Privacy & Security

Colorado proposes requiring data breaches to be reported in 30 days

The amended bill that would cut breach reporting time in half for healthcare providers, unanimously passed a State House committee meeting last week.
By Jessica Davis
February 19, 2018
11:45 AM

The Colorado legislature is considering a bill to drastically improve the state’s privacy and data security law, including giving organizations just 30 days to report a breach.

Introduced in January, the amended bill passed unanimously in the House Committee on State, Veterans and Military Affairs on Feb. 14.

The proposed bill overlaps between HIPAA and state privacy laws, as legislators added medical information and health insurance identification numbers to the types of personal information covered by the bill. This includes the timeframe.

[Also: North Carolina proposes law requiring data breaches to be reported in 15 days]

Current Colorado privacy laws state organizations must report without “reasonable delay,” while HIPAA regulation requires healthcare organizations report breaches within 60 days after a breach is discovered.

The proposed rule creates a 30-day breach notification rule, from the time the organization determines “there is sufficient evidence to conclude that a security breach has taken place."

And “in the case of a conflict between the time period for notice to individuals [under Colorado law or federal regulation or law], the law or regulation with the shortest time frame for notice to the individual controls," according to the amended bill.

[Also: Iowa legislature proposes requiring orgs to report breaches within 45 days]

Also noteworthy, the bill’s language regarding personal information extends further than HIPAA language to include passwords, passcodes and the like, so providers will need to make sure they are compliant with the state’s statute.

The legislation has been referred to the Committee on Appropriations for consideration. If the bill passes, Colorado would join Florida as the toughest states on breach notification timelines.

[Also: Proposed Senate bill would fine, jail execs who conceal data breaches]

Florida also has a 30-day notification rule, but allows an additional 15 days if there’s a “good cause for the delay.”

States have been steadily proposing modifications to privacy laws, given the increase in cyberattacks. For example, North Carolina is currently considering legislation to give organizations just 15 days from time of discovery to report a breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Government & Policy, Privacy & Security

More regional news

Two medical researchers in a lab look at information on a laptop

New NIH tool uses genAI to connect volunteers with clinical trials

By
Andrea Fox
November 26, 2024
A pharmacist doing an inventory using a digital tablet

Singapore General Hospital developing AI to prevent antibiotic resistance

By
Adam Ang
November 25, 2024
View of Mount Sinai Health System buildings in Manhattan

Mount Sinai Health announces new Center for AI and Human Health

By
Andrea Fox
November 25, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Two medical researchers in a lab look at information on a laptop
New NIH tool uses genAI to connect volunteers with clinical trials

Most Read

FCC set to require georouting for 988 Lifeline calls, enhancing access to local services
Sens. Warner & Wyden seek healthcare cybersecurity mandates in new bill
Epic calls on Carequality to release Particle dispute resolution
VP candidates' EHRs may have been improperly accessed by VA employees
5G will power the next evolutionary stage of healthcare in APAC
Healthcare workforces need to prep for deep fakes and AI-enabled cyberattacks

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Paul Wilder at CommonWell Health Alliance_Part 2_Digital binary code with springing lock Photo by JuSun/iStock/Getty Images Plus
Notching up FHIR at scale - Part 2
Paul Wilder at CommonWell Health Alliance_Part 1_Digital binary code with springing lock Photo by JuSun/iStock/Getty Images Plus
Notching up FHIR at scale - Part 1
David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes

More Stories

David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
Stethoscope on an iPad
HIMSSCast: Care provider or tool? When and why patients like AI
EHR tips on migrating an all-digital hospital to Epic
Patient in mask talking to receptionist in mask
Almost a quarter of Americans underinsured, survey finds
VA building signage
House passes veterans healthcare package without RESET Act
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
David Miles of Oklahoma Heart Hospital
Deep dive: A tour of all-digital Oklahoma Heart Hospital, where automation is the norm
Healthcare workers looking at X-ray images on monitors
Streamlining healthcare operations with multicloud-by-design