By Matt Ullrich

On September 1, 2018, Colorado’s new data protection law, HB 18-1128 or “Protections for Consumer Data Privacy,” became law.  Here are some helpful tips to make sure your health care organization is in compliance with the new law.

  1. Update your Health Insurance Portability and Accountability Act (“HIPAA”) Policies
    • If you’re a covered entity or business associate subject to HIPAA, you should have HIPAA privacy and security policies and procedures already in place.
    • Review these policies and procedures and update the ones focused on breaches, reporting, and notification.
    • The new law requires Colorado residents to be notified of a breach no later than thirty (30) days after the date of determination that a breach occurred. Additionally, if five-hundred (500) or more Colorado residents are impacted, the Colorado Attorney General’s Office must be notified within the same timeframe.
  2. Update your Business Associate Agreements (“BAAs”)
    • Require your business associates or subcontractor business associates through BAAs to comply with the new law and inform your organization of breaches within three (3) to five (5) calendar days at the most.
    • This will help provide your organization with enough time to meet the new notification requirements outlined above.
    • Consider adding an indemnification provision to protect your organization should your business associates or subcontractor business associates fail to comply with the new law. Mandate your business associates and subcontractor business associates use encrypted devices and software. Lastly, require your business associates and subcontractor business associates to maintain cyber liability insurance.
  3. Train your Employees
    • Consistently train and educate your employees on common ways breaches occur, what to do if an employee suspects a breach, notification timeframes, and sanctions or discipline that might occur for employees who fail to notify management of a potential breach.
    • Training your employees is crucial because violation of Colorado’s new data protection law could lead to civil and/or criminal prosecution.

These tips (although not exhaustive) can help your health care organization on the path towards compliance. If your health care organization is in need of assistance regarding Colorado’s new data protection law, please contact Caplan & Earnest.

Matthew Ullrich’s practice focuses on health law, specifically related to HIPAA, telehealth, Medicaid, Medicare, long-term care, behavioral health, and transactions.  He may be reached at 303-443-8010 or mullrich@celaw.com.