States Enact Even Tougher Breach Notification Laws than Federal HIPAA Requirements

Starting September 1, 2018, Colorado’s new Protections For Consumers Data Privacy law will require organizations to notify victims of breaches containing personal information within 30 days of determining that a breach occurred — 30 days before current federal HIPAA requirements.

Like other state laws, Colorado’s newest approved bill signals to healthcare organizations that you can no longer wait for federal mandates to suggest how you protect your patients’ information. You must prepare for potential changes now or risk suffering the consequences.

Here’s what we know about the new law and how it could affect your organization.

Who is Affected?

First off, it’s important to note that Colorado’s law will impact not only businesses located within its borders but also entities who handle healthcare information of residents of the state.

This includes organizations that handle health information but don’t qualify as HIPAA covered entities (CEs) or business associates (BAs), meaning organizations like healthcare app developers and vendors who maintain health data like biometrics acquired from wearable devices or mobile apps. Furthermore, the new law applies to educational institutions that create or maintain health information that is subject to the Family Educational Rights and Privacy Act (FERPA).

Other important changes made in the Colorado law include the expansion of the definition of personal information to include more than just Social Security numbers, driver’s license numbers and financial account information. For instance, “biometric” information is now included under the banner of breached personal information subject to notification.

How to Prepare

While the Colorado state law precedes HIPAA requirements for notification by 30 days, it is less strict than California’s law, which requires notification at 15 days. Furthermore, Colorado’s law defines a “security breach” as the unauthorized acquisition of unencrypted data, versus Florida’s protective law that covers unauthorized access as well.

The time for resting on one’s laurels has passed.

Healthcare and associated organizations need to go beyond HIPAA-required protections to account for the evolving landscape of patient data protection. As healthcare breaches continue to increase, no business, small or large, is immune to the threats of improperly managed data.

The best way to find your footing and make the necessary updates to your data management plan is to identify gaps in your current strategy. Look for opportunities to get ahead of forthcoming state laws and install proactive notification measures across your IT security network.

For insights into industry-wide trends, key cybersecurity risks you need to be aware of and best practices for preventing cyber-attacks and managing sensitive patient information, download our white paper below.

Download the Whitepaper