Complying with HIPAA alone won't cut it - Covered entities need to keep up with changes in state laws

For healthcare organizations operating in multiple states, compliance with privacy and security rules takes more than understanding HIPAA. Add Colorado to the list of states with new laws that set special requirements for reporting breaches to the attorney general and that define personal information to include biometric data. While HIPAA allows up to 60 days to notify an individual of a breach, and also up to 60 days to report breaches of more than 500 individuals to the Office for Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the most recent state to join the club of states with more stringent reporting rules than HIPAA requires, a club that also includes, most recently, Alabama, which enacted a 45-day time frame.