Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance

Can I use third-party project management tools that collect personal information in Colorado? What are the requirements?

October 18, 2023

Based on the provided context documents, if a third-party project management tool collects personal information in Colorado, the following requirements must be met:

Requirements for Record Keeping and Reporting

If a third party makes a request for a record from a state agency and the record contains personal identifying information, the state agency shall retain a written record containing the following information:

The request
The date of the request
Whether the request was granted or denied
The name and title of the state agency employee who granted or denied the request
A description of the articulated purpose of the request
The identity of the requestor, including the federal office or agency or other entity that requested information, the name of the individual requestor, and, if the requestor is a law enforcement officer, the individual’s badge number
A summary of why the request was granted or denied ^[1.1]

Requirements for Authorization for Disclosure of Nonpublic Personal Information

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. However, there are exceptions to this requirement, including for activities related to claims administration, underwriting, policy placement or issuance, loss control, ratemaking and guaranty fund functions, reinsurance and excess loss insurance, risk management, case management, disease management, quality assurance, quality improvement, performance evaluation, provider credentialing verification, utilization review, peer review activities, actuarial, scientific, medical or public policy research, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, auditing, reporting, database security, administration of consumer disputes and inquiries, external accreditation standards, the replacement of a group benefit plan or workers’ compensation policy or program, activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit, any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services, disclosure that is required, or is one of the lawful or appropriate methods, to enforce licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes, and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process ^[4.3].

Public Access to Procurement Information

Procurement records shall be open for public inspection after the award as provided in sections 24-72-203 and 24-72-204. The executive director may promulgate rules to clarify the process for classifying confidential or proprietary information in procurement records ^[2.1].

Based on the provided context documents, there are no specific requirements for third-party project management tools that collect personal information in Colorado. However, if the personal information collected falls under the definition of nonpublic personal health information or personal identifying information, the requirements for authorization and record keeping and reporting must be met. Additionally, procurement records shall be open for public inspection after the award as provided in sections 24-72-203 and 24-72-204.

Source(s):

Jurisdiction

Colorado

Privacy