MIIC DUA Attestation

Use this form to complete and submit a MIIC Data Use Agreement on behalf of your organization. You can view a PDF copy of agreement before starting this form. 

You may be asked for organizational identifiers and/or information about your organization's privacy and security practices. At any time, you can save and leave the Agreement and return at a later time once you have the necessary information. Learn about this functionality at Completing the MIIC Data Use Agreement (state.mn.us). 

Information you may need in order to complete the agreement:

• Out-of-state organizations must have a provider that holds a Minnesota license. Provider name and MN license number required.
• DHS license and/or certification number
• NPI
• MDH Health Facility ID (HFID)
• Pharmacy license
• Identified MIIC contacts

At any point you can utilize the 'Save & Return Later' functionality using the button at the bottom of the screen.

Facilities Spreadsheet Template
Select the link below to download the facilities spreadsheet template. List all the facilities that the agreement covers on the spreadsheet template. Use the "Instructions" tab of the template for assistance. Do not complete this spreadsheet if ______ does not have the authority to sign legal agreements on behalf of the facilities you wish to include. 

Save a copy of the completed facilities spreadsheet as you will need to upload it to this agreement before submission. 

If this is a renewal and you have 20 or more facilities, please click Save & Return at the bottom of the screen and contact the MIIC Help Desk at health.miichelp@state.mn.us to request a copy of the most recent facilities spreadsheet we have on file. Include your organization code with your request.

Any facility located outside the state of Minnesota must have a MN-licensed provider (and a valid MN license number) listed on the Facility Identifers tab in the facilities spreadsheet. 

Organizations that fall outside of Minnesota must have a Minnesota-licensed medical professional working on-site to participate in MIIC. Please list the name and Minnesota Provider License Number of one individual at your organization who is licensed in Minnesota. 

Note: If no one at your organization is licensed in Minnesota, your organization cannot participate in MIIC. However, you can still request records for your client through an online form at *insert link to that redcap program*

The organization is responsible for adhering to the following provisions:

Allowable Uses of MIIC Information:

• Assess an individual's immunization status in order to determine needed immunization
• Issue reminder notices to individuals due or recommended for immunizations and recall notices to individuals past due for immunizations
• Notify an individual of a vaccine-preventable disease outbreak that may affect them
• Produce individual immunization reports for school admission, childcare enrollment, or other processes that require an immunization history
• Notify an individual of any vaccine recalls
• Prepare summary reports without personally identifiable information
• Facilitate the ordering and management of state-supplied vaccine

The organization is responsible for adhering to the following provisions:

Participating in MIIC

• Access, provide and share immunization data only as allowed by the Minnesota Immunization Data Sharing Law (Minn. Stat. §144.3351). If the Organization is a health care entity that provides services to patients, at least one provider at each facility within the Organization must be licensed in Minnesota. 
• Designate an Administrator for MIIC who is responsible for establishing and overseeing individual user accounts within the Organization. Each Organization will advise their MIIC representative of the designation of its Administrator and any changes made to that designation. 
• Ensure that Current facilities and facilities that later become part of the Organization adhere to all provisions in this Agreement. When new facilities are added to the Organization, notify the MIIC Help Desk within one week. 

The organization is responsible for adhering to the following provisions:

Requirements for Participating in MIIC

• Prominently display and/or distribute informational materials about MIIC that notify individuals of their option to not participate. If a client wants to opt out of MIIC, refer the client to these materials. The decision of whether or not to participate in MIIC and the decision of whether or not to vaccinate are separate and distinct decisions to be made by the individual in consultation with their health care provider. No individual will be penalized for choosing to not participate in MIIC. 
• Data reported to MIIC must be associated with the physical site that administered and/or recorded the immunization. 
• Make a good faith effort to provide complete and accurate immunization information to MIIC within one week of acquiring the information. 
• Ensure that users do not enter inaccurate data, or falsify data currently in MIIC, neither knowingly nor negligently. 
• Resolve data discrepancies and update the demographic and/or  immunization information on individuals as needed in conjunction with MIIC representatives. 
• Ensure that immunization information is not reported to MIIC on those individuals who have indicated to the Organization their desire to opt out of MIIC. 
• Ensure that third party entities used by the Organization to help access, aggregate, and/or transport immunization data to/from MIIC will also abide by the terms of this Agreement. The terms must be included in the contract with the third party entity. 
• Ensure any third parties covered in number seven above do not enter into any further agreements related to MIIC, including a Business Associate Agreement (BAA), without prior authorization by the MIIC manager.
• Ensure that queries and updates sent to MIIC originate from facilities covered under this Agreement. Facilities should only query for their clients who received health care in Minnesota and/or may have immunization information in MIIC. 
• Ensure that individuals may request access to their immunization record in MIIC through any authorized user. The individual fulfilling the request must make a good faith effort to ensure the person requesting the record has lawful access pursuant to Minn. Stat. §144.3351 and §144.292.
• Ensure that printed reports from MIIC on individuals that go to another Organization authorized to receive immunization information will not contain sensitive information, such as insurance status or mother's name. No demographic information will be disclosed from MIIC to any other government or private entity, except for the allowable uses described above. All requests for data not covered by Minn. Stat. §144.3351 and this Agreement must be referred to MDH's MIIC Manager immediately.

The organization is responsible for adhering to the following provisions:

Ensuring MIIC Data Privacy and Security

• Take appropriate steps to ensure that assigned login names and passwords are not available to those not authorized to use MIIC. Ensure that login names and passwords are not shared among users; each user must have a unique login name and password. 
• If the Organization accesses MIIC client immunization history and forecasting via an Electronic Health Record (EHR)-embedded link or via a bulk query process, the Organization must have the ability to look into user activity and determine the user if requested by MDH.
• All authorized users must maintain the privacy of any individually identifiable information contained in MIIC, in accordance with Statutes, Sections §144.291-144.293 and §144.3351. Users are only authorized to use immunization information from MIIC based on §144.3351, as specified above under "Allowable Uses of MIIC Information."
• Take appropriate steps to ensure no individual's information is released through unintentional or accidental disclosure.
• Report immediately to MDH MIIC staff any privacy incident regarding the private or confidential data of which the user becomes aware. For purposes of this Agreement, "privacy incident" means violation of the Minnesota Government Data Practices Act (Minn. Stat. §13.3805) or the Minnesota Immunization Data Sharing Law (Minn. Stat. §144.3351). This includes, but is not limited to, "improper and/or unauthorized use or disclosure of not public information, improper or unauthorized access to or alteration of data, and incidents in which the confidentiality of the information maintained by the user has been breached." The user will ensure that any employee using MIIC agrees to be bound by the same restriction.
• A privacy incident will have occurred when information from MIIC is disclosed for any purpose other than those described in §144.3351, or as otherwise authorized by law. This pertains to both the demographic and immunization information in MIIC, and to release of information in any medium, including electronic, written, or oral. 
• Login names and passwords will not be shared among users; each user must have a unique login name and password. 
• Password-protected screen savers will be active on every workstation that is used to access MIIC. 
• Users' accounts will be inactivated, and any currently active sessions terminated within one business day of voluntary employment termination or transfer. In cases of involuntary termination, the person's account must be inactivated prior to notifying the employee of the termination. 
• Ensure that no personal devices, only work devices, are used to access MIIC. 
• Ensure that any system used to access MIIC is up to date on all software patches and updates. 
• Ensure that, when used, all wireless internet connections are authenticated. **
• Any digital or physical data from the MIIC system should have appropriate security controls in place to safeguard data. 
• Securely destroy any hard copies of information created from MIIC.