As in many states, Colorado businesses, legal offices and medical practices are legally required to protect against data breaches, and in some cases notify residents if their personal information has been compromised. Here’s what the law requires and how you can be compliant.
There are several federal laws in place that give specific requirements for protecting personal and confidential information.
The HIPAA Privacy Rule requires all covered entities to put in place “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” such as prescriptions, diagnoses, and treatment information.
Entities covered by HIPAA include hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, and company health plans.
The U.S. Department of Health and Human Services recommends “shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.”
In 2009, the Health Information Technology for Economic and Clinic Health (HITECH) act added mandatory fines for violations, and raised the maximum penalty amount to $1.5 million.
FACTA Disposal Rule
The Disposal Rule, which is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and is enforced by the Federal Trade Commission (FTC), requires all businesses and individuals that collect information for the purposes of establishing a consumer’s eligibility for credit, employment, or insurance (including employment background, check-writing history, insurance claims, residential or tenant history, or medical history) to take appropriate measures to dispose of sensitive information.
Entities covered by the Disposal Rule include consumer reporting companies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, attorneys, private investigators, debt collectors, and individuals who obtain a credit report on prospective nannies, contractors, or tenants.
Proper destruction includes burning, pulverizing, or shredding papers containing consumer report information so that the information cannot be read or reconstructed, and destroying or erasing electronic files or media containing consumer report information so that the information cannot be read or reconstructed.
The Gramm-Leach-Bliley Act
Aimed specifically at financial institutions, the Gramm-Leach-Bliley Act requires financial services companies including banks, investment firms, insurance companies, payday lenders, and check-cashing businesses, to keep customer information secure and dispose of it properly by shredding or otherwise destroying documents so they can’t be read or reconstructed.
Penalties for noncompliance can include 5 years in prison, plus up $100,000 for each violation.
Colorado State Laws
Public entities must have a records retention schedule, which lists all records maintained by the agency and how long they need to be kept. The retention schedule must be signed by the Colorado State Archivist and the State Auditor’s Office.
The Colorado State Archives recommends that confidential record be destroyed by shredding or by a professional company that can certify secure document destruction.
For more information, see the Records Management section of the Colorado Archives website.
While the state of Colorado does not specify how sensitive patient medical documents should be destroyed, the Colorado Medical Board recommends keeping patient records for 7-10 years after the last date of treatment. Colorado medical entities are bound by the requirements of HIPAA for proper document destruction requirements.
The data privacy and security of students in Colorado are protected by the new Student Data Transparency and Security Act, which covers how public and charter schools, school boards, and school districts collect and store student and educator records.
For more information, visit the Colorado Department of Educations Data Privacy and Security page.
Companies & Individuals
Any individual or private or public company (including nonprofits) that conducts business in Colorado and collects or personal information as part of their business is covered by several state data privacy laws.
The Colorado Consumer Protection Act requires businesses that collect personal identifying information to implement a policy for the proper destruction or disposal of documents containing that sensitive information. That information can include Social Security numbers, personal identification numbers, passwords, ID numbers, passport numbers, and fingerprints and other biometric data.
The Colorado Data Breach Law, which applies to any individual or company that conducts business in Colorado and collects personal information from Colorado residents, dictates how customers are notified if a data breach causes that personal information to be stolen, exposed, or otherwise compromised.