Close this search box.

ImmTrac: Privacy Vs. Policy

At Texans for Vaccine Choice, we take our job of protecting the liberties of all Texans very seriously. It is our goal to make sure you are fully informed of all vaccine choice and informed consent related issues we are faced with this session.

For most bills this session, the reason for our opposition or support may be very obvious, but for others it may be less so. A good example of the latter would be HB 243 by Representative Donna Howard, and its partner in the Senate, SB 54 by Senator Judith Zaffirini.

HB 243 and SB 54 both deal with our state’s online immunization registry known as ImmTrac. ImmTrac is currently what is known as a “voluntary inclusion” or opt-in system. This means that your written consent is required by law for your information to be included in this government-run immunization tracking system. The goals of HB 243 and SB 54 are to switch to a “voluntary exclusion” or opt-out system. This would mean that the inclusion of your and your children’s immunization records (and birthdays, addresses, social security numbers, etc.) would happen automatically — without your written consent. If you do not wish to be included in the ImmTrac system, it is up to you to take the necessary steps to opt-out and to ensure your information is, in fact, removed. Sounds less than ideal, right? We’ve only scratched the surface.

Before we get down and dirty with the nitty-gritty details, let’s cover a few basics.

What is ImmTrac?

ImmTrac is an online database that stores and tracks its participants’ immunization records and other personal information. The Texas Department of State Health Services is in charge of overseeing the operations associated with the use of ImmTrac. ImmTrac is marketed to state residents as a convenient way to keep track of vaccination history in one location that is easily accessible by any person or organization that would need that information. It is marketed quite differently — I would argue more honestly — to “immunization stakeholders” as a “major component of the DSHS initiative to increase vaccine coverage across the state.” All of the data currently in ImmTrac will be rolled over to a new system called ImmTrac2 this coming April.

If I am in the ImmTrac system, what personal information of mine is stored on the database?

If you are currently in the ImmTrac system, the information stored under your first, middle, and last name can include:
– your home address
– your phone number
– your date of birth
– your gender
– your race
– your medicaid number (if applicable)
– your social security number
– your immunization history
– your “AIM” file (this tracks any disaster-related antivirals, immunizations, or medications you have received or will ever receive)
– if you are a first responder or immediate family of a first responder, there is a separate section labeled “Preparedness” where additional information may be stored.

If your child is in the system, all of the information above would be included for them in addition to the optional inclusion of their mother’s full name (including maiden name) as well as the father’s full name. In researching the data that is supposed to be stored in this system, only ONE source was found that quietly mentioned that any adverse reaction after vaccination is also to be noted. Far too many of us are aware of the slim likelihood of that occurring. There are several ImmTrac instructional videos, but none of them addressed how to enter an adverse reaction.


Interestingly, Representative Donna Howard seems to be under the impression that the only information that is recorded in the ImmTrac system is your name, date of birth, and your immunizations. What is worse, THIS IS WHAT SHE IS TELLING HER FELLOW LEGISLATORS. She even specifically states that social security numbers are not included in the registry. To hear it for yourself, listen to the short video clip below from March 2015 when Representative Howard was presenting opt-out legislation similar to HB 243 to the Public Health Committee.


For what purpose is all of my personal information stored?

The answer to that question depends on who is asking. If you are asking as a patient and consumer, the answer would be:
To provide you with a secure, convenient location for storing your immunization records. No more inconvenient papers to keep up with! The system notifies your doctor or local health department of any upcoming immunizations for which you are due and gives them the opportunity to send you handy reminders via mail, phone, or personal contact!

If you are asking as a public health policy maker, a healthcare provider, an insurance company, or a vaccine manufacturer, the answer is more along the lines of:
“IIS (Immunization Information Systems) are recommended as a best practice model by the Community Preventive Services Task Force because of their proven effectiveness to improve vaccination coverage … determine client vaccination status, guide public health responses to outbreaks of disease, inform vaccination coverage assessments, and facilitate vaccine management.”

Or maybe:
“In the case of an outbreak, public health officials can use a robust immunization registry to efficiently assess immunization coverage, identify pockets of under-vaccinated populations, and further prevent the spread of disease … to immunize those at risk, and to contain the outbreak.”

Or even:
“The Texas Department of State Health Services will be able to identify areas in Texas with low immunization rates and target those communities with special outreach projects….”

Translation: Tracking the vaccination status of Texas citizens allows more opportunities to increase vaccine uptake per individual. Individuals can be contacted as often as government officials want, in as many ways as they see fit, to remind them to come get their shots. Personal data can also be used to generate vaccine coverage reports in order to identify areas with lower vaccination rates that can then be targeted for “special outreach projects.”

Who has access to my personal information via ImmTrac?

According to Texas Law, the following persons/entities may legally access your personal information stored in the ImmTrac system:

– Texas public health district or local health department (to use the data for “internal public health research”)
– Any healthcare provider
– Any school or childcare facility
– Insurance companies
– Any state agency having legal custody of a child can access that child’s electronic health records
– The agencies of another state if it is determined you have re-located to that state during a natural disaster

Numbers from 2014 indicate that over 120,000,000 records were being stored and accessed by over 10,000 sites across the state. A “site” can be a doctor’s office, a school, a daycare facility, etc.

There are often multiple authorized users at one site. Each authorized user is issued a username and password by The Department of State Health Services and is able to access the ImmTrac system through the ImmTrac website. DSHS does not limit the number of individuals at one site who can become authorized users.

The site administrator (the person declared to be “in charge” at each site) is responsible for ensuring that each user in their facility is trained in proper privacy practices in regards to accessing and using our personal information. However, no reference was found in regard to DSHS audits or oversight where privacy and security are concerned, meaning each site is self-policing. If any user is caught improperly accessing or using your personal information, it is a Class A misdemeanor (if DSHS is alerted to the issue), but the only consequence is that the user is no longer allowed access to ImmTrac.

This is all despite the National Vaccine Advisory Committee’s recommendation that “registry developers should limit access to registry information and maintain audit trails to monitor records access. Each person should have access to his or her own records and to audit trails.” The only mention of an audit in relation to ImmTrac was DSHS requiring all sites to agree to make records available to DSHS should they ever want to audit record accuracy. As mentioned above, misuse of ImmTrac data is listed as a Class A misdemeanor, but without any oversight or security auditing, who is enforcing that?

How can I find out if my or my children’s information is included in the registry?

You can contact The Department of State Health Services to determine if you or your children are currently included in the ImmTrac system. You can request copies of immunization records or sign up to be included in ImmTrac here:

How do I remove myself or my children from the registry?

You can find the steps to remove you or your children from the registry on our FAQ page.

Now for everyone’s favorite part: The Nitty-Gritty.

Why the push to move from the current opt-in system requiring your explicit consent to an opt-out system where your consent to participate would be assumed and implied? The desire to increase vaccination rates across all age ranges and demographics would be one of the more prominent reasons, but there are a few others.

Medicare and Medicaid Electronic Health Record Incentive Programs offer financial incentives to providers who demonstrate “meaningful use” when it comes to implementing the use of EHR systems (such as ImmTrac) in their practices. In 2016, Texas ranked second (behind California, interestingly enough) in EHR payouts, receiving just under $2.5 billion in incentive money. There’s big money in tracking you.


An often-cited reason for moving from our current opt-in system to the opt-out system is cost. A study published in 2010 claims that the estimated cost of the opt-in system is $2.64 per person, whereas the cost of an opt-out system would be $.29 per person. These are numbers that the study authors developed by estimating the amount of time involved in obtaining consent and educating Texas citizens about the ImmTrac system (which is supposed to be done at every available opportunity) and applying a monetary value to that time, versus the time it would take to complete the opt-out process for an individual (which is supposed to be a one-time event).

Problems with this conclusion:
– No details given on the time estimated for either option, so accuracy cannot be assessed.
– No details given on the dollar amount assumed for either option, so accuracy cannot be assessed.
– According to HB 243, when using the opt-out system, the option to opt out of the registry would be required to be presented at the time an immunization is given. How is this time less costly than the time spent doing the exact opposite (presenting opportunity to opt in) in the current system? Maybe because they know the presenting of the option to opt-out will not be done as vigorously. Why would it be when client participation in the registry is so financially lucrative (see graph above)?
– This study was conducted by people with serious conflicts of interest. Each author would gain financially or professionally from the switch, either from the increased participation in ImmTrac brought on by the opt-out system (see graph above) or by the increased vaccination rates that would supposedly result from ImmTrac being populated with more data.
– Opting out is supposed to be a one-time event under our current system as well. However, TFVC has many documented stories of our members NOT being removed after making multiple requests, filling out forms, making phone calls, etc. What is the cost associated with these scenarios, and what steps are being taken to ensure this would not be the case in an opt-out system?
– TFVC also has many documented stories of our members or their children being added to the registry despite NEVER giving consent! If it is so costly to opt people in, shouldn’t we be more focused on NOT including those who do not wish to be included? What a waste of taxpayer money and government resources!
– According to their own data, the total estimated annual cost of the current opt-in system is $1.39 million, or 1/1000th of 1% of the total expenditures of the State of Texas for 2015. Even if this amount were reduced to zero, it would not have any noticeable or meaningful impact. Furthermore, a sizeable portion of this estimated amount is either in the form of indirect costs or is borne by private entities.

This study is a pretty good indicator of the value these individuals place on your privacy and informed consent. If there was ever a good way to spend money and resources, protecting the rights and privacy of Texas citizens would be one of them! They seem to disagree.

There are a few more factors that contribute to our opposition to these bills:

– There is no penalty specified for not removing an individual after they have made their opt out request.
– There is no penalty specified for not informing an individual of their right to opt out.
– The Texas Supreme Court has stated that Texans’ right to privacy “shall only yield when government can demonstrate that an intrusion is reasonably warranted.…”
– TFVC believes that it is prudent to err on the side of citizen privacy with the current opt-in system.
The CDC recommends that, “in communities where explicit consent is preferred, the opting in or informed consent approach should be offered.”
– An opt-out system sets up the opportunity for tracking all individuals that have requested to opt-out. Under the current system, you can anonymously decline to participate.
– An opt-out system does nothing to improve quality of or accuracy of data (see photo below).


Doctors have many concerns about the accuracy and relevancy of the ImmTrac system. A recent article written by Dr. Don R. Read, President of the Texas Medical Association, focuses on the huge administrative burden that comes with electronic health reporting systems and how that negatively affects the doctor-patient relationship. He points to a 2016 study which found that only 27% of physicians’ time is spent in valuable face-to-face time with patients, while 49% of their time is held captive by entering data into required electronic health records.

Growing state and federal government regulations and insurance company mandates directly impact the practice of medicine. Doctors are left frustrated and with our hands tied as we try to adhere to new compliance models, many of which were designed by people who have never set foot in an exam room. Most of these models have the unintended impact of reducing the time we can spend with our patients,” says Dr. Read.

Going back as far as 2007, there are recurring reports of physicians voicing their dissatisfaction with ImmTrac:
– “It would really help if there was reliable customer service at ImmTrac. They are understaffed, and my experience has been that they are unwilling or unable to address important problems like provider upload problems.
– “Only 33 percent of survey respondents who use ImmTrac agreed that “patient immunization information is usually complete and up-to-date.”
– “ImmTrac is often inaccurate – the same dose of vaccine will be entered into the system multiple times, making it look as if the child has had more vaccine doses than he’s really had.”
– “At every town hall meeting, participants expressed frustration with the burden of data entry.”

With all of the administrative burdens, inaccuracies, and lack of usability, one wonders why this system is even still in use. Instead of seeking to populate the system with the private information of more Texas citizens, perhaps state funds would be better spent auditing current ImmTrac practices and re-assessing relevancy.

TFVC believes that every Texan has the right to maintain control over their personal information. With secured websites frequently experiencing security breaches and identity theft being a commonplace occurrence, consent to store your personal and sensitive information should never be considered an unnecessary burden. Our goal is not to limit access to ImmTrac, but rather to have FULL INFORMED CONSENT. Our current opt-in, explicit consent system helps to ensure that only those who wish to participate will be included.

Our motive is your safety and liberty. What is theirs?

4 thoughts on “ImmTrac: Privacy Vs. Policy”

  1. Holly VanSchaik

    I just visited a pharmacy and attempted to get a flu vaccine for myself and my minor child. I do not wish to participate in IMMTRAC . After much waiting , being told I had to fill out the IMMTRAC consent form in order to get the vaccines, filling out said papers but writing all over them I DO NOT CONSENT….I was told the pharmacy CANNOT give us the vaccines if we do not consent to IMMTRAC!!!! What?!?!? It says right on the form or is supposed to be voluntary. They told me with their computer company is HAS to be entered, I can only opt out later when they send me a form by mail. Meanwhile, they still have all my info in their system including my mother’s maiden name. What’s the deal?!?!?!

  2. We checked the deny box on the immtrac form to opt out…however a few weeks later we got a welcome packet from immtrac that Our “request to join” was approved and we are now part of the system. What can we do?

  3. I’m not even an anti-vaccination sort of person, but the volun-told offering is a lot, even as an EMT. I do not want my information in there. Is there anyway that I can refuse it when going to get my flu shot? Bcz RN it’s necessary to sign to pay for my appt in advance. Which is forcing me to sign with no way to get around it prior to paying my copay.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top