Colorado Gov. John Hickenlooper signed into law expansive consumer data legislation that mandates all organizations report breaches within 30 days, making it the shortest turnaround for any state.

There are no exemptions from the notification rule, meaning healthcare organizations must report within 30 days -- half the time required by HIPAA. The legislation updates the state’s current notification language that states notification must happen without “reasonable delay.”

Introduced in January, the bill unanimously passed in the State House Committee. The aim is to drastically improve privacy and security for all organizations within the state.

The legislation overlaps with HIPAA requirements, as lawmakers added medical and health insurance identification data to the types of information covered by the law.

[Also: The biggest healthcare data breaches of 2018 (so far)]

And if there’s “a conflict between the time period for notice to individuals [under Colorado law or federal regulation or law], the law or regulation with the shortest time frame for notice to the individual controls," the bill states.

Colorado providers also need to keep in mind the bill’s language goes past HIPAA requirements for covered information and includes passwords, passcodes and similar data. Providers should review the law before it goes into effect on Sept. 1.

With the governor’s signature, Colorado joins Florida as one of the toughest states for breach notification timelines. Florida also has a 30-day notification law, but there’s a clause that gives organizations an extra 15 days if there’s a “good cause for delay.”

Colorado is just one of many states overhauling data privacy and security laws in the wake of the massive breaches that impacted Verizon, Equifax and a long list of others. Right now, North Carolina is considering what’s possibly the toughest turnaround, which would give just 15 days to report a breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com