
Colorado has put into place a new law that will require organizations handling digital personal information of Colorado residents to have security safeguards in place to protect that information from unauthorized disclosure and misuse, as well as breach notification requirements that will apply in addition to any other state or federal requirements. Some other provisions in the bill:

The new Colorado law takes effect on September 1, 2018.

Of significant interest to organizations in health care and information technology is the protection applied to “health information,” which is defined as “any information about a consumer’s medical or mental health treatment or diagnosis by a health care professional.” The impact of this expansive definition is that organizations that are not subject to the requirements of the HIPAA Privacy and Security Rules or the Rules for the Confidentiality of Substance Abuse Treatment Information (42 CFR Part 2) will be required to comply with the requirements of the Colorado law when there has been a breach involving health information of Colorado residents. The provisions of the Colorado law will apply even if the organization is not located or doing business in the state.

Examples of scenarios in which the Colorado law could apply to organizations that are not subject to the HIPAA Breach Notification Rule:

  1. An Idaho app developer creates a sensor device that uses a smartphone to monitor an individual’s blood glucose levels. The data, which includes the individual’s name, is collected and stored on the developer’s cloud computing platform for later transmission to the individual’s health care provider. The app developer learns from its third-party service provider that a hacker gained access to the server on which the data was stored. The data files, including the names of individuals and their blood glucose readings, have been posted on an internet website. Under the new Colorado law, the app developer would be required to notify any Colorado residents whose data was disclosed.
  2. A Texas-based information security consulting company employs 75 consultants who reside in Colorado. One of the company’s unencrypted desktop workstations is stolen. Stored on the hard drive of the workstation are files containing employee sick leave records, including notes from physicians. Under the new Colorado law, the employer would be required to notify any Colorado residents whose name and diagnosis or treatment information was disclosed.
  3. A health researcher employed by an Alabama-based non-profit patient advocacy organization posts the prescription records of 1,500 Colorado residents to an online social media website. The prescription records identify each individual by first and last name, the prescribed pharmaceutical, and the name of the health care professional who issued the prescription. Under the new Colorado law, the organization would be required to notify any Colorado residents whose data was disclosed, as well as to notify the Colorado Attorney General and the consumer credit reporting agencies.

The Bottom Line

Any organization that creates or maintains personal information about individuals should inventory the types of information it maintains and identify those individuals who are Colorado residents. It should then put into place information security policies and procedures that are designed to safeguard that personal information from misuse.

Summary of the Colorado Breach Notification and Data Protection Law

Key breach notification provisions of the new law:

Definition of personal information: The bill amends Colorado’s current breach notification law to define “personal information” as a Colorado resident’s first name or initial and last name in combination with one of the following:

The amended definition of “personal information” also includes:

Attorney General notification:

If an entity must notify Colorado residents of a data breach, and the breach has affected 500 or more residents, it must also provide notice to the Colorado Attorney General. Notice to the Attorney General is required even if the covered entity also notifies other state or federal government entities pursuant to other state or federal law.

An organization that must notify 1,000 or more Colorado residents of a security breach shall also notify all national consumer reporting agencies of the anticipated notification to residents and the number of residents to be notified. Entities that are subject to the Gramm-Leach-Bliley Act (GLB) are exempt from this requirement.

Timing requirements:

Notice to affected Colorado residents and the Colorado Attorney General must be made within 30 days after determining that a security breach has occurred. The 30-day notice requirement is not preempted by any longer notice period allowed under other state or federal law, such as the HIPAA Breach Notification Rule.

Content of Notice Requirements:

The Colorado Breach Notification law requires that notice to affected Colorado residents must include:

Third-party service providers:

If an entity uses a third-party service provider to maintain computerized data that includes personal information of a Colorado resident, the third-party provider:

Requirements for Data Security Protections of personal identifying information:

Colorado is establishing requirements for organizations that maintain, own, or license personal identifying information to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information they hold, and to the nature and size of the business and its operations. The definition of personal identifying information is:

Written disposal policy for entities operating in the state of Colorado:

The bill requires covered entities to create a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information, requiring the destruction of those documents when they are no longer needed. A covered entity is deemed in compliance with this section of the bill if it is regulated by state or federal law and maintains procedures for the disposal of personal identifying information pursuant to that law.