Colorado Breach Law Uses Long Arms to Protect Health Information Not Covered by HIPAA

July 3, 2018 David Holtzman

Colorado has put into place a new law that will require organizations handling digital personal information of Colorado residents have security safeguards in place to protect information from unauthorized disclosure and misuse, as well as breach notification requirements that will apply in addition to any other state or federal requirements. Some other provisions in the bill:

  • Sets new standards for breach notification to require notice by any organization to affected Colorado residents, and in some cases the Colorado Attorney General, within 30 days of determining that a security breach has occurred;
  • Imposes content requirements for the notice to residents and expands the definition of personal information;
  • Establishes data security requirements for businesses non-profit organizations as well as their third-party service providers; and,
  • Sets tighter standards for Colorado-based organizations regarding disposal of personal identifying information.

The new Colorado law takes effect on September 1, 2018.

Of significant interest to organizations in health care and information technology is the protection applied to “health information” which is defined as, “….any information about a consumer’s medical or mental health treatment or diagnosis by a health care professional.”  The impact of this expansive definition will mean organizations that are not subject to the requirements of the HIPAA Privacy and Security Rules or Rules for the Confidentiality of Substance Abuse Treatment Information (42 CFR Part 2) will be required to comply with the requirements of the Colorado law when there has been a breach involving health information of Colorado residents. The provisions of the Colorado law will apply even if the organization is not located or doing business in the state.

Examples of scenarios the Colorado law could apply to organizations that are not subject to the HIPAA Breach Notification Rule:

  1. An Idaho app developer creates a sensor device that uses a smartphone to monitor an individual’s blood glucose levels. The data which includes the individual’s name is collected and stored on the developer’s cloud computing platform for later transmission to the individual’s health care provider. The app developer learns from their third-party service provider that a hacker gained access to the server on which the data was stored. The data files, including the names of individuals and blood glucose readings have been posted on an internet website. Under the new Colorado law, the app developer would be required to notify any Colorado residents whose data was disclosed.
  2. A Texas-based information security consulting company employs 75 consultants who reside in Colorado. The company’s unencrypted desktop workstation is stolen. Stored on the hard drive of the workstation are files containing employee sick leave records including notes from physicians. Under the new Colorado law, the employer would be required to notify any Colorado residents whose name and diagnosis or treatment information was disclosed.
  3. A health researcher employed by an Alabama based non-profit patient advocacy organization posts the prescription records of 1,500 Colorado residents to an online social media website. The prescription records identify the individual by first and last name, the prescribed pharmaceutical, and the name of the health care professional who issued the prescription. Under the new Colorado law, the organization would be required to notify any Colorado residents whose data was disclosed, as well as to notify the Colorado Attorney General and consumer credit reporting agencies.

The Bottom Line

Any organization that creates or maintains personal information about individuals should inventory the types of information it maintains and identify those individuals who are Colorado residents. Put into place information security policies and procedures that are designed to safeguard the personal information from misuse.

Summary of the Colorado Breach Notification and Data Protection Law

Key breach notification provisions of the new law:

Definition of personal information: The bill amends Colorado’s current breach notification law to define “personal information” as a Colorado resident’s first name or initial and last name in combination with one of the following:

  • Social Security Number
  • Student, military or passport number
  • Medical information which is defined as any information about a consumer’s medical or mental health treatment or diagnosis by a health care professional
  • Health insurance identification number
  • Biometric data

The amended definition of “personal information” also includes:

  • Username or email address in combination with a password and any security questions that would permit access to an online account
  • An account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to that account.

Attorney General notification:

If an entity must notify Colorado residents of a data breach, and the breach has affected 500 or more residents, it must also provide notice to the Colorado Attorney General. Notice to the Attorney General is required even if the covered entity policy notifies other state or federal government entities pursuant to other state or federal law.

An organization that must notify 1,000 or more Colorado residents of a security breach, shall also notify all national consumer reporting agencies of anticipated notification to residents and number of residents to be notified. Entities that are subject to Gramm Leach Bliley Act (GLB) exempt from this requirement.

Timing requirements:

Notice to affected Colorado residents and the Colorado Attorney General must be made with 30 days after determining a security breach has occurred. The 30-day notice requirement is not preempted by any longer notice requirement by other state or federal law, like the HIPAA Breach Notification Rule.

Content of Notice Requirements:

The Colorado Breach Notification law requires that notice to affected Colorado residents must include:

  • The date, estimated date or date range of the breach;
  • A description of the personal information acquired or reasonably believed to have been acquired;
  • Contact information for the entity;
  • The toll-free numbers, addresses, and websites for consumer reporting agencies and the FTC; and,
  • A statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes.
  • If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, the entity must also direct affected individuals to promptly change their password and security questions and answers, or to take other steps appropriate to protect the individual’s online account with the entity and all other online accounts for which the individual used the same or similar information.

Third-party service providers:

If an entity uses a third-party service provider to maintain computerized data that includes personal information of a Colorado resident, the third-party provider:

  • Is responsible to notify entity in the event of misuse of data of the Colorado resident has occurred or is likely to occur without unreasonable delay; and,
  • Must cooperate with the covered entity when sharing relevant information about a security breach. However, not required to share their confidential business information or trade secrets when reporting a security breach.

Requirements for Data Security Protections of personal identifying information:

Colorado is establishing requirements for organizations that maintain, own, or license personal identifying information to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information it holds, and the nature and size of the business and its operations. The definition of personal identifying information is:

  • Social Security Number,
  • A password or passcode,
  • State issued driver’s license or identification card number,
  • Student, military or passport number,
  • Biometric data, and,
  • Financial transaction device

Written disposal policy for entities operating in the state of Colorado:

The bill requires covered entities to create a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information that requires the destruction of those documents when they are no longer needed. A covered entity is deemed in compliance with this section of the bill if it is regulated by state or federal law and maintains procedures for disposal of personal identifying information pursuant to that law.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter
Previous Article
EHR Vendor Mistake Impacts 150,000 U.K. Patients
EHR Vendor Mistake Impacts 150,000 U.K. Patients

Next Article
Humana Notifying Victims of 'Identity Spoofing' Attack
Humana Notifying Victims of 'Identity Spoofing' Attack