Candor in Colorado: New Statutory Protections for Communications About Adverse Health Care Incidents

On Monday, July 1, 2019, Colorado’s Candor Act will go into effect, making it one of four states in the U.S. to adopt such a law. The Candor Act establishes a process for keeping communications between a patient and health care provider or health facility privileged following an adverse health care incident. Described as an “Open Discussion,” this process allows health care providers or health facilities to communicate with patients and families about a patient’s physical injury or death, conduct an investigation into a health care incident, and if appropriate, provide an offer of compensation because of the physical injury or death. If the statute’s steps are followed, the communications, investigation, and offer of compensation are privileged, confidential, not subject to discovery or subpoena, and are inadmissible at trial, an arbitration hearing, or certain administrative proceedings.

To achieve this protection, requirements of the statute must be fulfilled. For instance, the health care provider or health facility must notify the patient or her family of the intention to engage in an Open Discussion within 180 days after the provider knew about the incident. The patient must be advised of her rights to receive medical records, to have legal counsel if she chooses during the Open Discussion process, and to be notified of applicable limitation periods, among other requirements. If the patient agrees to participate in the Open Discussion, she must provide her agreement in writing.

As a condition of an offer of compensation, the provider or facility may require the patient to execute a release to resolve the health care incident. If the provider initiates the process properly, then upon successful resolution and receipt of compensation the event is likely not subject to certain reporting otherwise required by the Colorado Medical Board, Colorado Board of Nursing, other Colorado licensing boards, or the National Practitioner Data Bank. The law specifies that “candor compensation” is not considered a payment resulting from a written claim or demand for payment, a claim for purposes of reporting to a licensing board or insurance commissioner, or a payment resulting from a settlement, final judgment, administrative action or arbitration award.

Providers and facilities should be cautioned that the protections of the statute do not extend to certain materials that were not prepared specifically for an Open Discussion. When proceeding under this process, consult legal counsel with expertise in the subject to ensure compliance with the nuances of the law and to be advised of other risks. Providers and facilities should require all involved parties to sign documents as a condition of any compensation paid.

Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, will go into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Personal information is defined broadly under the new law to include a resident’s first name or first initial and last name (e.g., Jane Doe or J. Doe), in combination with one of the following: medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; driver’s license number or identification card. Personal information also includes—even when not tied to a resident’s name—a resident’s username or email address with a password or a security question and answer that permits access to an online account, or an account number or credit/debit card number in combination with a security code, access code or password that permits access to an online account.

Businesses that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law. Additionally, businesses need to operationalize procedures designed to ensure that employees and third-party service providers are adhering to privacy policies, since mere “paper compliance” falls short of protecting against the risk and exposure attendant to a breach.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more or 1000 residents or more, businesses must notify the Colorado Attorney General and certain consumer reporting agencies, respectively.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA), C.R.S. §6-1-713, et seq., and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to treble (or triple) damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office for Civil Rights (OCR) for HIPAA violations should serve as a caution. Not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies; now more than ever, individual or class action liability also seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if they adhere to that regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that the mandates of the various applicable laws are reconciled against each other. For example, Colorado’s breach notification provision indicates that the shortest applicable time period for notice to affected individuals will control. Healthcare entities, which are typically subject to HIPAA’s 60-day notification requirement, need to implement measures to comply with the shortened period under Colorado law.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. A thorough risk analysis of the type of data maintained should be completed. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other portable electronic devices on which electronic media is stored should be routinely tracked. Physical security controls should be identified and regularly reinforced.
  2. Employees must be routinely trained in data privacy and security policies and procedures. Handbooks should be updated, and it is a good idea to assess whether to require nondisclosure and confidentiality agreements. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for all employees accessing the sensitive information, especially for departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain reasonable assurances of compliance with the new law. Contractual documents should reflect vendors’ obligation to adhere to data maintenance, destruction and breach notification policies so that a coordinated and rapid response to a security incident is set in motion.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification measures.

Conclusion:

The U.S. Department of Health and Human Services (HHS) recently announced that it is seeking comments regarding potential changes in HIPAA and 42 CFR Part 2,¹ with the indication that action to reform the rules will be taken to ease the regulatory burden on the healthcare sector and coordinate better care at a lower cost. These efforts, however, must be juxtaposed with HHS’s continued aggressive enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules² and many States’ efforts to enact their own heightened data security and breach laws.³

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.
___________________________________________________________________

¹ 42 CFR Part 2 is a federal privacy law governing the confidentiality of individuals seeking treatment for substance use disorders from federally assisted programs.
² Of note is a recent ruling by an HHS Administrative Law Judge upholding $4.3 million in civil monetary penalties after The University of Texas MD Anderson Cancer Center reported three separate data breaches involving an unencrypted laptop and USB drives.
³ The California legislature’s recent passage of a sweeping consumer privacy law is just one such example.