Awareness article
Colorado Privacy Act and HIPAA: What Colorado Clinics Must Know
The Colorado Privacy Act (CPA) exempts HIPAA-covered entities for PHI in covered transactions, but Colorado clinics may face CPA obligations for health data collected outside those transactions. This guide explains the overlap and the gaps.
Short answer
The Colorado Privacy Act (C.R.S. § 6-1-1301 et seq., effective July 1, 2023) exempts protected health information that a HIPAA covered entity or business associate collects, stores, and processes under HIPAA, but Colorado clinics that collect health data through non-HIPAA patient portals, wellness programs, or scheduling apps run by vendors without a BAA may face CPA obligations for that data. The CPA requires privacy notices, consumer rights (access, correction, deletion, portability, and opt-out), consent before processing sensitive data, and data protection assessments for high-risk processing.
The Colorado Privacy Act (CPA, effective July 1, 2023) creates a layered compliance picture for your clinic: HIPAA governs PHI from covered transactions, and the CPA governs health-related data collected through other channels. Getting the boundary right requires knowing exactly where the CPA’s HIPAA exemption applies and where it stops.
CPA Scope and the HIPAA Exemption
The CPA, codified at C.R.S. §§ 6-1-1301 through 6-1-1313, applies to entities that conduct business in Colorado or target products or services to Colorado residents, and that meet one of two thresholds: (1) control or process the personal data of 100,000 or more Colorado consumers per calendar year, or (2) derive revenue from selling personal data and control or process the personal data of 25,000 or more Colorado consumers.
The thresholds count Colorado consumers, which the CPA defines as residents acting in an individual or household context. The definition excludes individuals acting in a commercial or employment context and job applicants, so employee and applicant records do not count toward the threshold. Patients, portal users, newsletter subscribers, and identifiable website visitors do count, and the count is of unique consumers rather than records. A clinic that does not sell personal data is measured only against the 100,000-consumer threshold. Note, though, that the CPA defines a sale as an exchange of personal data for monetary or other valuable consideration, so sharing data with an advertising or analytics partner in return for a discounted service can bring the lower 25,000-consumer threshold into play.
The HIPAA exemption
C.R.S. § 6-1-1304(2) provides that the CPA does not apply to protected health information as defined under HIPAA to the extent the entity is subject to HIPAA. The exemption also extends to information maintained in the same manner as PHI — de-identified data or limited data sets as defined under 45 CFR § 164.514.
The exemption is data-specific, not entity-specific. Being a HIPAA-covered entity does not give your clinic a blanket exemption — only data that qualifies as HIPAA-governed PHI is exempt. Health information collected through a wellness portal outside a covered transaction, appointment requests through a website form without a BAA, or patient satisfaction surveys containing health information may not qualify for the exemption.
Sensitive Data: The CPA’s Health Categories
Under C.R.S. § 6-1-1303(25), the CPA identifies “sensitive data” as a category requiring heightened protection. The health-related categories of sensitive data include:
- Personal data that reveals a consumer’s mental or physical health condition or diagnosis
- Genetic data
- Biometric data that may be processed for the purpose of uniquely identifying an individual
These categories are defined by what the data reveals, whereas HIPAA’s PHI definition turns on who holds the data and in what capacity. Under C.R.S. § 6-1-1308(7), a controller may not process sensitive data without first obtaining the consumer’s consent, and the CPA’s definition of consent requires a clear, affirmative act that is freely given, specific, informed, and unambiguous; acceptance of general terms of use, continued use of a site, or consent obtained through a dark pattern does not qualify. If your clinic collects a patient’s mental health diagnosis through a channel that does not qualify as a HIPAA-covered transaction, you have collected CPA-sensitive data and need documented consent before processing it, on top of the general CPA obligations.
Consumer Rights Under the CPA
Consumers whose data is covered by the CPA have the following rights under C.R.S. § 6-1-1306:
Right of access. Consumers may request confirmation of whether a controller is processing their personal data and, if so, to receive a copy of that data.
Right to correction. Consumers may request correction of inaccurate personal data, considering the nature of the data and the purposes of processing.
Right to deletion. Consumers may request deletion of personal data the controller has collected about them.
Right to portability. Consumers may request that their personal data be provided in a portable, technically feasible format.
Right to opt out. Consumers may opt out of the processing of their personal data for (1) targeted advertising, (2) the sale of personal data, and (3) profiling in decisions producing legal or similarly significant effects.
Controllers, the entities that determine the purposes and means of processing, must respond to a consumer request within 45 days of receipt. That period may be extended once by 45 additional days where reasonably necessary, provided the consumer is told of the extension and the reason for it within the initial 45 days. If the controller declines to act on a request, it must tell the consumer how to appeal. The controller must respond to an appeal in writing within 45 days (extendable by 60 additional days where reasonably necessary) and, if the appeal is denied, must give the consumer a way to contact the Colorado attorney general to submit a complaint.
The deletion and access rights under the CPA apply to CPA-covered data, which for a clinic means non-HIPAA health data. If your clinic receives deletion requests for this category of data, you need a response process separate from your HIPAA records retention process — HIPAA-required records cannot be deleted on consumer request, but CPA-covered data carries no HIPAA retention obligation.
Data Protection Assessments
C.R.S. § 6-1-1309 requires controllers to conduct and document a data protection assessment before processing personal data that presents a heightened risk of harm to consumers. The statute identifies the following as per se high-risk activities requiring an assessment:
- Processing sensitive data (including health diagnoses and treatment information)
- Selling personal data
- Processing for targeted advertising
- Processing for profiling that involves risk of harm to consumers
If your clinic processes health diagnosis or condition data through a CPA-covered system — a non-HIPAA patient portal, a wellness program database, a survey platform — you must document a data protection assessment before beginning or continuing that processing. The assessment must identify and weigh the benefits of the processing against potential risks to consumers.
Data protection assessments do not need to be submitted to the Colorado AG but must be available to the AG upon request during a civil investigation. Maintaining these assessments is a key CPA documentation obligation.
Colorado Breach Notification: C.R.S. § 6-1-716
Colorado’s data breach notification law, at C.R.S. § 6-1-716, requires notice to affected Colorado residents in the most expedient time possible and without unreasonable delay, and no later than 30 days after the date of determination that a security breach occurred. The 30-day deadline is stricter than HIPAA’s ceiling of 60 calendar days from discovery. When a breach affects 500 or more Colorado residents, the Colorado AG must also be notified within the same 30-day window, and when more than 1,000 Colorado residents must be notified, the clinic must also notify the consumer reporting agencies of the timing, distribution, and content of the notices.
The breach statute applies to any “covered entity”, a term it defines independently of HIPAA: any person or commercial entity that maintains, owns, or licenses personal identifying information about Colorado residents in the course of its business, vocation, or occupation. Colorado clinics fall squarely within that definition whether or not they are HIPAA covered entities, so do not assume the HIPAA meaning of the term when reading the state statute.
Personal identifying information subject to Colorado breach notification includes a first name or initial and last name combined with any of: Social Security number; student, military, or passport identification number; driver’s license or state ID number; medical information; health insurance identification number; biometric data; or an account, credit card, or debit card number together with the code or password that permits access to the account. A username or email address combined with a password or security question and answer is also covered on its own, without a name.
For a Colorado clinic that suffers a breach involving PHI, both regimes apply at once: HIPAA’s Breach Notification Rule governs the notices to individuals, HHS, and (for 500 or more affected individuals) the media, while C.R.S. § 6-1-716 governs the notices to Colorado residents and the state AG. The statute provides that where the state and federal timing requirements conflict, the shorter period controls, so in practice the 30-day Colorado deadline governs when the individual notices go out. A single notice that satisfies the HIPAA content requirements can serve both purposes, but it has to be sent within 30 days of determination, not 60, and the state AG notice has its own 30-day clock that the HHS filing does not satisfy.
Mental Health Record Protections in Colorado
Colorado has specific mental health record protections under the Colorado Mental Health Practice Act (C.R.S. § 12-245-101 et seq.) and the Colorado Mental Health Care Confidentiality Act (C.R.S. § 27-65-121). Under the Mental Health Care Confidentiality Act, information and records regarding persons who have sought or received treatment for mental health disorders are confidential and may only be disclosed as specifically authorized by the Act.
The confidentiality provisions under C.R.S. § 27-65-121 apply to mental health facilities and to licensed mental health professionals providing treatment. For a clinic providing any mental health services, these protections operate alongside HIPAA’s restrictions on psychotherapy notes (45 CFR § 164.508(a)(2)) but apply more broadly to all mental health treatment records, not just psychotherapy notes specifically.
Action Items for Colorado Clinics
Map your data beyond PHI. Conduct an inventory of health-related data collected outside covered transactions. Common sources include patient intake websites, wellness portals, employee health programs, and patient communication platforms that are not business associates.
Assess CPA threshold applicability. Determine whether your clinic meets the CPA’s 100,000-consumer threshold or, if it sells personal data in the CPA’s broad sense, the 25,000-consumer threshold. Count unique Colorado residents acting in an individual or household capacity (patients, portal users, newsletter subscribers, identifiable website visitors); employees and job applicants are outside the CPA’s definition of consumer and do not count.
Conduct data protection assessments. For any CPA-covered data processing that involves health diagnosis, condition, or treatment information, document a data protection assessment before processing begins.
Update breach response procedures. Incorporate Colorado’s 30-day notification deadline, the AG notification trigger for breaches affecting 500 or more Colorado residents, and the consumer reporting agency notice for breaches affecting more than 1,000. Existing HIPAA breach notification templates are a reasonable starting framework, provided the timelines are tightened to the Colorado deadline.
Review vendor contracts. Vendors processing CPA-covered data need a written contract that meets the processor requirements at C.R.S. § 6-1-1305: processing instructions, confidentiality duties, subcontractor flow-down, deletion or return of data at the end of the engagement, and cooperation with data protection assessments. This is in addition to, not a substitute for, HIPAA BAA requirements, and the same vendor inventory you keep for BAAs can be extended to track which vendors touch CPA-covered data.
The HIPAA Security Rule’s administrative safeguards (45 CFR § 164.308) remain the baseline security program for a Colorado clinic; the CPA’s duty of care for personal data is layered on top of them rather than replacing them.
PHIGuard helps Colorado clinics maintain HIPAA compliance documentation, breach notification timelines, and vendor tracking in one system — with flat per-clinic pricing and no per-user fees. See PHIGuard’s compliance tools or review pricing.
Sources
- Colorado Privacy Act — C.R.S. § 6-1-1301 et seq. · Colorado General Assembly
- Colorado Breach Notification — C.R.S. § 6-1-716 · Colorado General Assembly
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR