I have been writing for some time on the topic of vaccine credentials in the US and especially the role of public health registries in creating and supporting them. While the rules around data management for vaccinations apply within the US, people move in and out of the country and their data needs to move with them. Managing and documenting vaccination events for people inside the US who received COVID-19 vaccinations outside of the US is challenging and may not get easier anytime soon.
COVID vaccination providers in the US are required to electronically submit data about all doses administered at their location to their designated state, local, or territorial Immunization Information System (IIS). This data is sent from electronic health records (EHR) to IIS via standard data exchange protocols and application programming interfaces (API). The data must include not only patient identification information but also the specific vaccine administered (or CVX) code assigned by the Centers for Disease Control and Prevention (CDC) and the date of administration of the vaccine.
CDC has only defined CVX codes for COVID vaccines with a US Food & Drug Administration (FDA) Emergency Use Authorization (EUA), and for those vaccines where an EUA is expected soon. There is a “COVID-Unspecified” CVX code (213) that is not supposed to be used for recording of administered doses for COVID-19 (though this is permitted for some other vaccines). An IIS may receive a record from an EHR with a COVID-Unspecified CVX code which it may or may not store as a historical dose (meaning, a dose administered by a site other than the one submitting it) depending on its policy. An EHR could also send a record with an alternative coding scheme – a National Drug Code (NDC) – expecting an IIS to convert it to a CVX code (there is a crosswalk table maintained by CDC). Clearly, an IIS would not be able to convert the NDC code to a CVX code for a non-EUA vaccine if it could even secure that value from the original packaging that came along with the vaccine, though these vaccines are not likely to have an NDC code anyway.
This will likely come to head this summer as foreign students return to colleges and universities, especially where COVID vaccination is required for attendance (see article). Colleges and universities do not have consistent clinical guidance as to which vaccines to even accept (there is no clinical guidance in the US for non-EUA vaccines), but if they chose to store doses for non-EUA vaccines from foreign countries and then attempt to forward them to an IIS it will be problematic for the reasons described above. Some organizations may choose to use the broader set of vaccines that have been issued a Emergency Use Listing (EUL) by the World Health Organization (WHO). While this may provide some additional clinical guidance, the EUL vaccines that do not have US FDA EUA status still do not have CVX codes and cannot be accurately stored in US EHRs or IIS.
Colleges and universities (as well as clinical organizations) will be able to store these non-EUA vaccine COVID doses in their local systems (see example from Brown University), but interoperability with other systems will be difficult. Remember, digital vaccine credentials are not intended to be full vaccination histories nor to function as full vaccination records so they are not a good source of persistent information for an organization which has the need to document the immunization status of its students, members or affiliates.
Update: CDC has now published CVX codes for several non-US COVID vaccines to assist in historical record-keeping. CDC is also now allowing the “COVID-Unspecified” CVX code to be used to record dose administration.
Send us feedback about this blog