Some members of the Colorado legislature want to be exempt from the Health Insurance Portability and Accountability Act (HIPAA), the federal law requiring everyone else to protect individual health information from purposeful or accidental disclosure. “Health oversight agencies” are exempt from HIPAA requirements. If Senate Bill 275 passes, the entire Colorado legislature will become a “health oversight agency,” and members will be able to browse individual medical records at will without penalty.
It gets worse. The bill also gives the legislature access to all information that is “confidential under state statute, federal statute, state or federal administrative rule, or a rule of the state or federal courts.”
This means that the legislature also wants unfettered access to individual financial information, tax records, credit records, voting records, employment records, educational records, private court records, and anything else that individual lawmakers might want to see.
The second part of the bill says that a state employee can give “any information to a member of the General Assembly.” If the information is “confidential” and not covered under the Colorado Open Records Act, then the legislator receiving the information does not have to make it public and disciplinary action against the employee would be prohibited.
Want to mobilize votes for yourself? Have a state employee scan tax records for names and addresses of people paying student loans. Then send them a flier saying vote for you because you want to make Colorado taxpayers help in loan repayment.
Why should legislators be given unfettered access to previously confidential records? According to the bill’s preamble, “members of the general assembly may need to receive confidential information during the course of their official duties in making decisions and voting on legislation with respect to all areas of state government.” It even states that the legislature oversees the “health system in Colorado.”
Though some of its members wish otherwise, the Colorado legislature does not yet control the “health system in Colorado.” The federal government runs the Medicare and Veterans Administration. The state and the federal government run Colorado Medicaid.
But people who pay for their own care run their own affairs.
The Colorado legislature oversees the state Medicaid program, public health programs, the licensing of health care providers, laws governing health coverage, the Colorado Indigent Care Program, and a variety of grant programs required to follow federal rules. Before exempting itself from treating individual medical records with the respect required by HIPAA, the legislators supporting this bill need to explain exactly what part of the management of these entities requires giving them the power to browse confidential personal records.
The legislature might also first demonstrate that it is fit to engage in basic oversight before demanding broad new powers. In recent years it has “overseen” a fiscally and technically dysfunctional health exchange. It has overseen a Medicaid program that in one year paid over 800,000 claims without properly identifying who the money was being given to. And it has done little to correct the underfunding in the state pension system.
Awarding new powers to government requires careful thought because government always stretches any power it is given to the absolute limit and beyond. The Colorado legislature has disguised new taxes as fees in order to avoid the requirements of the TABOR Amendment. It has worked to compromise Colorado’s flat rate income tax by lowering the rate paid by favorite groups with subsidies and tax credits. Some lawmakers even want to dictate what children eat, how children play, and how many rounds gun owners can put in their magazines.
If this bill passes, members of the legislature will undoubtedly be using all kinds of confidential personal information in ways they shouldn’t.
The bill’s boilerplate pinky swear says that confidential information “will be kept confidential and used only for official legislative purposes connected to the consideration of official actions of the General Assembly.” But misuse is not defined and no penalties are specified if it occurs.
This offers about as much protection to Coloradans’ privacy as a cheap umbrella in a hurricane.
In a world where everyone else faces fines or worse for disclosing such confidential information, the Colorado legislators sponsoring and supporting SB 275 need to fully explain why they should be placed above the law.
Update: SB-275 has been amended.
Unfortunately, the guts of the bill remain the same. Legislators still end up exempt from the HIPPA rules the rest of us have to follow. State employees can leak any kind of presumably confidential individual information to members of the state legislature without penalty. Legislators can use the information as they wish without penalty, as long as they don’t leak it to anyone else and as long as it is “for official legislative purposes connected to the consideration of official actions of the general assembly” which, as noted above, pretty much covers every aspect of life.
The fact that its authors are fleeing from specifics while keeping the bill’s essential mechanics intact is telling. They’ve removed the clause detailing that the confidential information received by the members of the legislature may be confidential under “state statute, federal statute, state or federal administrative rule, or a rule of the state or federal courts” and replaced it with the much less descriptive access to “information that is confidential or sensitive.”
The result stays largely the same. State employees can leak previously confidential things like your individual banking, health, educational, tax, and arrest records to state legislators without being penalized.
Click here to read the full text of the amendment to the bill.
Linda Gorman is health care policy center director at the Independence Institute, a free market think tank in Denver.