California and Colorado update laws on protected health information

January 25, 2019

A trend to watch: Last year, two states made significant changes to laws related to personally identifiable information and protected health information.

In 2018, Colorado and California made significant changes to their state laws related to personally identifiable information and protected health information. 

Effective Sept. 1, 2018, Colorado House Bill 18-1128 changed the procedures that Colorado businesses must follow. Although the changes to the law are extensive, HIPAA-regulated entities (e.g., covered entities, business associates, and subcontractors) are exempt from several of the changes, with the following caveats and exceptions.

First, the deemed compliance provision should be viewed as the general rule. Specifically, HIPAA-regulated entities that are in compliance with HIPAA’s rules and regulations are also deemed to be in compliance with the Colorado law.

Second, two exceptions to this general rule became effective:

  • HIPAA-regulated entities still must provide notice of a breach to affected individuals within 30 days (HIPAA has a 60-day provision) and

  • HIPAA-regulated entities must notify the Office of the Attorney General for the State of Colorado.

HIPAA also requires that notice be given to the secretary of the United States Department of Health and Human Services. Hence, physicians should be conscious of the parallel requirements under both Colorado law and HIPAA.

Effective Jan. 1, 2020, the California Consumer Privacy Act of 2018, officially called AB-375, grants consumers the right to request that a business disclose the categories and specific pieces of personal information it collects about a consumer. AB-375 requires entities that meet any of the following criteria to comply with the law:

  • annual gross revenue in excess of $25 million;

  • annually purchases, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or

  • derives at least 50 percent of its annual revenues from selling consumers’ personal information.

Most California physician practices probably do not meet these requirements; however, it is worth noting that under HIPAA patients have the right to request an accounting of to whom their protected health information was disclosed.

In terms of breach notification, California Civil Code s. 1798.29(a) [agency] and California Civil Code s. 1798.82(a) [person or business] require a state agency or a business, respectively, to notify a California resident of a breach of unencrypted personal information that was acquired, or is reasonably believed to have been acquired, by an unauthorized person.

By maintaining a pulse on changes in regulations and technology, physicians and their business associates can have reasonable assurance that the technical, administrative, and physical safeguards they attest to in their business associate agreements remain accurate. Physicians who stay current can mitigate their risks of breaches, harm to patients, and legal liability.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.