Skip to Content

State report finds District 60 violated state statute to access employee vaccination records

PUEBLO, Colo. (KRDO) -- A Colorado Department of Public Health and Environment report obtained by 13 Investigates found Pueblo School District 60 violated a state statute to gain access to vaccination information on employees.

The report states that D60, "did not get written authorization from staff prior to querying CIIS for their immunization records."

In November 2021, all vaccinated District 60 employees received $1,000 stipends. However, unvaccinated employees were not given the bonus.

Tammy Highberger, a D60 employee, told 13 Investigates she questioned how the district would've known who was and who wasn't vaccinated and went to the state with a complaint. From there, the CDPHE began looking into how the district was able to determine who was vaccinated.

"They had accessed our information without us knowing and then automatically deposited the money into our accounts," Highberger said.

Highberger says she sought answers from the Colorado Department of Public Health and Environment on how the state database was used, and if school district could use it to access immunization records.

"Give me an answer. How did they access our information," Highberger questioned.

The CDPHE report found that D60 accessed the Colorado Immunization Information System, a state database containing confidential and medical information to verify employee vaccination status.

The report states. "On December 2, 2021, CDPHE obtained an audit log showing the Executive Director of Human Resources for District 60 accessed more than 2,000 adult immunization records in CIIS."

On December 3, 2021, a CDPHE Privacy Officer initiated an investigation into the district's use of CIIS.

On December 15, 2021, District 60 legal counsel told the officer that only one district employee accessed the vaccination records, D60's Human Resources Director Tammy Neal.

The report says, "through investigation and as captured in the summary document, it is clear that individuals staffing the CIIS Help Desk inappropriately fulfilled the CIIS user account request from the D60 HR Director and failed to communicate the limitations of CIIS use for verifying the vaccination status of employees even though given the opportunity to do so."

13 Investigates learned that the HIPAA law violated CRS 25-4-2403(3)(c) related to releasing public health information to parents and guardians, but not to school districts.

"My employer actually violated my information and 2 thousand plus of the employees information illegally, but that they could also get my children's information without any consent," Highberger said.

According to the law:

"Immunization records and epidemiological information may be released to the individual who is the subject of the record, to a parent of a minor individual, to a guardian or person authorized to consent to immunization under section 25-4-1704, to the physician, clinic, hospital or licensed health care practitioner treating the person who is the subject of an immunization record, to a school in which such person is enrolled, or entity or person described in paragraph (f), (h), or (i) of subsection (2) of this section."

However, the CIIS statute does not permit school districts to access employee immunization records to
verify vaccination status, the report says. CDPHE subsequently deactivated the HR Director’s CIIS user account.

CDPHE says District 60 has established a new process to visually review individuals' vaccination cards provided by the individual for verification of COVID-19 vaccination status. They say the violation resulted in a loss of public trust and a greater number of individuals opting out of the CIIS database.

District sent an email to all of their employees letting them know that they had the option of opting out of the CIIS System. That email is below.

D60 Email to Employees

CDPHE says multiple actions have been taken. Those include:

  • Reinforced the importance of properly reviewing CIIS user account requests with all employees staffing the CIIS Help Desk.
  • Created a FAQs document for employers that have CIIS access to make it clear that employers cannot use CIIS to verify the vaccination status of their employees without documented consent from each employee.
  • Posted a static message in the “News” section of the CIIS school nurse web application to clarify that CIIS cannot be used to view employee vaccination records without consent. This message is displayed to all CIIS school users upon each login.

Proposed actions that CDPHE recommends but have not yet been taken include:

  • Perform a full CIIS user account audit for District 60 to ensure that authorized school users within the district have the appropriate level of access to CIIS, and to deactivate the user accounts of those without a demonstrated need for continued access to CIIS.
  • Create and distribute an official communication to all Colorado school superintendents, school districts, and local public health agencies clarifying the appropriate uses of CIIS.
  • Update the CIIS user account request form with an option for the requestor to select “I am seeking employee vaccination records” to serve as a hard stop in the CIIS user account creation process.
  • Update CIIS webpages and policies to make it more clear that CIIS cannot be used to verify the vaccination status of employees without consent.
  • Run quarterly audit logs on District 60 CIIS users to ensure they are appropriately using CIIS.
  • Explore the feasibility of an annual recertification process to assure users of CIIS agree to the CIIS policies and procedures.
  • Request District 60 notify its employees of their right to opt-out of CIIS.

When asked to comment on the report, District 60 provided 13 Investigates with the following statement:

District 60 did provide eligible vaccinated employees with a $1,000 stipend.  The state vaccination database was used to verify vaccination status.  At the time that the verification was done, D60 had access and followed the training that was provided by the state.  Since then, D60 has worked in collaboration with  CDPHE to improve, strengthen, and bring clarity to the process regarding access and use of the CIS system. As a result, D60 sent an email to all staff informing them of their ability to opt-out of the system. We are appreciative of our partnership with CDPHE as we navigated through the unprecedented challenges of the pandemic. 

Pueblo School District 60

Highberger says she wishes District 60 would have asked each employee about their vaccination status, and if the employee didn't want to provide it, they would have that option too.

"We need more autonomy. We don't need to be controlled. We are adults. Just ask us and we can discuss things," Highberger said.

The report says although CIIS was used in an unauthorized manner, D60’s intentions appear to have been for the purpose of promoting a public health measure and reducing the transmission of COVID-19 in the school district.

Editor's Note: The initial article listed the state statute violation as a HIPAA violation. That was incorrect. Accessing the CIIS database was in violation of state statute.

Author Profile Photo

Sean Rice

Sean is a reporter based out of Pueblo for KRDO. Learn more about him here.

Comments

5 Comments

  1. Big mess up by CIIS, and District 60 personnel over-stepped their bounds. I’m glad they are trying to make things more secure, but this is violating a federal law. Was this reported to the feds? They are the ones who need to ensure proper measures are taken and dispense any punishments.

  2. “the CIIS Help Desk inappropriately fulfilled the CIIS user account request from the D60 HR Director and failed to communicate the limitations of CIIS.”
    .
    Health Department was most at fault.

  3. you can believe this has been done by other employers as well.
    NOW it can’t.

  4. For CDPHE to stand here and point fingers at the District and crying fowl is no different than opening the door to your chicken coop for the fox waiting at the door, allowing him to kill the chickens, and then pointing fingers at him and saying he’s in the wrong. It was CDPHE who “inappropriately fulfilled the CIIS user account request” and let them in the door.

Comments are closed.

Skip to content