New Colorado Notification Requirements


Colorado Governor John Hickenlooper recently signed into law House Bill 18-1128 with the aim of improving privacy and security for all organizations, across all industries, including health care, within Colorado.  Colorado now joins Florida as one of the toughest states for breach notification timelines.


Many states are overhauling data privacy and security laws due to recent massive breaches; the state of North Carolina is considering allowing only 15 days to report a breach!



What does this act entail?

This act requires Covered Entities and Governmental Entities in Colorado that maintain paper or electronic documents that contain personal identifying information to:

  • Develop and maintain written policies and have practices in place to protect that information from unauthorized access, use, modification, disclosure or destruction;

  • Implement and maintain reasonable security procedures and practices that are appropriate to the nature of personal identifying information and the nature and size of the business;

  • Require that third party service providers implement and maintain reasonable security procedures and practices;

  • Put in place security breach notification requirements that require notice to residents no later than 30 days after the discovery of the breach.


In health care, many of these requirements are already followed, thanks to HIPAA; however, one of these requirements stands out and allows less time for health care providers to notify affected individuals of a security breach.  Federal law under HIPAA states that Covered Entities have 60 days to notify affected individuals after the discovery of the breach.  Colorado law now requires all organizations, including health care organizations, to notify individuals within 30 days – half the time required by HIPAA.


This act was introduced in January and unanimously passed in the State House Committee on May 29, 2018.  It will take effect on September 1, 2018.


What do I need to know about the changes to security breach notification?

  • When a Covered Entity becomes aware that a security breach may have occurred, the Covered Entity shall conduct a prompt, good-faith investigation

  • Notice includes the following forms:

    • Written notice to the postal address listed in the records of the Covered Entity

    • Telephone notice

    • Electronic notice (if primary means of communication by the Covered Entity with a Colorado resident is by electronic means)

  • Notice to residents must be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after the discovery date of the breach

  • Notice must include:

    • Date, estimated date or date range of the breach

    • Description of the personal information acquired

    • Ways to contact the Covered Entity

    • Toll-free numbers, addresses, and websites for consumer reporting agencies

    • Toll-free number, address, and website for the Federal Trade Commission

    • Statement the resident can obtain information from the Federal Trade Commission and credit reporting agencies about Fraud alerts and security freezes

  • If the affected individual’s online login information was possibly affected, the Covered Entity should direct the affected individual to promptly change his or her password and security question and answer

  • The Covered Entity is prohibited from charging residents for the cost of providing the notice

  • A third-party service provider that discovers a breach must give prompt notice to, and cooperate with, the Covered Entity

  • If the Covered Entity is required to notify more than one thousand Colorado residents of a security breach, the Covered Entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of notification to residents and the approximate number of residents who are to be notified.  The Covered Entity is not required to provide them with the names or personal information of the residents.

  • The Covered Entity must provide notice of any security breach to the Colorado Attorney General no later than 30 days after the discovery date if the breach has affected 500 or more residents


The Attorney General may bring an action in law or equity to address violations of this act.  The Attorney General also has the authority to prosecute any criminal violations in relation to this act.





To review the law and know what is required of you as a health care provider before it goes into effect on September 1, 2018, click here.


