Can I avoid having a data breach response plan in Colorado? What are the requirements?
Data Breach Response Plan Requirements in Colorado
Colorado law requires that governmental entities that maintain, own, or license computerized data that includes personal information about a resident of Colorado must have a data breach response plan in place [1.1].
Definition of Personal Information
Personal information is defined as a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: Social security number; driver’s license number or identification card number; student, military, or passport identification number; medical information; health insurance identification number; or biometric data [1.1].
Notification Requirements
If a governmental entity becomes aware that a security breach may have occurred, it must conduct a prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a Colorado resident has occurred or is reasonably likely to occur, the governmental entity must give notice to the affected Colorado residents in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred [1.1].
The notice must include the date, estimated date, or estimated date range of the security breach; a description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach; information that the resident can use to contact the governmental entity to inquire about the security breach; the toll-free numbers, addresses, and websites for consumer reporting agencies; the toll-free number, address, and website for the Federal Trade Commission; and a statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes [1.1].
Penalties for Non-Compliance
The attorney general may bring an action for injunctive relief to enforce the provisions of the data breach response plan requirements in Colorado [1.1].
Conclusion
In summary, Colorado law requires that governmental entities that maintain, own, or license computerized data that includes personal information about a resident of Colorado must have a data breach response plan in place. If a security breach occurs, the governmental entity must conduct a prompt investigation and give notice to the affected Colorado residents. Failure to comply with these requirements may result in penalties enforced by the attorney general.
Additionally, there are no provisions in Colorado law that allow for avoiding the requirement of having a data breach response plan in place [1.1].
Network Access Plan Reporting Requirements
If you are a carrier offering a network in Colorado, you must establish that your network has an adequate number of providers and facilities within a reasonable distance. You must also have a documented, quantifiable, and measurable process for monitoring and assuring the sufficiency of the network on an ongoing basis, so that it meets the health care needs of the populations enrolled in your managed care plans [3.1].
You must also report the specific provider and facility types that will be measured and reported in the network access plan filed via SERFF. Those provider and facility types include, but are not limited to: acute care hospital services; primary care providers (PCP); providers who may be available through the use of telehealth; pharmacy providers within a reasonable distance and/or delivery time, which can include retail and/or mail-order pharmacy providers; and other provider and facility types [3.1].
Data Reporting Requirements for Out
If you are a carrier in Colorado, you must report data on out-of-network claims processed for non-emergency services received at an in-network facility by an out-of-network provider, and concerning claims processed for emergency services received at an out-of-network facility. The report must include the total amount charged by and paid to the out-of-network provider types, the number of claims denied or resolved by the out-of-network provider types, the total number of out-of-network claims processed, the total number and amount allowed prior to the application of the covered person’s cost-sharing requirements for each of the payment methodologies contained in § 10-16-704(3)(d), C.R.S., and more [2.1].
Source(s):
- [1.1] Governmental entity - notification of security breach.
- [2.1] Data Reporting Requirements for Out
- [3.1] Network Access Plan Reporting Requirements
Jurisdiction
Colorado