As a decade-long watchdog of CDPHE, the most corrupt state agency in Colorado, this article intends to update the public on the prior attempts and current attempt of this rogue agency in its long term, incremental plan to obtain citizen’s personally identifying data (PII) under the guise of “health and safety” to strong arm vaccine uptake. The Family Educational Rights and Privacy Act (FERPA) of 1974, has been the unyielding obstacle of this rogue agency. CDPHE seeks to abolish privacy to implement a medical surveillance state, with coercive tactics triggered in the Colorado Immunization Information System (CIIS) database. Once an adult or student is included in the registry, with recently added data fields for employer and school information, CDPHE has the power to send individualized reminder notices on vaccine boosters, recall notices to quarantine, and to conduct home visits with social workers, nurses, and law enforcement. The unpublished strategic plan has always been to steal medical records, to kill medical privacy, and to destroy medical choice. This CDPHE pilot program of a public vaccine compliance dashboard currently targets students by an Executive Order of Gov. Polis, but it is aimed and ready to include all adults in Colorado, with easy additions of government and private sector reporting if it goes unchallenged in the courts.
CDPHE’s prior attempts to bypass the FERPA obstacle
Since 1978, local schools have collected immunization and exemption records for students. CDPHE data has consistently reported near 95% compliance with all recommended vaccines for school attendance, with only 2% of students utilizing exemptions for medical, religious, or philosophical reasons. The 3% unaccounted for was determined to be caused by administrative processing time or a lag in parents to turn in records at fall enrollment (“in-process” and “non-compliant”). By CDC standards, these numbers indicate vaccine program success, but it became clear to all who attended hearings at the Capitol in recent years that “zero exemptions” is CDPHE’s heavy-handed end goal.
In 2016, CDPHE attempted to become a state approval agency for vaccine exemptions in HB16-1164, Transfer Immunization Exemption Duties To CDPHE. This bill attempted to create two types of citizens: the compliant and the outcasts. The bill would maintain the local school immunization record process for students who consented to every vaccine, but brazenly created a new state approval process for any student who chose to submit an exemption for any one vaccine. The “experts” at bill hearings testified in transparency that exemptions would not actually be approved by the state. (I have actually heard doctors testify that they have NEVER and will NEVER support a vaccine exemption for any reason, thus indicating the decision is strongly influenced by ideology and not medical contraindications.). This bill died because the sponsor, Rep. Dan Pabon (D), who advocated for our “health and safety” was arrested for a DUI and caught on police video attempting to use his position to avoid arrest, after installing his legislator’s license plates on his wife’s vehicle. CDPHE continued for over a year to pretend that this bill became law and instructed schools to have parents submit vaccine exemptions to the state for approval. HSLDA threatened a lawsuit to finally end this CDPHE policy, which forced schools to correct their exemption process to be in accordance with state law in 2017-2018.
In 2018, CDPHE replaced their legislative mule Rep. Pabon with newly elected Rep. Kyle Mullica (D). In January 2019, Mullica introduced HB19-1312, School Immunization Requirements. This bill aimed to “modernize” and “standardize” the vaccine exemption process. This was double-speak to create an electronic state exemption form that bypassed the FERPA privacy protections at the local schools, and thereby directly uploaded exemption records to CIIS, the state vaccine tracking registry. It also gave power to the state board of health to adopt the ACIP recommendations on exemptions (double-speak for zero exemption policy) and to mandate vaccines which are currently only recommended (hepatitis A, rotavirus, and meningococcal). Furthermore, it required physicians to submit all immunization and exemption data to CIIS, when no requirement existed for CIIS participation. This bill died because hundreds of parents showed up weekly in Denver, causing so much disruption in the Capitol on a daily basis that the Democrats let it die begrudgingly in the final hours of session.
Because rookie Rep. Mullica failed in his first bill attempt, CDPHE reintroduced their bill in 2020 in the Senate with co-sponsors Sen. Kevin Priola (who recently admitted he has actually been voting as Democrat for years while portraying himself as a Republican) and Sen. Julie Gonzalez (Democratic abortion activist). Because Mullica had reported to the media that he had been the victim of a death threat (despite neither Northglenn police nor Colorado State Patrol were able to produce evidence of this death threat to the public), his Democrat peers told parents that they were out for “revenge.” (Yes, this unhinged vindictiveness is the state of affairs in the Colorado Capitol under a Democratic supermajority). SB20-163, School Entry Immunization, created a state exemption certificate, and new requirements that make obtaining a vaccine exemption nearly impossible.
SB163 legislated three ways to achieve “zero exemptions:” (1) create a certificate that doctors will refuse to sign, (2) create an education module that captures all exempting students in the CIIS tracking registry (resulting in parent refusal and leaving public schools), and (3) create a public reporting requirement for schools that shames administrators into pressuring parents to vaccinate (especially in small, rural schools where only a few unvaccinated students can put the school in CDPHE’s “red” status). SB163 doubled down on the threat to medical freedom with an additional threat to religious freedom, as many of the vocally opposed parents were homeschool parents. This law created the term “nonmedical exemption” to replace a religious or personal belief exemption, and to undermine the protections in the Religious Freedom Restoration Act of 1993. First, SB163 created a state exemption certificate that would place doctors under CDPHE’s scrutiny and threat to their medical license for signing a valid medical exemption, and doctors would also refuse to sign to approve someone’s religious beliefs in a “nonmedical” exemption. Second, SB163 created CDPHE’s online education module on vaccines, which does not provide informed consent on the associated risks but does capture personally identifying information for inclusion in CIIS. Third, SB163 created a 95% vaccination standard for all schools and a CDPHE school-shaming dashboard to coerce vaccine uptake on parents. Prior to SB163, since 1978, parents provided a doctor’s letter or statement of exemption to their local school and medical privacy was upheld, with no evidence of demonstrated risk to public health. This bill was passed during February to June in 2020, with many COVID restrictions to public participation in the legislative process. Despite an unprecedented Sunday hearing with a time limit of 90 minutes on public testimony, thousands of people protested outside during the House Health & Insurance Committee hearing.
Gov. Polis’ amended Executive Order is a violation of FERPA protections
A student’s health records, including information related to immunizations received and exemptions, are considered part of the educational record and are protected from disclosure in the Family Educational Rights and Privacy Act (FERPA) of 1974.
In October 2021, Gov. Polis amended an Executive Order with the requirement that CDE share personally identifying information of students with CDPHE without the prior, written parental consent required by FERPA:
“I direct the Colorado Department of Education to share with the Colorado
Department of Public Health and Environment (CDPHE) student
information necessary for public health purposes of ongoing COVID-19
investigation and disease mitigation, including information identifying the
student’s school of attendance and sufficient information about students to
match their information to records in CDPHE immunization and disease
control databases. This data sharing is necessary in connection with the
COVID-19 pandemic to protect the health and safety of our student
population and is permissible pursuant to the Family Educational Rights
and Privacy Act, 20 U.S.C. § 1232g(b)(1)(I), which permits such data
sharing with appropriate persons in connection with an emergency if the
information is necessary to protect the health or safety of the student or
A basic understanding of FERPA would justify a legal challenge to Polis’ Executive Order.If FERPA allowed the sharing of student PII, then why is the Executive Order necessary? FERPA allows the sharing of aggregate data, not PII, but that fact is not clarified in the Executive Order to the public. CDE understood that FERPA prohibited the sharing of the student data with PII and refused to share the student data with CDPHE, which resulted in Polis issuing the Executive Order. Moreover, can Polis use the health and safety emergency exceptions of FERPA to request student PII two months after he declared the emergency phase of the pandemic had ended? Furthermore, how has this sensitive data sharing demonstrated that it protects health or safety? The COVID vaccine does not prevent transmission, so what evidence is there that any disease mitigation has resulted from this data sharing? CDPHE launched the dashboard in March 2022, eight months after Polis declared the emergency phase of the pandemic had ended. Who will hold Polis and CDPHE accountable?
This is a short list of FERPA violations that should be challenged legally in this EO:
- Are schools recording this sharing of PII in the student record as required by law? Can CDE and CDPHE justify that COVID is a significant threat to daycares, K-12, and college students?
“When an educational agency or institution makes a disclosure under the health or safety exception, it must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure, and the parties to whom the information was disclosed. See § 99.32(a)(5).” Source: US DOE
- FERPA requires a case-by-case request of PII, and blanket requests like Gov. Polis’ EO are prohibited.
“An educational agency or institution must make this determination on a case-by-case basis, taking into account the totality of the circumstances pertaining to a threat to the health or safety of a student or others. If the school determines that there is an articulable and significant threat to the health or safety of a student or other individuals and that a third party needs personally identifiable information (PII) from education records to protect the health or safety of the student or other individuals, it may disclose that information to appropriate parties without consent.” Source: US DOE
- FERPA also requires an actual or imminent emergency to be in place for release of PII. A COVID epidemic, by the epidemic definition of case numbers, does not currently exist and has never occurred among students in daycares, K-12 schools, and college students.
“FERPA’s health or safety emergency provision permits such disclosures when the disclosure is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36. This exception to FERPA’s general consent requirement is limited to the period of the emergency and generally does not allow for a blanket release of PII from a student’s education records. Rather, these disclosures must be related to an actual, impending, or imminent emergency, such as a natural disaster, a terrorist attack, a campus shooting, or the outbreak of an epidemic disease.” Source: US DOE
- Schools may NOT release PII for emergency preparedness for the future.
“Disclosures made under the health or safety emergency provision must be ‘in connection with an emergency,’ which means it must be related to an actual, impending, or imminent emergency, such as a natural disaster, a terrorist attack, a campus shooting, or the outbreak of an epidemic disease.” Source: US DOE
- CDPHE must destroy the data after the period of the emergency ends, and when the purpose for the PII request is no longer valid. There is no provision in FERPA that allows Polis or CDPHE to make a statewide blanket request for student PII and store it in a database forever. CDE & CDPHE are required to publish when the data will be destroyed.
“FERPA requires that PII from education records be destroyed when no longer needed for the specific purpose for which it was disclosed, and that the written agreement specify the time period for destruction.” Source: US DOE
Freedom supporters recognize the threat of this data collection
Senator Paul Lundeen and State Board of Education Vice Chair Steve Durham articulately expressed the many concerns about this data theft in The Gazette:
“The data dashboard was created using sensitive student data from both the Colorado Department of Education (CDE) and the Colorado Department of Public Health and Environment. In particular, data shared with CDPHE included student personally identifiable information like names, dates of birth, gender, district of parents’ residence, grade level, and more.
These personally identifiable data points were then overlaid with state-held medical records related to COVID-19 vaccination status — also extremely sensitive information for many families, especially in the politically charged atmosphere surrounding COVID-19 — to determine whether individual students had been vaccinated. Once matched, CDPHE used the data to calculate school- and grade-level vaccination rates and build the associated public dashboard.”
A parent at Falcon School District, Jeff Kemp, expressed his valid concerns about the student data sharing to KOAA:
“I think it is unnecessary, overreaches, and problematic because it sets precedent for the next version,” said Jeff Kemp, Falcon School District 49 parent.
He doesn’t see the purpose in the new directive.
“Wasn’t necessary two months when we all thought we were going to die, wasn’t necessary six months ago when there was another surge, and it’s clearly not necessary now. Are people getting sick? Sure. Are they getting seriously ill? No. Percentages are roughly the same, if not better,” said Kemp.
Kemp also believes the new tool will do more harm than good.
“They are putting our schoolhouses in this uncomfortable position of being mandatory reporters on things that don’t affect kids, don’t matter to kids. It is certainly not the role of our government, I’ve never asked to help me manage my health, I will never ask them to manage my health. I will not ask the government permission to educate my children, and I’m certainly not asking the government’s help in managing my children’s health,” said Kemp.
He says state health officials should not have access to student information, and that it raises concerns over privacy.
“What are they going to do with it in ten, fifteen years from now. That’s what we don’t know, we don’t know how it’s going to be used but we know it builds profiles and a mechanism for the government to be more intrusive,” said Kemp.
For people who support this data sharing, they might think it provides a false security by health enforcement (contact tracing) or safety in schools (zero COVID mitigation measures). Those who are apathetic might even think this personally identifying information has always been shared. But in reality, the state notifying the public that a named person is unvaccinated only serves to make the person a target. It does not “guide local response” in any responsible way. The unvaccinated are not disease carriers, and the vaccinated are not immune to disease. This article illustrates that the state government officials who make these decisions are not morally guided people, not genuinely concerned about public health and safety, and not held accountable for violating state and federal law to reach their goal of zero exemptions. If this Executive Order remains unchallenged in the courts for illegal data sharing, we can expect that employers and state agencies will be under the same reporting requirements and coercive tactics in the near future which will threaten employment and benefits for those who have exemptions or are bringing down the 95% compliance rate for any given public or private entity.