
Aging service privacy officer warns consumer‑privacy draft would fragment client records

House Commerce & Economic Development · April 29, 2026
AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

Bobby Leonard, privacy compliance officer at AgeWell, testifying for the Vermont Aging Network Consortium, told the House Commerce & Economic Development committee that draft 2.3 of S.71 would force staff to parse single client records into HIPAA‑exempt and non‑exempt elements, creating confusion, administrative burden, and incentives to 'sanitize' notes.

Bobby Leonard, privacy compliance and privacy officer at AgeWell, testified April 8 on behalf of the Vermont Aging Network Consortium (VANC) and the state’s five Area Agencies on Aging (AAAs), arguing that the version of the consumer privacy bill under consideration would impose a second, conflicting privacy framework on organizations that already operate as HIPAA‑covered entities.

"Clients experience this information as a single record," Leonard said, explaining that AAAs document health, functional needs, caregiver contacts and personal preferences together. He told the committee that, under HIPAA, AAAs consistently apply strong confidentiality and retention practices; draft 2.3 “regulates personal data at the level of individual data elements, not at the level of the service record as a whole,” which would force staff to separate and evaluate parts of the same note.

Leonard offered two concrete examples. First, a routine access/deletion request — today handled under HIPAA processes — would, under draft 2.3, require staff to review records element‑by‑element to determine which parts are statutorily exempt and which are subject to deletion rights, prepare written denials, and manage appeals. Second, a case manager’s single sentence documenting mobility limitations, appointment preferences and emergency contacts could contain both PHI (protected health information) and non‑PHI personal data that draft 2.3 would treat differently, creating an inconsistent client experience.

He warned that the practical consequences include staff time diverted from services to compliance, increased legal costs, more appeals, and perceived inconsistency that could erode trust. "The change will be the administrative burden and the client experience created by applying a second privacy framework," Leonard said. He urged the committee to advance S.71 as passed by the Senate, which he said exempts HIPAA‑regulated entities at the entity level and avoids the record‑level fragmentation in draft 2.3.

Committee members questioned Leonard about website trackers, donor and newsletter portals and an AI chatbot; Leonard said AAAs remove tracking tags from health‑related pages, post disclaimers on chatbots, secure donor platforms, and treat all client records to HIPAA standards wherever PHI is involved. He also said he expects deletion requests to increase if a comprehensive privacy law creates clearer public expectations about deletion rights.

The committee followed with technical questions about whether AAAs would be classified as 'controllers' under the bill, how HIPAA's "minimum necessary" standard compares to statutory data minimization, and whether a narrower PHI exemption (as in draft 2.3) would be workable; Leonard said AAAs act as controllers and that the biggest problem is the operational friction of applying two separate standards to one record.

The committee recessed after additional stakeholder testimony later in the session; no vote or formal action on S.71 was recorded in the transcript of this hearing.