
Awareness article

HIPAA Compliance for Colorado Clinics: Federal and State Requirements

Colorado clinics must meet HIPAA plus the Colorado Privacy Act (C.R.S. § 6-1-1301), 30-day breach notification (C.R.S. § 6-1-716), and mental health records protections (C.R.S. § 27-65-121). Practical compliance guide with action items.

Short answer

Colorado clinics must comply with HIPAA and several state laws: the Colorado Privacy Act (C.R.S. § 6-1-1301, effective July 2023) adds health data protections and consumer rights, C.R.S. § 6-1-716 requires breach notification within 30 days, and C.R.S. § 27-65-121 restricts mental health records disclosures beyond HIPAA's defaults. The stricter standard governs in each situation.

Colorado now requires more than HIPAA compliance alone. The Colorado Privacy Act covers health data collected outside covered transactions. The state breach notification law gives you 30 days — half of HIPAA’s 60-day ceiling — to notify affected Colorado residents. And the mental health records confidentiality statute restricts disclosures that HIPAA’s treatment exception would otherwise permit.

This guide covers the HIPAA baseline, then the three Colorado-specific frameworks most relevant to small clinic operations: the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), the data breach notification law (C.R.S. § 6-1-716), and mental health records confidentiality under C.R.S. § 27-65-121. For a full comparison of the CPA and HIPAA, see Colorado Privacy Act vs HIPAA.

The HIPAA Baseline for Colorado Clinics

Colorado clinics that transmit health information electronically in standard transactions are covered entities under HIPAA. The Privacy Rule governs permissible uses and disclosures of PHI. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule requires timely notification after a breach of unsecured PHI.

Small clinics meeting the HIPAA baseline need a documented risk analysis, risk management plan, workforce training program, Business Associate Agreements with vendors (see how small clinics track vendor BAAs), and an incident response process aligned to breach notification requirements. See HIPAA administrative safeguards for the complete requirements.

HIPAA preemption rules at 45 CFR § 160.203 preserve state laws that provide greater privacy protections. Where Colorado law is stricter, Colorado law governs.

Colorado Privacy Act: C.R.S. § 6-1-1301

Colorado enacted the Colorado Privacy Act (CPA) effective July 1, 2023. The CPA applies to controllers and processors that conduct business in Colorado or produce commercial products or services intentionally targeted to Colorado residents, and that meet threshold criteria: processing the personal data of 100,000 or more consumers per year, or deriving revenue from the sale of personal data and processing the data of 25,000 or more consumers annually.

Covered data and the HIPAA exemption

The CPA defines sensitive data to include health condition or diagnosis, mental health condition or diagnosis, sex life or sexual orientation, racial or ethnic origin, religious beliefs, and certain biometric and genetic data. Health-related sensitive data receives heightened protection — controllers must obtain consent before processing it.

HIPAA-covered entities are exempt from CPA obligations to the extent the personal data they process is PHI subject to HIPAA, and the same exemption covers PHI maintained under HIPAA by business associates. This means most clinical patient records at a HIPAA-covered clinic are not subject to the CPA.

The exemption does not cover all data a modern clinic touches. Consider:

  • Digital health tools: A patient-facing wellness app that collects health data from individuals not yet in a clinical treatment relationship is collecting data outside the HIPAA-covered framework. That data may be subject to the CPA.
  • Website tracking: If a clinic’s website collects browsing behavior that can be associated with health conditions — through advertising pixels or analytics tools — that data may be sensitive data under the CPA.
  • Employer health programs: If the clinic operates employer wellness programs for other businesses’ employees, those records may be outside HIPAA’s covered entity framework and within the CPA’s scope.

Consumer rights under the CPA

The CPA grants consumers the right to:

  • Access personal data processed by the controller;
  • Correct inaccurate personal data;
  • Delete personal data provided by the consumer;
  • Obtain a portable copy of personal data;
  • Opt out of the processing of personal data for targeted advertising, sale, or certain profiling.

For sensitive data, including health data, consent is required before processing. Consumers have a right to withdraw consent, and controllers must provide a mechanism for withdrawal.

Data protection assessments

The CPA requires controllers to conduct data protection assessments for processing activities presenting heightened risks, including processing sensitive data. For a clinic that processes health data outside the HIPAA framework, a CPA data protection assessment is required and must be documented.

CPA enforcement

The Colorado AG has authority to enforce the CPA, with civil penalties available. The CPA does not create a private right of action — enforcement is through the AG. Before initiating an action, the AG must provide a 60-day cure period (available through January 2025; after that, cure periods are discretionary).

Colorado Data Breach Notification: C.R.S. § 6-1-716

Colorado’s breach notification law was amended in 2018 to impose one of the stricter deadlines in the country. Under C.R.S. § 6-1-716(2), any covered entity that becomes aware of a security breach affecting Colorado residents must notify affected residents in the most expedient time possible and no later than 30 days following discovery.

How this differs from HIPAA

HIPAA’s Breach Notification Rule at 45 CFR § 164.404 gives covered entities up to 60 calendar days from discovery to provide individual notices. Colorado’s 30-day ceiling cuts that timeline in half. For any breach affecting Colorado residents that also meets the HIPAA breach definition, the 30-day deadline governs.

What Colorado personal information includes

Colorado’s definition of personal information includes a Colorado resident’s first and last name, or first initial and last name, combined, when unencrypted, with any of the following: Social Security number, student or military ID numbers, financial account information, medical information, health insurance information, biometric data, or a username or email address together with a password. Health and medical information in patient records qualifies.

AG and credit bureau notification

When a breach affects 500 or more Colorado residents, C.R.S. § 6-1-716(4) requires the entity to notify the Colorado AG. When the breach affects 1,000 or more Colorado residents, notification to consumer reporting agencies is also required. These obligations are in addition to HIPAA’s requirement to notify HHS and potentially local media for large breaches.

What the notice must contain

Colorado law prescribes the content of breach notices in greater detail than HIPAA’s baseline requirements. A compliant notice under C.R.S. § 6-1-716(6) must include:

  • The date of the notice;
  • A description of the incident;
  • A description of the type of personal information acquired;
  • The date of the breach, if known, and the date of discovery;
  • What steps the entity has taken to protect information;
  • What affected individuals can do to protect themselves;
  • Contact information for the entity.

Clinics should maintain a breach notification template that satisfies both Colorado’s detailed content requirements and HIPAA’s requirements. See HIPAA breach notification templates for a starting framework.

Mental Health Records: C.R.S. § 27-65-121

Colorado Revised Statute § 27-65-121 governs the confidentiality of records and communications relating to persons who have been evaluated or treated for mental illness under Title 27 (Behavioral Health). The statute applies to records held by community mental health centers, psychiatric facilities, and other providers operating under the behavioral health framework.

Disclosure restrictions beyond HIPAA

Under C.R.S. § 27-65-121(1), all records maintained by mental health facilities and providers are confidential and may only be disclosed with the patient’s written consent or under specific statutory exceptions. Those exceptions include:

  • Treatment by another provider where disclosure is necessary for care coordination;
  • An emergency threatening the health or safety of the patient or others;
  • Court orders in specific proceedings;
  • Mandatory reporting requirements.

HIPAA’s Privacy Rule generally permits covered entities to disclose PHI for treatment, payment, and healthcare operations without patient authorization. Colorado’s § 27-65-121 does not incorporate the full treatment/payment/operations exception framework. For mental health records within its scope, Colorado law requires written consent for many disclosures a HIPAA-covered entity could otherwise make without one.

Substance use records and 42 CFR Part 2

Colorado clinics providing substance use disorder (SUD) treatment must also comply with 42 CFR Part 2, the federal SUD records confidentiality regulation, which is stricter than both HIPAA and Colorado general mental health records law in many respects. See the separate article on 42 CFR Part 2 for details.

Implications for integrated care practices

If your clinic integrates primary care and behavioral health, you must maintain separate authorization processes for behavioral health records. A single authorization permitting release of all medical records does not satisfy C.R.S. § 27-65-121 for mental health treatment records — configure your EHR to segregate and separately protect these records.

Four Action Items for Colorado Clinics

1. Set breach response to 30 days and configure AG notification triggers. Update your incident response procedure to reflect Colorado’s 30-day notification deadline. Build in a checkpoint that triggers AG notification when a breach affects 500 or more Colorado residents. Ensure your breach notification template includes all the content Colorado law requires under C.R.S. § 6-1-716(6).

2. Assess Colorado Privacy Act exposure for non-PHI health data. Audit your digital touchpoints outside the clinical treatment relationship: consumer-facing tools, wellness programs, website analytics. Identify any health data collected from individuals who are not your clinic’s patients. Evaluate whether the CPA applies and whether consent and data protection assessment procedures are needed.

3. Review mental health records authorization procedures. Audit your authorization forms and disclosure procedures for behavioral health and mental health records. Confirm they require specific written consent as C.R.S. § 27-65-121 demands, not just a general HIPAA authorization for treatment purposes.

4. Conduct a risk analysis with Colorado-specific risk factors. Use the HIPAA risk analysis worksheet as a foundation. Add Colorado-specific risk factors: 30-day breach response capacity, CPA applicability to digital tools, and mental health records handling. Document your risk management decisions to support your compliance posture in an AG investigation.

Staying Current in Colorado

The Colorado Privacy Act and AG enforcement guidance continue to develop. The Colorado AG’s office publishes consumer protection guidance and has signaled active interest in health data privacy enforcement. Small clinics should monitor AG guidance on the CPA and confirm their compliance posture annually.

PHIGuard helps Colorado clinics manage HIPAA compliance, vendor BAA tracking, policy documentation, and incident response — with current plan and BAA details published on the pricing page. Visit PHIGuard HIPAA or review pricing.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions related to this topic

Does the Colorado Privacy Act apply to my clinic's patient records?

HIPAA-covered entities are exempt from the Colorado Privacy Act to the extent the personal data they process is PHI governed by HIPAA. Most clinical patient records at a covered entity clinic are exempt. The CPA may apply to health data a clinic collects outside the treatment relationship — such as from a wellness app, consumer website, or scheduling tool used by individuals who are not yet the clinic's patients.

What is Colorado's breach notification deadline?

C.R.S. § 6-1-716(2) requires Colorado residents to be notified of a breach of security of personal information in the most expedient time possible and no later than 30 days following discovery. HIPAA allows up to 60 days. Colorado's 30-day deadline is the controlling standard for breaches involving Colorado residents.

How does Colorado mental health records law differ from HIPAA?

C.R.S. § 27-65-121 restricts disclosure of records and communications regarding persons who have been evaluated or treated for mental illness under Title 27. Disclosures to insurers, employers, and most third parties require specific written consent even when a HIPAA-compliant authorization or treatment exception would apply. Colorado law is stricter for mental health records.
