Colorado's Tougher Breach Law: Healthcare Incidents IncludedState Law Requires Quicker Notification Than HIPAA
Starting Sept. 1, organizations in Colorado must notify victims of breaches of personal information - including health data - within 30 days of determination that a breach occurred. That's a tougher requirement than the HIPAA breach notification rule, which requires notification of individuals within 60 days of discovery.
The new state law, which has tougher requirements than previous legislation, also requires notification of the Colorado attorney general within 30 days of breaches if more than 500 state residents have been affected.
Colorado's Protections For Consumer Data Privacy, recently signed into law by Gov. John Hickenlooper, contains some provisions for data security that are more rigorous than many other state breach laws. Efforts to enact a uniform federal data breach notification law, other than HIPAA, so far have been unsuccessful.
"This is part of a continuing trend in the states to add additional elements and complexity to their breach notification laws."
—Kirk Nahra, Wiley Rein
"This is part of a continuing trend in the states to add additional elements and complexity to their breach notification laws," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "We will continue to see these tweaks unless Congress steps in and passes a unifying national law."
Attorney Steven Teppler of the Abbott Lax Group explains that while Colorado's 30-day breach notification deadline is shorter than HIPAA's 60-day notification deadline for major breaches, the timer on Colorado's notification starts upon "determination" that a security incident is a breach, meaning that there is sufficient evidence to conclude that a breach has taken place. By comparison, the notification requirement under HIPAA starts upon "discovery" of a breach of unsecured protected health information.
Also, Colorado notification can be further delayed if law enforcement determines that issuing a notice will impeded a criminal investigation, he notes.
Colorado's 30-day notification requirement is not as strict as notification rovisions in some other states.
For instance, California requires health data breaches to be reported to affected individuals within 15 days of the breach being detected. For breaches that do not involve health data, notification must be made in "the most expedient time possible and without unreasonable delay," the California law states.
"Colorado's law is strong, but it's not as strong as Florida's in some respects," Teppler notes.
For example, Colorado's law appears to define "security breach" as the unauthorized "acquisition" of unencrypted data, Teppler notes. "Acquisition means exfiltration of data. Florida breach law covers unauthorized 'access,' as well."
The new Colorado law will have an impact on a broad range of organizations that handle healthcare information, including entities that are not physically located in the state, says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"For example, HIPAA covered entities and business associates creating or maintaining the health information of Colorado residents will need to comply with the notification requirements and timelines when an incident results in the unauthorized disclosure of their health information outside the borders of Colorado," he notes.
Organizations that handle health information but do not qualify as HIPAA CEs or BAs will be required to perform the steps called for in the new Colorado statute, Holtzman points out.
"For example, health care app vendors and developers that create or maintain health data [for residents of Colorado] that is being shared with a healthcare provider will be required to meet the Colorado statute's requirements for securely maintaining and disposing of personal information as well as the breach reporting and notification requirements," he says. "Also in the scope of this new law will be educational institutions that create or maintain health information that is generally subject to the requirements of the FERPA [Family Educational Rights and Privacy Act]."
Nahra also predicts that the Colorado law will have a substantial impact on "non-HIPAA" entities that handle health information, including those offering certain wearable devices and mobile apps. "And because the law is driven by the residence of the impacted individual, this provision, in theory, applies regardless of where the entity is."
Attorney Lynn Sessions, a partner at law firm BakerHostetler, notes other important changes made in the Colorado law include the expansion of the definition of personal information to include more than just Social Security numbers, driver's license numbers and financial account information. For instance, "biometric" information is now included under the banner of breached personal information subject to notification.
Steps to Take
In light of the new Colorado law, what steps do healthcare organizations need to take?
"Organizations will need to review their incident response and review policies and procedures to ensure the scheme provides sufficient time to investigate, assess and perform the necessary notifications within the time set by the Colorado statute," Holtzman says.
Sessions adds that it's also critical for entities to educate their staff on the changes and the need to quickly report and investigate suspected breaches. "They should also take a look at their policies and procedures as well as technical safeguards," she says.
Colorado's updated breach notification regulation was signed into law just days after the May 25 enforcement date for the European Union's General Data Protection Regulation.
But only certain U.S.-based healthcare entities - such as those having a location in the EU or actively soliciting EU patients - have to comply with GDPR, legal experts say (see GDPR Compliance for U.S. Healthcare: What You Need to Know).)