On May 29, 2018, Colorado Governor John Hickenlooper signed changes to Colorado law that significantly increase potential data breach burdens and financial penalties on entities operating in Colorado.1 Beginning September 1, 2018, any person – including a health care entity or professional – who maintains, owns, or licenses personal information must meet new requirements for storing and destroying information, as well as for alerting consumers of data breaches. Specifically, if an entity maintains the personal information of at least one Colorado resident, that entity must notify both the affected person(s) and the Colorado Attorney General of a breach “in the most expedient time possible,” and no more than 30 days after discovery.2 From a practical perspective, entities, including covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), should update existing policies, procedures, and forms to reflect the new data destruction and breach notification requirements, or risk facing significant penalties under the Colorado Consumer Protection Act. Healthcare entities especially should understand how the new law will affect them, and where it overlaps with and where it differs from existing requirements under HIPAA.
Please see full publication below for more information.