§325-123  Confidentiality and content of registry records.  (a)  All immunization records and reports made for the purposes of this part that directly or indirectly identify a person shall be kept confidential and shall not be disclosed by any person unless:

     (1)  The person identified, the person's legal guardian, or in the case of a minor, the minor's parent or legal guardian consents;

     (2)  Disclosure is deemed necessary by the director of health to carry out this chapter;

     (3)  A court directs upon its determination that disclosure is necessary for the conduct of proceedings before it;

     (4)  The disclosure is made between the person's health care provider and payor to obtain reimbursement for services rendered to the person; provided that disclosure shall be made only if the provider informs the person that a reimbursement claim will be made to the person's payor, the person is afforded an opportunity to pay the reimbursement directly, and the person does not pay; or

     (5)  The department of health releases aggregate immunization information that does not disclose any identifying information of persons whose information is maintained in the registry.

     (b)  Registry information shall be limited to patient name, demographic information, and contact information; information specific to immunizations or medications received by the patient, including types, manufacturers, lot numbers, expiration dates, anatomical sites of administration, routes of administration, vaccine information statement publication dates, doses, dates administered, the patient's history of vaccine-preventable diseases, and contraindications, precautions, adverse reactions to, or comments regarding immunizations or medications; and the name and contact information of the vaccination administrator or medication provider and the patient's health care provider.

     (c)  The department of health shall adopt administrative, physical, and technical measures to ensure the security of the registry; protect the confidentiality, integrity, and availability of registry data; and prevent unauthorized access to registry information. [L 2010, c 113, pt of §1; am L 2012, c 275, §2]