According to bizjournals.com, any HIPAA-covered entities that do business in Colorado will now have 30 days to notify Coloradans (or Coloradoans, if you prefer) of a data breach involving personal information, and not the customary 60 calendar days under HIPAA. The reason? A bill on data security that went into effect in September.
As usual, the use of encryption provides safe harbor. Indeed, the bill – HB18-1128 – goes out of its way to define data breaches as unauthorized access to “unencrypted” personal information. Furthermore, it notes that cryptographically protected information is still subject to the reporting requirements if the encryption key is compromised; that “encryption” is whatever the security community generally holds to be as such; and that a breached entity does not need to provide notification if it determines that “misuse of information… has not occurred and is not reasonably likely to occur.”
In the past, variations of that last part were heavily criticized. Naturally, it’s in the breached entity’s interest to declare that there won’t be misuse of the hacked information, ergo no need to inform anyone about it. In 2018, however, it’d be a laughable position to take.
Surprising Development? Not Really
Colorado’s “encroachment” on HIPAA can take one aback but this would be merely a knee-jerk reaction to unfamiliar news: to date, if one was covered under HIPAA, state privacy and information security laws left HIPAA-covered entities alone. But there’s absolutely no reason for it. After all, it wouldn’t be the first time that a state decided to pass laws that are more severe than federal ones.
Furthermore, think about the purpose of notifications. Supposedly, it’s so (potentially) affected individuals can get a start on protecting themselves. If the past ten years have shown us anything, it’s that receiving a notification 30 days after the discovery of a data breach can already be too late. In that light, waiting 60 days could be disastrous.
It’s a wonder that HIPAA hasn’t updated its rules to reflect reality. HIPAA was, arguably, a trailblazer when it came to protecting personal information, with its no-nonsense approach and enforcement of the rules. That last one was a biggie: When Massachusetts General Hospital (MGH) was fined $1 million in 2011 – the largest amount at that time for a data breach – the medical sector not only took notice, they went into action. At minimum, entities started to encrypt their laptops; those paying attention did far, far more.
At the time, HIPAA’s 60-day deadline was seen as revolutionary by some (if memory serves, existing data breach laws didn’t codify a deadline for alerting people). Of course, companies being what they are, covered-entities ended up doing as most people feared would do: they put off sending notifications for as long as possible, like mailing letters on the 59th day.
Not everyone did this and HIPAA specifically prohibited the practice. A handful were fined as a result of purposefully delaying the inevitable. But waiting until the last possible moment to send notifications appears to be the ongoing behavior, regardless. The same thing happens for non-HIPAA data breaches, except that most states have set a 30-day limit, so companies send it on the 29th day.
Update Those BA Docs!
Unsurprisingly, Colorado’s law also affects business associates to HIPAA-covered entities. All hospitals, clinics, private practitioners, and others in the medical sector should immediately update legal documents that establish obligations between themselves and BAs.
Remember, a covered entity’s data breach is the covered entity’s responsibility, and a BA’s data breach is also the covered entity’s responsibility.
Related Articles and Sites: