Colorado passes data protection law requiring breach notification within 30 days

The month-long window is the shortest turnaround from a state and doesn’t exempt the healthcare sector, effectively giving Colorado providers just half the time required by HIPAA to report.
By Jessica Davis
01:08 PM
Share
Colorado passes new 30-day notification data protection law

Colorado Gov. John Hickenlooper signed into law expansive consumer data legislation that mandates all organizations report breaches within 30 days, making it the shortest turnaround for any state.

There are no exemptions from the notification rule, meaning healthcare organizations must report within 30 days -- half the time required by HIPAA. The legislation updates the state’s current notification language that states notification must happen without “reasonable delay.”

Introduced in January, the bill unanimously passed in the State House Committee. The aim is to drastically improve privacy and security for all organizations within the state.

The legislation overlaps with HIPAA requirements, as lawmakers added medical and health insurance identification data to the types of information covered by the law.

[Also: The biggest healthcare data breaches of 2018 (so far)]

And if there’s “a conflict between the time period for notice to individuals [under Colorado law or federal regulation or law], the law or regulation with the shortest time frame for notice to the individual controls," the bill states.

Colorado providers also need to keep in mind the bill’s language goes past HIPAA requirements for covered information and includes passwords, passcodes and similar data. Providers should review the law before it goes into effect on Sept. 1.

With the governor’s signature, Colorado joins Florida as one of the toughest states for breach notification timelines. Florida also has a 30-day notification law, but there’s a clause that gives organizations an extra 15 days if there’s a “good cause for delay.”

Colorado is just one of many states overhauling data privacy and security laws in the wake of the massive breaches that impacted Verizon, Equifax and a long list of others. Right now, North Carolina is considering what’s possibly the toughest turnaround, which would give just 15 days to report a breach.

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com