In The News

New Privacy and Data Security Laws Affecting Psychologists

By Terry Cipoletti, Esq., Caplan and Earnest, LLC

In May 2018, (former) Governor Hickenlooper signed three changes into Colorado law that effectively increased the obligations and potential financial penalties on most businesses operating in Colorado, including psychologists. These new privacy and data security laws went into effect last year on September 1, 2018. Whether you are a solo practitioner or part of a larger practice, if you keep any paper or electronic document with a patient’s “personal identifying information” as part of your practice, then you must comply with the new privacy laws. Additionally, if you keep “personal information” about a Colorado resident in electronic format as part of your practice, then you must comply with the newly amended data security law. Even if your practice is already subject to HIPAA (the federal Health Insurance Portability and Accountability Act), HIPAA only establishes a floor and not a ceiling in the law, meaning the State of Colorado may build additional protections on top of HIPAA.

The two new privacy laws apply to “personal identifying information,” while the new data security law applies to “personal information.” There is significant overlap between these two types of information, but the phrases are not identical. 

Personal identifying information means a social security number; personal identification number; password; pass code; government-issued driver’s license or ID card number; government passport number; biometric data (used for authenticating an individual for an online account); an employer, student or military ID number; or a financial transaction device (which includes any type of card or account [but not checks] that can be used to obtain cash, goods, services or to make financial payments).

Personal information means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following unencrypted data elements: social security number; student, military, or passport ID number; driver’s license number or ID card number; medical information; health insurance ID number; or biometric data. Personal information also includes a Colorado resident’s username or email address in combination with a password or security questions and answers; or account number or credit or debit card number in combination with any required security code or password that would permit access to the account.

 If you keep any of the above-referenced types of information, which most professionals (or their contracted billing companies) do, you need to be sure that you are complying with the new laws to protect your patients’ rights and to avoid potential monetary and other significant penalties. Even if your practice already has safeguards and written policies and procedures in place to comply with HIPAA, these new laws create a few additional and more restrictive obligations above and beyond what HIPAA may require. The following is a summary of some critical aspects of the new privacy and data security laws that every psychologist operating a practice in Colorado needs to be aware of and consider. 

Under C.R.S. § 6-1-713.5, if psychologists maintain, own or license personal identifying information in any aspect of their businesses, under the new law, they must enact reasonable security (safeguarding) procedures and practices to protect patients’ personal identifying information from unauthorized access, use, modification, disclosure, or destruction. What is “reasonable” is based in part on the nature and size of the business.

Under C.R.S. § 6-1-713, psychologists who maintain personal identifying information, whether in paper or electronic format, must develop a written policy for the destruction or proper disposal of the information. The written policy, unless otherwise required by state or federal law or regulation, must require that when the personal identifying information is no longer needed, it will be destroyed by shredding, erasing, or other modification to make the information unreadable or indecipherable. The new statute makes clear that other Colorado laws and Board policies still control and dictate how long mental health records must be kept by licensed healthcare professionals. For psychologists who are subject to the safeguarding obligations that HIPAA has created, the most notable change under the new privacy laws is the obligation to have an express written destruction policy.

Lastly, under C.R.S. § 6-1-716, the legislature amended the security breach provisions of the Colorado Consumer Protection Act: (a) broadening the type of personal information covered by the security breach statute to include medical information, (b) significantly expanding those to whom businesses must now report a breach, and (c) greatly reducing the amount of time in which healthcare professionals (and all businesses) must provide notice of a breach. For any psychologist who is subject to this section and experiences a security breach, the psychologist, generally within 30 days, must notify each Colorado resident whose personal information was involved. If the breach affected 500 or more Colorado residents, the psychologist must also notify the Colorado Attorney General’s office within 30 days. Additionally, if a breach affects more than 1,000 Colorado residents, the psychologist must also notify the three national consumer reporting agencies (Equifax, Experian, TransUnion), generally within 30 days. Where HIPAA allowed healthcare providers a maximum of 60 days after discovery of a breach to provide individuals notice, Colorado’s new law has generally cut that time in half. The clock for notice starts ticking on the date the psychologist becomes aware that a security breach may have occurred. Like HIPAA, Colorado’s new security breach statute, with limited exception, does not create leeway to extend the notification deadline nor does it create any exemption based on the size of your practice.

In summary, the new laws require subject businesses, including solo practitioners: (1) to create security procedures to protect personal identifying information, (2) to develop a written policy for the secure destruction of the personal identifying information when it is no longer needed, and (3) to give notice within 30 days when a breach of any computerized personal information about a Colorado resident has occurred.


The April TCP Is Now Available

Posted: April 1, 2019

Members of CPA, your April edition of The Colorado Psychologist is now available! Please click here to access your newsletter.

Inside April's Issue:

- Message from the President
- CPA Calendar of Events
- Message from the Editors
- Interview with a Psychologist: Joyce L. Fine, PhD
- What's New at CPA
- New and Returning CPA Members
- Message from a CPA Board Member
- Message from APA Counsel Rep. for CO
- Will Psychoactive Drugs Give us a New Way to Heal?
- The Use of Medical Marijuana for Chronic Pain
- Advertising Rates



2019 Green Symposium - Two Weeks Away!

Posted: February 9, 2019 

Date: April 8, 2019
Time: 9:00am - 12:00pm
Location: COPIC Insurance Company, Mile High room 

**Online Registration closes Thursday, April 4th

 Register Here!


Join CPA and presenter Dr. Stuyt for her program on Monday, April 8 from 9:00am - 12:00pm. The Green Symposium is an annual gathering hosted by the Colorado Psychological Association. The Symposium focuses on the latest developments and research findings regarding cannabis. It began in 2017 in an effort to disseminate information to behavioral health care providers and others in the treatment community.

Marijuana Impact Assessment – The Consequences of High Potency THC Marijuana
Dr. Stuyt, MD

Level of Programming: Introductory

Program Description: 
Advocates for the legalization of medical and retail marijuana are quick to point out all the possible benefits that a community might see from such a venture. These include increased jobs, increased tax revenue, and possible medical benefits, and they advertise it as “safe” and “healthy” and “organic”. They utilize the words “cannabis” and “marijuana” for everything without differentiating between the different forms of cannabis that can have very different effects on the mind and body. However, without any clear guidelines or regulations from government officials, the cannabis industry has taken a page from the tobacco and alcohol industries’ playbook and developed strains of marijuana and concentrated marijuana products with much higher concentrations of THC, the psychoactive component that causes addiction. Dr. Stuyt will cover how marijuana use contributes to addiction, depression, anxiety, suicidal ideation and psychosis.

**3 CE Credits Available!

CE Price: $25.00

At the conclusion of this presentation, participants should be able to:

  1. Recognize the difference between different forms of cannabis including hemp, CBD products and high potency THC plants and concentrates.
  2. Describe the effect of THC on the developing brain.
  3. Discuss the role high potency THC cannabis plays in addiction, anxiety, depression, suicide, psychosis and cognitive impairment.


 The Colorado Psychological Association is approved by the American Psychological Association to sponsor continuing education for psychologists. CPA maintains responsibility for this program and its contents.



CPA Member - Psychologist: $65.00
Non-Member - Psychologist: $75.00

CPA Member - Student: $10.00
Non-Member - Student: $15.00





SAMD EVENT: “Toward Right Relationship with Native People”

Posted: March 21, 2019

Date: Tuesday, April 9, 2019
Time: 7:00pm – 9:00 pm
Location: Parkhill United Methodist Church, 5209 Montview Blvd, Denver (NW corner of intersection at Montview and Glencoe)

This event is a monthly group conversation/workshop for individuals interested in participating in an open discussion of inter-racial issues.  There is an emphasis on current events within a historical context and how issues of race, ethnicity, gender and other aspects of our identity interact with the cultural communities in which we live. Ever respectful of differing opinions, participants are encouraged to discuss racial/cultural issues in an inclusive, nonjudgmental way. The activity for the April meeting as described by Boulder Friends is:

"An experiential workshop tracing the historic and ongoing impacts of the Doctrine of Discovery, the 15th-century justification for European subjugation of non-Christian peoples. Our goal is to raise our level of knowledge and concern about these impacts, recognize them in ourselves and our institutions, and explore how we can begin to take actions toward right relationship with Native peoples."

For those interested in attending this event, we ask you to come to the Omonoia Greek Bakery (free coffee or tea to the first 10 arriving) to meet with other members of the CPA community attending this event. If unable to attend the pre-event meeting, please join us at Parkhill United Methodist Church. All are welcome and we look forward to seeing you there.


Pre-event meet up is at Omonoia Greek Bakery for free coffee or tea to the first 10 people arriving!

Time: 6:00 pm – 6:40 pm
Location: Omonoia Greek Bakery & Café: 2813 E. Colfax, Denver (across from East High School)

Please RSVP by no later than Thursday, April 4th to Reine Evereteze, Psy.D. (SAMD Chair) at 303-202-6143 or email: [email protected]



APA’s Testing Code Advocacy

Posted: March 26, 2019

APA has heard from many psychologists experiencing issues with reimbursement for psychological and neuropsychological testing using the new CPT codes that went into effect on January 1, 2019. APA is fighting for psychologists for timely and proper payment. They are collecting information about which companies/payers are not paying, paying very low rates, or otherwise creating claims reimbursement problems. 

APA is proactively contacting insurance companies to help educate them on applying the new testing codes correctly to pay psychologists. Current reports indicate Medicare should be operational, but there are reported problems with 15 states’ Medicaid plans and several commercial payers. Reports across the country indicate that many commercial insurers have been starting to process and pay claims.

Help APA collect data by participating in a survey to assess how the new psychological and neuropsychological testing codes are working. Please complete the survey by clicking on this link.