PUEBLO, Colo. (KRDO) — A report from the Colorado Department of Public Health and Environment obtained by 13 Investigations found Pueblo School District 60 violated HIPAA laws to access employee vaccination information.
The report says D60 “did not obtain written permission from staff before querying the CIIS for their vaccination records.”
In November 2021, all vaccinated District 60 employees received stipends of $1,000. However, unvaccinated employees did not receive the bonus.
Tammy Highberger, a D60 employee, said 13 Investigations she asked how the district would have known who was and who was not vaccinated and went to the state with a complaint. From there, the CDPHE began researching how the district could determine who was vaccinated.
“They accessed our information without our knowledge and then automatically deposited the money into our accounts,” Highberger said.
Highberger says she sought answers from the Colorado Department of Public Health and Environment about how the state database was being used and whether the school district could use it to access school records. vaccination.
“Give me an answer. How did they access our information,” Highberger asked.
The CDPHE report found that D60 accessed the Colorado Immunization Information System, a state database containing confidential and medical information to verify employees’ immunization status.
The report says. “On December 2, 2021, CDPHE obtained an audit log showing that the Executive Director of Human Resources for District 60 accessed over 2,000 adult immunization records in the CIIS.”
On December 3, 2021, a CDPHE Privacy Officer initiated an investigation into the district’s use of CIIS.
On December 15, 2021, District 60’s legal counsel told the officer that only one district employee had accessed the vaccination records, D60’s Director of Human Resources, Tammy Neal.
The report states that “Through the investigation and as stated in the summary document, it is clear that the CIIS Help Desk staff individuals responded inappropriately to the HR Manager’s CIIS user account request. D60 and did not communicate the limitations of using the CIIS to verify vaccination. employee status even if given the opportunity. »
13 Investigations learned that HIPAA violates CRS 25-4-2403(3)(c) regarding the disclosure of public health information to parents and guardians, but not to school districts.
“My employer actually unlawfully breached my information and that of over 2,000 employees, but they could also obtain my children’s information without any consent,” Highberger said.
According to the law:
“Vaccination records and epidemiological information may be communicated to the natural person who is the subject of the record, to a parent of a minor, to a guardian or to a person authorized to consent to vaccination under the 25-4-1704, to a physician, clinic, hospital, or licensed health care professional treating the person who is the subject of an immunization record, to a school at which that person is enrolled, or to an entity or person described in paragraphs (f), (h) or (i) of paragraph (2) of this section. »
However, CIIS law does not allow school districts to access employee immunization records to
check vaccination status, the report says. The CDPHE then deactivated the HRD’s CIIS user account.
CDPHE says District 60 has implemented a new process to visually review individuals’ vaccination cards provided by the individual for verification of COVID-19 vaccination status. They say the breach resulted in a loss of public trust and more people opting out of the CIIS database.
District sent an email to all of its employees informing them that they had the option of opting out of the CIIS system. This email is below.
The CDPHE indicates that several actions have been undertaken. These include:
- Reinforced the importance of properly reviewing CIIS user account requests with all CIIS helpdesk employees.
- Created an FAQ document for employers who have access to the CIIS to clarify that employers cannot use the CIIS to verify the vaccination status of their employees without the documented consent of each employee.
- Posting a static message in the “News” section of the CIIS school nurse web application to clarify that the CIIS cannot be used to view employee immunization records without their consent. This message is displayed to all CIIS school users at each login.
Proposed actions that the CDPHE recommends but have not yet been taken include:
- Perform a full audit of the CIIS user account for District 60 to ensure that authorized school users within the district have the appropriate level of access to the CIIS and to disable user accounts for those who do not require it. continued access to the CIIS.
- Create and distribute official communication to all Colorado school superintendents, school districts, and local public health agencies clarifying the appropriate uses of CIIS.
- Update the CIIS User Account Application Form with an option for the applicant to select “I am looking for employee immunization records” to serve as a final stop in the CIIS User Account creation process.
- Update the CIIS web pages and policies to make it clearer that the CIIS cannot be used to verify the vaccination status of employees without their consent.
- Run quarterly audit logs on District 60 CIIS users to ensure they are using CIIS appropriately.
- Explore the feasibility of an annual recertification process to ensure that CIIS users accept CIIS policies and procedures.
- Ask District 60 to inform its employees of their right to opt out of the CIIS.
When asked to comment on the report, District 60 provided 13 Investigations with the following statement:
District 60 provided eligible vaccinated employees with a $1,000 stipend. The state immunization database was used to verify immunization status. At the time the verification was made, D60 had access to and completed the training provided by the state. Since then, D60 has worked in collaboration with the CDPHE to improve, strengthen and clarify the process regarding access and use of the SIC system. As a result, D60 sent an email to all staff informing them of their ability to opt out of the system. We appreciate our partnership with the CDPHE as we navigate through the unprecedented challenges of the pandemic.
Pueblo School District 60
Highberger says she wished District 60 had asked each employee for their vaccination status, and if the employee didn’t want to provide it, they would have that option as well.
“We need more autonomy. We don’t need to be controlled. We’re adults. Just ask us and we can discuss things,” Highberger said.