Sec. 3. (a) Records maintained as part of the immunization data registry are confidential.
(b) The state department may release information from the immunization data registry to the individual or to the individual's parent or guardian if the individual is less than eighteen (18) years of age.
(c) Subject to subsection (d), the state department may release information in the immunization data registry concerning an individual to the following persons or entities:
(1) The immunization data registry of another state.
(2) A provider or a provider's designee.
(3) A local health department.
(4) An elementary or secondary school that is attended by the individual.
(5) A child care center that is licensed under IC 12-17.2-4 in which the individual is enrolled.
(6) A child care home that is licensed under IC 12-17.2-5 in which the individual is enrolled.
(7) A child care ministry that is registered under IC 12-17.2-6 in which the individual is enrolled.
(8) The office of Medicaid policy and planning or a contractor of the office of Medicaid policy and planning.
(9) A child placing agency licensed under IC 31-27.
(10) A college or university (as defined in IC 21-7-13-10) that is attended by the individual.
(11) An entity, including a private entity, for the purpose of outreach and education to increase immunization rates, if the following conditions are met:
(A) The entity provides the following written information to the state department:
(i) Information concerning the proposed outreach and education, including the information the entity needs from the immunization data registry.
(ii) How the entity intends to use the information.
(iii) The safeguards the entity will take to protect the identity of each individual whose records will be released.
(B) The state department determines the proposed safeguards are adequate to protect the identity of each individual whose records will be released.
(C) An agreement is executed between the state department and the entity that specifies the entity's permitted use of the records and prohibits the release of names of individuals or any facts that may lead to the identification of an individual.
(12) The United States Centers for Disease Control and Prevention.
(13) An Indiana nonprofit entity that performs health data services for health care providers, if the state department executes a data use agreement with the entity that specifies the permitted use and disclosure of any released information.
(d) Before immunization data may be released to a person or an entity, the person or entity must enter into a data use agreement with the state department that provides that information that identifies a patient will not be released to any other person or entity without the written consent of the patient unless the release is to a person or entity described in subsection (c).
(e) The state department may release summary statistics regarding information in the immunization data registry to a person or entity that has entered into a data use agreement with the state department.
As added by P.L.231-1999, SEC.14. Amended by P.L.135-2003, SEC.3; P.L.161-2009, SEC.2; P.L.122-2012, SEC.7; P.L.171-2014, SEC.10; P.L.96-2017, SEC.3; P.L.218-2019, SEC.6; P.L.130-2021, SEC.14.