Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, will go into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Personal information is defined broadly under the new law to include a resident’s first name or first initial and last name (e.g., Jane Doe or J. Doe), in combination with one of the following: medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; driver’s license number or identification card. Personal information also includes—even when not tied to a resident’s name—a resident’s username or email address with a password or a security question and answer that permits access to an online account, or an account number or credit/debit card number in combination with a security code, access code or password that permits access to an online account.

Business that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law. Additionally, businesses need to operationalize procedures designed to ensure that employees and third-party service providers are adhering to privacy policies, since mere “paper compliance” falls short of protecting from the risk and exposure attendant to a breach.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more or 1000 residents or more, businesses must notify the Colorado Attorney General and certain consumer reporting agencies, respectively.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA), C.R.S. §6-1-713, et seq., and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to treble (or triple) damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office of Civil Rights (OCR) for HIPAA violations should be cautionary. But, not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies, now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if adhering to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that the mandates of the various applicable laws are reconciled against each other. For example, Colorado’s breach notification provision indicates that the time period for notice to affected individuals with the shortest timeframe will control. Healthcare entities which are typically subject to a HIPAA’s 60-day notification requirement need to implement measures to comply with the shortened period under Colorado law.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. A thorough risk analysis of the type of data maintained should be completed. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.  Physical security controls should be identified and regularly reinforced.
  2. Employees must be routinely trained in data privacy and security policies and procedures. Handbooks should be updated and it is a good idea to asses whether to require nondisclosure and confidentiality agreements. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for all employees accessing the sensitive information, especially for departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain reasonable assurances of compliance with the new law. Contractual documents should reflect vendors’ obligation to adhere to data maintenance, destruction and breach notification policies so that a coordinated and rapid response to a security incident is set in motion.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification measures.

Conclusion:

The U.S. Department of Health and Human Services (HHS) recently announced that it is seeking comments regarding potential changes in HIPAA and 42 CFR Part 2,1 with the indication that action to reform the rules will be taken to ease the regulatory burden on the healthcare sector and coordinate better care at a lower cost. These efforts, however, must be juxtaposed with HHS’s continued aggressive enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules2 and many States’ efforts to enact their own heightened data security and breach laws.3

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.
___________________________________________________________________

1 42 CFR Part 2 is a federal privacy law governing the confidentiality for individuals seeking treatment for substance use disorders from federally assisted programs.
2 Of note is a recent ruling by a HHS Administrative Law Judge upholding $4.3 million in civil monetary penalties after The University of Texas MD Anderson Cancer Center reported three separate data breaches involving an unencrypted laptop and USB drives.
3 The California legislature’s recent passage of a sweeping consumer privacy law is just one such example.

Colorado Voters Approves “End of Life Options” Measure

On November 9, 2016, Colorado voters approved Proposition 106, the “End of Life Options” measure. Modeled after Oregon’s “Dignity in Death” law, it allows a Colorado resident who is terminally ill to seek a prescription for a lethal dose of medication if two doctors certify that the resident is mentally competent and has less than six months to live. The detailed act consists of 23 separate statutes, and it addresses a number of issues that may raise important questions for health care providers. For example, under Section 118 of the law, health care facilities (specifically including long term care facilities) are expressly permitted to bar employed or contracted physicians from writing a prescription for the terminal medication; obviously, health care facilities will need to decide whether – and how – their physicians will be allowed to participate in the right-to-die process. Look for updates from Gordon & Rees on key factors that health care providers must consider in upcoming weeks. The law is scheduled to become effective in the next month.

To read Proposition 106, the “End of Life Options” measure, please click here.

CMS ISSUES CHANGES TO REQUIREMENTS OF PARTICIPATION AFFECTING LTC FACILITIES: ARBITRATION IS OUT—ARE WAIVER OF JURY TRIALS IN?

Effective November 28, 2016, long-term care facilities that participate in Medicare and Medicaid will no longer be able to enter into “pre-dispute” agreements for binding arbitration with their residents.  The Centers for Medicare & Medicaid Services (CMS) issued the final rule on September 28, 2016, after consideration of extensive comments from key stakeholders in the long-term care community regarding proposed revisions.

Under the rule, a facility can ask a resident or a resident’s representative to enter into an arbitration agreement after a dispute arises.  However, the facility must comply with several requirements, such as ensuring that the agreement provides for the selection of a neutral arbitrator and a venue convenient to both parties.  Further, a resident’s right to remain in the facility cannot be contingent upon entering into the arbitration agreement and the agreement cannot contain language that discourages communications with federal, state or local surveyors and other officials.

As one of the more controversial changes, critics of the new arbitration rule have reacted strongly against the change and have commented that this part of the rule “clearly exceeds” CMS’s statutory authority.  In its response to public comments, CMS explains that the Secretary of Health and Human Services has the authority to administer the program under the Social Security Act by setting general practice parameters for payment under Medicare and Medicaid.  CMS further cites to its authority to promulgate regulations for residents’ health, safety and well-being and states that there is “significant evidence that pre-dispute arbitration agreements have a deleterious impact on the quality of care for Medicare and Medicaid patients.”  Nevertheless, there are several legal bases upon which to challenge the agency’s ability to preclude an arbitration agreement.

While CMS’s comments cite to a resident’s waiver of the right to a jury trial as a major factor considered in its decision to disallow pre-dispute arbitration agreements, the final rule does not expressly preclude jury trial waiver provisions within facility admissions agreements.  Jury waivers may help to address runaway verdicts that have become a concern in negligence cases in past years, while still respecting expressed concerns that arbitration presents undue costs to residents and creates an environment of “secrecy.”  Note that state law may vary on whether such waivers are enforceable.

Also remarkable is CMS’s comment that it will not address waiver of class-action litigation in this rule, but rather reserve the issue for consideration during future rulemaking.

The broad-sweeping final rule also contains several other provisions that directly affect compliance programs, training of nursing staff, updating infection and control programs, and other key requirements that long-term care facilities must comply with in order to participate in the Medicare and Medicaid programs.  It is advisable for long-term care facilities to promptly consult with a knowledgeable healthcare attorney to assess modifications to admissions packets and to otherwise establish the framework necessary to comply with the revised Requirements of Participation.