Amendments to Data Breach Notification Law in Colorado Affect HIPAA-Regulated Entities

Passed during the 2018 state legislative session, House Bill 18-1128 went into effect on Sept. 1, 2018, changing Colorado’s law on the protection of personally identifying information and the procedure businesses must follow when that information is breached. Although the changes to the law are relatively extensive, HIPAA-regulated entities are exempted from most of these changes. The new law contains a “deemed compliance” provision stating that most HIPAA-regulated entities who comply with HIPAA’s rules and regulations are deemed also to be in compliance with the state law, with two important exceptions: (1) HIPAA-regulated entities still must provide notice to individuals affected by a breach within 30 days; and (2) in certain circumstances, HIPAA-regulated entities must provide notice of a breach to the Colorado attorney general.

Time Frame for Notice to Affected Individuals Shortened to 30 Days

The new law provides that, rather than apply HIPAA’s 60-day time frame, HIPAA-regulated entities must now comply with Colorado’s shorter, 30-day time frame in which businesses must provide notice of a breach to any affected individual. Accordingly, covered entities and their business associates in Colorado will likely need to make changes to the sections of their existing and template Business Associate Agreements that describe the parties’ notice obligations in the event of a breach. Most Business Associate Agreements in Colorado provide that the business associate must notify the covered entity of a breach within a time frame that allows the covered entity time to prepare and provide notice to affected individuals within HIPAA’s 60-day period. These provisions usually will not provide enough time for covered entities to respond under the new state law. Covered entities and business associates in Colorado may wish to change this time frame to allow no more than 25 days between the time the business associate learns of a breach and the time the covered entity receives notice.

Notice to the Colorado Attorney General

The new law also requires HIPAA-regulated entities to provide notice to the Colorado attorney general, as soon as possible and no more than seven days after discovering a breach, of any breach that is believed to have affected 500 or more Colorado residents. Again, this new obligation means that HIPAA-regulated entities should change their existing and template Business Associate Agreements to require that they be notified of any breach involving 500 or more Colorado residents with sufficient time to allow notice to the attorney general. Covered entities and business associates in Colorado may wish to require that the business associate notify the covered entity of such a breach immediately upon becoming aware of it.

Under rare circumstances, business associates and covered entities that contract with other businesses to store or use personal information on behalf of those businesses may be subject to all the new law’s stricter requirements without the protection of the “deemed compliance” provision for HIPAA-regulated entities. If you provide such services under contract with other businesses, you may wish to consult with legal counsel to understand all your legal obligations under the new law.