WASHINGTON — The Trump administration is requiring states to submit personal information of people vaccinated against Covid-19 — including names, birth dates, ethnicities and addresses — raising alarms among state officials who fear that a federal vaccine registry could be misused.
The Centers for Disease Control and Prevention is instructing states to sign so-called data use agreements that commit them for the first time to sharing personal information in existing registries with the federal government. Some states, such as New York, are pushing back, either refusing to sign or signing while refusing to share the information.
Gov. Andrew M. Cuomo of New York warned that the collection of personal data could dissuade undocumented people from participating in the vaccination program. He called it “another example of them trying to extort the State of New York to get information that they can use at the Department of Homeland Security and ICE that they’ll use to deport people.”
Administration officials say that the information will not be shared with other federal agencies and that it is needed for several reasons: to ensure that people who move across state lines receive their follow-up doses; to track adverse reactions and address safety issues; and to assess the effectiveness of the vaccine among different demographic groups.
At a briefing with a small group of reporters on Monday, officials from Operation Warp Speed, the government’s vaccine initiative, defended the plan. They said all but a handful of states had signed data agreements, and the rest would sign by the end of the week, though it is not clear how many states will submit personal information.
“There is no social security number being asked for; there is no driver’s license number,” said Deacon Maddox, who runs the operation’s data and analysis system. “The only number I would say that is asked is the date of birth.”
The hurried effort at data gathering, with delivery of vaccine doses expected to begin next week, is making many immunization experts — including the doctor who ran the C.D.C.’s immunization program for 16 years — deeply uneasy. At issue is the delicate balance between a patient’s right to privacy and the government’s right to invoke its expansive authority in the name of ending the deadliest pandemic in more than a century.
In Minnesota, officials are refusing to report any identifying details to the C.D.C., but they will submit “de-identified doses-administered data” on a daily basis once the vaccine campaigns begin.
“This is a new activity for us, as we don’t typically report this level of detail on this frequency to the federal government,” Doug Schultz, a spokesman for the Minnesota Department of Health, said in an email. He added, “We will not be reporting name, ZIP code, race, ethnicity or address.”
In the United States, collecting immunization data has been a purely state-by-state effort. A push two decades ago to develop a federal registry imploded after an uproar over patient privacy and how the data would be used.
“The general philosophy in this country is states manage public health, so the concept that federally we are going to be tracking identified information is concerning,” said Dr. Shaun J. Grannis, a professor of medical informatics at Indiana University, who has advised the C.D.C. on data gathering.
“We are 50 different states with a patchwork quilt of regulations and different perspectives on privacy and security,” Dr. Grannis added. “And I think people are going to be asking the question: What does the C.D.C. do that we can’t do regionally?”
But at the briefing on Monday, Col. R.J. Mikesh of the Army, the information technology lead for Operation Warp Speed, said the data gathering was part of a “whole of America approach” to vaccine distribution. And some experts say that in the thick of a pandemic that has already cost nearly 284,000 lives in the United States, now is the time to start a federal vaccine registry.
“We’re in a pandemic,” said Dr. Carlos del Rio, an infectious disease expert at Emory University in Atlanta. “Privacy has its role, but it cannot be what drives decision-making when you’re trying to do a monumental task like vaccinating millions of Americans with a vaccine that requires two doses.”
The fight over the registry also exposes yet again the fractured nature of health data gathering — and how the government’s lack of sophistication has impeded the response to the pandemic, said Dr. Dan Hanfling, an expert in emergency response and a vice president at In-Q-Tel, the investment arm of the national intelligence community.
Some state immunization registries can coordinate to directly exchange information without a centralized federal database, but others cannot. “If you don’t have a national system, then at least there should be consistency in terms of what the states are doing,” Dr. Hanfling said.
And while there are ways to encrypt personally identifiable data, the C.D.C. is not yet using such a system. C.D.C. officials did not respond to repeated requests for comment.
When the National Governors Association warned that collecting personal data “may create a lack of trust and discourage people from getting vaccinated,” the C.D.C.’s parent agency, the Department of Health and Human Services posted a document saying that it was “exploring solutions” to protect privacy.
In the meantime, states are grappling with how — and to what extent — they should participate in the data-gathering effort. Some states have laws that preclude them from sharing identifiable health information.
In Pennsylvania, Cindy Findley, the deputy secretary for health promotion and disease prevention, said she could see the need for vaccine data collection but would prefer that states share information one on one. Lawyers for the state tried to amend the C.D.C.’s data use agreement, but its changes were rejected and Pennsylvania signed anyway, state officials said.
The data requirements are detailed in an appendix to the C.D.C.’s interim playbook for vaccine distribution, published in late October. Four organizations representing state health officials — including the Association of State and Territorial Health Officials and the Association of Immunization Managers — sent a letter to Dr. Robert R. Redfield, the C.D.C. director, outlining their reservations about the vaccine rollout plan.
Their primary concern, the letter said, was how the government would use the personally identifiable information and whether gathering it would erode public trust in the vaccine program.
“It’s an awful lot to ask 50 states to sign the data use agreement and to send potentially identifiable data into a cloud,” said Claire Hannan, the executive director of Association of Immunization Managers. “The experience that states have had with data around Covid in the federal government has not been ideal.”
Ms. Hannan and Rebecca Coyle, the executive director of the American Immunization Registry Association, which also sent the letter, say C.D.C. officials have yet to fully explain why they need personal information, what they will do with it and precisely who will have access to it.
“We want to make sure that people’s information is protected,” Ms. Coyle said. “We want to make sure that only the right people have access to the data, and I think it’s important to think long and hard about who needs access to what parts of the data.”
Dr. Walter A. Orenstein, who ran the C.D.C.’s immunization program from 1988 to 2004 and is now the associate director of the Emory Vaccine Center, said he shared that concern. He said he was not certain why the federal government needed personally identifiable data that would ordinarily remain at the state level.
During the Clinton administration, Dr. Orenstein said, he argued against a federal vaccine registry, against his own interests. “There was so much uptightness about the government holding the data that I was opposed to it,” he said, “even though I would have loved to have had that.”