outcomes.” These product warnings do not stop public health from using CIIS to target pregnant women for vaccine uptake, nor does the provided mailer information include the product contraindications. The entire system is based on increasing customers.

8: Circumventing FERPA since SB163 in 2020

Schools are required to protect the privacy of vaccine records as part of all student records under the federal law of FERPA, so an automated system like CIIS to collect immunization records from the schools was postured to violate federal law by phishing for private medical information. FERPA requires that schools and daycares can only release student records if parents have given prior written consent for the specific record and to the specific agency.

In 2016, CDPHE implemented a new online vaccine exemption form for schools that feeds PII directly into CIIS. However, Colorado statute only required a parent to submit a “statement of exemption” to the school. Statute did not require that a parent submit a form to the state for inclusion in a registry. CDPHE did not have authority in statute, nor did it follow the public rule making process to implement the new state exemption form. CDPHE spent years trying to implement the illegal state forms before finally introducing legislation during the pandemic lockdowns.

In 2020, during an unprecedented Sunday hearing at the Capitol, thousands of people protested SB20-163, a bill that included many controversial provisions. It created a Colorado vaccine exemption form that uploads to CIIS and a re-education module for any person who chooses a medical, religious, or personal belief exemption to any vaccine. Doctors who sign these medical exemption forms uploaded in CIIS are scrutinized and often subject to investigation for using their medical judgment.

9: CDC interface for future federal registry

CIIS creates a targeted population registry at the state level that interfaces with the CDC’s Vaccine and Tracking System at the federal level. According to the IIS Strategic Plan Executive Summary from the CDC, the end goal is “Real time, consolidated immunization data and services for all ages are available for authorized clinical, administrative, and public health users, and consumers, anytime and anywhere.” CIIS records are the source data for any proposed form of a vaccine passport.

The CDC uses financial incentives to recruit providers to report records electronically to CIIS and CORHIO, and each entry results in reward points which are cashed in for undisclosed dollar amounts. The CDC’s $1.5 Billion EHR Incentive Program renamed “Promoting Interoperability” to hide the financial incentives and portray the benefits of electronic records pays the Colorado AAP and Colorado AAFP providers.

10: Lack of evidence of public health benefit

The state is required to implement evidence-based programs. Research does NOT support that CIIS improves public health for its million-dollar annual expense. A 2015 Economic Review of IIS (Patel et al) found no actual benefit to public health measured by reduced morbidity and mortality, at the cost of $7 million over five years to the state. A 2015 Systematic Review of IIS (Groom et al) found that IIS had no performance measures or deliverables for public health, and practices using IIS did not have significantly higher vaccination rates than those practices not using an IIS.

In conclusion, the strength of CIIS is that it serves vaccine providers with highly individualized data for targeted sales, inventory, reordering. It is supported by vaccine providers and 80 medical association lobbyists in Colorado. However, CIIS has no consumer protections for the public. The weakness of CIIS is that it costs millions of dollars annually for redundant data collected in EHRs and at schools with better accuracy and privacy. CIIS is a security threat to sensitive data as ransomware targets centralized healthcare databases for millions of dollars. CIIS is also a threat to freedom with interventions for targeting people and coercion for vaccine uptake.



6 Responses

  1. Thanks Pam for all the specificity and details. And thanks too for “not” using the term “Latinx” which I hate. Spanish specifically makes nouns masculine or feminine (and uses the generic masculine for individuals of either sex). Knowing that there is ethnic targeting going on leads to “passing” rather than helping someone meet their nefarious diversity goals.

    As a parent of an adult child with severe DD who lives at home and attends an adult day program, and also a veteran of the SPED wars when our child was attending Public School, I’m appalled by the FERPA violations you lay out. I was a CNA for many years (just for my child) and quit a couple of years before the COVID nonsense when I saw the writing on the wall. I was ambivalent about flu shots and used to take them for work. At some point, I decided to no longer submit, and work would have me sign a form saying I “decline” the “free” flu shot each year. The last year I worked as a CNA, the form I had to sign said I “refuse”. The next red flag for me was that at a certain date we would all have to begin using contemporaneous (at the time individual tasks were performed) electronic medical records as opposed to turning in flow sheets for tasks performed at the end of each week… (Of course, we are still performing all the personal self-care tasks for our child – for free now – and are fortunate to financially be able to do so, although many are not so lucky. We do “not” claim our child as a dependent on our income tax, although we were able to claim the modifications on a wheelchair van as a medical expense. We have a guardianship for our child and preventatively put it into our last guardianship report – filed with the court and delivered to medical and adult day care providers – that we sought and obtained a religious exemption from COVID vaccination for our adult disabled child. We asked the UC Health doc for a medical exemption as well, which he declined to provide, although he said under his breath that he didn’t think everyone should have to take the vaccine.)

    A little OT Pam, but I “read only – not registered” on twitter, and would also like to add that I appreciate your comments there on insect venom allergies. Very interesting to me since I’m allergic to mosquito bites as well as certain plants and have carried generic Benadryl with me for years, and have topical Benadryl for same as well. I don’t have severe seasonal respiratory allergies, but I have found serendipitously that children’s Benadryl in liquid form works well for those, as well as for cold/flu symptoms. We are pretty sure that COVID made the rounds at our house, but every person’s symptoms were different, although we kept low profile and did not test. We doubled up on our supplements (C, D, zinc, “I”…), kept a low profile, and made it through, thank God. Among other symptoms, I felt like I had a gorilla sitting on my chest (pressure more than respiratory distress) and could hardly get out of bed to use the bathroom, as well as the most excruciating headaches…

    Finally, thanks as well for the comments on Greg Lopez which I have shared with friends.

  2. Dear Pam,

    This is a very interesting article on CIIS. I also read your article on the closed, private meetings between Board of Health Executive Directors. We are a newly formed small group seeking legal action and “sunshine” on these issues in the Boulder area. Would you be open to talking to us about what you know regarding the closed meetings?

    We have submitted a CORA to our local government related to the closed meetings but are receiving some pushback.

    If you could contact our group, we would really appreciate it!! We can be contacted via mafaboulder at protonmail dot com. Apologies for the clunky approach to contact you. I would deeply appreciate a note even if you aren’t interested, otherwise I may assume that I haven’t reached you and may attempt other modes of contact.


Leave a Reply

Your email address will not be published. Required fields are marked *

Table of Contents

colorado conservative values kim monson

Sign up for The Kim Monson Show newsletter.

Every Sunday you’ll get our upcoming week’s schedule, links to Kim’s latest podcasts, feature articles on the important political and social issues facing Coloradans. You’ll also be the first to hear about exclusive events and offers from Kim and her partners.