New Privacy and Data Security Laws Affecting Psychologists

By Terry Cipoletti, Esq., Caplan and Earnest, LLC

In May 2018, (former) Governor Hickenlooper signed three changes into Colorado law that effectively increased the obligations and potential financial penalties on most businesses operating in Colorado, including psychologists. These new privacy and data security laws went into effect last year on September 1, 2018. Whether you are a solo practitioner or part of a larger practice, if you keep any paper or electronic document with a patient’s “personal identifying information” as part of your practice, then you must comply with the new privacy laws. Additionally, if you keep “personal information” about a Colorado resident in electronic format as part of your practice, then you must comply with the newly amended data security law. Even if your practice is already subject to HIPAA (the federal Health Insurance Portability and Accountability Act), HIPAA only establishes a floor and not a ceiling in the law, meaning the State of Colorado may build additional protections on top of HIPAA.

The two new privacy laws apply to “personal identifying information,” while the new data security law applies to “personal information.” There is significant overlap between these two types of information, but the phrases are not identical.

Personal identifying information means a social security number; personal identification number; password; pass code; government-issued driver’s license or ID card number; government passport number; biometric data (used for authenticating an individual for an online account); an employer, student or military ID number; or a financial transaction device (which includes any type of card or account [but not checks] that can be used to obtain cash, goods, services or to make financial payments).

Personal information means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following unencrypted data elements: social security number; student, military, or passport ID number; driver’s license number or ID card number; medical information; health insurance ID number; or biometric data. Personal information also includes a Colorado resident’s username or email address in combination with a password or security questions and answers; or account number or credit or debit card number in combination with any required security code or password that would permit access to the account.

If you keep any of the above-referenced types of information, which most professionals (or their contracted billing companies) do, you need to be sure that you are complying with the new laws to protect your patients’ rights and to avoid potential monetary and other significant penalties. Even if your practice already has safeguards and written policies and procedures in place to comply with HIPAA, these new laws create a few additional and more restrictive obligations above and beyond what HIPAA may require. The following is a summary of some critical aspects of the new privacy and data security laws that every psychologist operating a practice in Colorado needs to be aware of and consider.

Under C.R.S. § 6-1-713.5, psychologists who maintain, own or license personal identifying information in any aspect of their businesses must enact reasonable security (safeguarding) procedures and practices to protect patients’ personal identifying information from unauthorized access, use, modification, disclosure, or destruction. What is “reasonable” is based in part on the nature and size of the business.

Under C.R.S. § 6-1-713, psychologists who maintain personal identifying information, whether in paper or electronic format, must develop a written policy for the destruction or proper disposal of the information. The written policy, unless otherwise required by state or federal law or regulation, must require that when the personal identifying information is no longer needed, it will be destroyed by shredding, erasing, or other modification to make the information unreadable or indecipherable. The new statute makes clear that other Colorado laws and Board policies still control and dictate how long mental health records must be kept by licensed healthcare professionals. For psychologists who are subject to the safeguarding obligations that HIPAA has created, the most notable change under the new privacy laws is the obligation to have an express written destruction policy.

Lastly, under C.R.S. § 6-1-716, the legislature amended the security breach provisions of the Colorado Consumer Protection Act: (a) broadening the type of personal information covered by the security breach statute to include medical information, (b) significantly expanding those to whom businesses must now report a breach, and (c) greatly reducing the amount of time in which healthcare professionals (and all businesses) must provide notice of a breach. For any psychologist who is subject to this section and experiences a security breach, the psychologist, generally within 30 days, must notify each Colorado resident whose personal information was involved. If the breach affected 500 or more Colorado residents, the psychologist must also notify the Colorado Attorney General’s office within 30 days. Additionally, if a breach affects more than 1,000 Colorado residents, the psychologist must also notify the three national consumer reporting agencies (Equifax, Experian, TransUnion), generally within 30 days. Where HIPAA allowed healthcare providers a maximum of 60 days after discovery of a breach to provide individuals notice, Colorado’s new law has generally cut that time in half. The clock for notice starts ticking on the date the psychologist becomes aware that a security breach may have occurred. Like HIPAA, Colorado’s new security breach statute, with limited exception, does not create leeway to extend the notification deadline, nor does it create any exemption based on the size of your practice.

In summary, the new laws require subject businesses, including solo practitioners: (1) to create security procedures to protect personal identifying information, (2) to develop a written policy for the secure destruction of the personal identifying information when it is no longer needed, and (3) to give notice within 30 days when a breach of any computerized personal information about a Colorado resident has occurred.