State Compliance

Colorado Privacy Act for Medical Practices: Where It Stacks on HIPAA

8 min read · Last reviewed May 23, 2026

The Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), effective July 1, 2023, applies to medical practices wherever non-PHI consumer data is processed — and the carve-out for HIPAA-covered information is narrower than most state privacy laws. The single biggest divergence: CPA's HIPAA carve-out under C.R.S. § 6-1-1304(2) excludes only the PHI itself, not the covered entity, so a HIPAA practice still has CPA obligations for its non-PHI data.

What the Colorado Privacy Act actually requires

The CPA, codified at C.R.S. § 6-1-1301 et seq., is a comprehensive consumer privacy statute administered by the Colorado AG. It applies to a "controller" that conducts business in Colorado or targets Colorado residents and that, during a calendar year, controls or processes the personal data of 100,000+ Colorado consumers, or 25,000+ consumers while deriving revenue from the sale of personal data.

Core obligations under the CPA:

  • Consumer rights under § 6-1-1306. Access, correction, deletion, portability, opt-out of targeted advertising, opt-out of sale, and opt-out of profiling for decisions producing legal or similarly significant effects. Controllers must respond within 45 days, extendable once for 45 more days.
  • Opt-in for sensitive data processing. C.R.S. § 6-1-1308(7) requires affirmative opt-in consent for processing "sensitive data," defined at § 6-1-1303(24) to include data revealing health condition or diagnosis, racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship status, genetic or biometric data, and personal data of a known child.
  • Privacy notice. § 6-1-1308(1) — a controller must provide a clear privacy notice detailing categories of personal data processed, purposes, categories of recipients, and the consumer's rights and how to exercise them.
  • Data protection assessments. § 6-1-1309 — controllers must conduct and document a data protection assessment before processing that presents a heightened risk of harm, including sensitive data processing and the sale of personal data.
  • Universal opt-out mechanism. § 6-1-1306(1)(a)(IV) — since July 1, 2024, controllers must recognize universal opt-out signals (browser-based "Global Privacy Control" signals) for opt-out of sale and targeted advertising.

The HIPAA carve-out at C.R.S. § 6-1-1304(2) is the scoping issue most healthcare practices misread. It excludes PHI processed by a HIPAA-covered entity or business associate, but it does not exclude the entity from CPA's reach for its other consumer data.

Where Colorado is stricter than HIPAA

The single comparative table a Colorado practice needs:

| Topic | HIPAA | Colorado CPA / breach statute | Stricter | |---|---|---|---| | Breach notification to individual | 60 days from discovery (45 CFR § 164.404(b)) | 30 days from determination of breach (C.R.S. § 6-1-716(2)(a)) | Colorado | | Sensitive-data consent | Authorization under 45 CFR § 164.508 for non-TPO uses | Opt-in consent for ALL sensitive data processing under C.R.S. § 6-1-1308(7) | Colorado | | Patient/consumer access response | 30 days, +30-day extension (45 CFR § 164.524(b)(2)) | 45 days, one 45-day extension (C.R.S. § 6-1-1306(2)(a)) | HIPAA tighter on PHI; CPA broader on consumer data | | Universal opt-out signals | Not required | Required as of 7/1/2024 (C.R.S. § 6-1-1306(1)(a)(IV)) | Colorado | | Data protection assessments | Optional risk analysis under Security Rule | Mandatory before high-risk processing (C.R.S. § 6-1-1309) | Colorado | | Notice to AG on breach | None | Required if 500+ Colorado residents (C.R.S. § 6-1-716(2)(g)) | Colorado | | Private right of action | None | None — AG only under C.R.S. § 6-1-1311 | Tie | | Civil penalty per violation | $145–$73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | Up to $20,000 per violation under C.R.S. § 6-1-112(1)(a); $50k against elderly | Colorado per-violation lower than top HIPAA tier |

Colorado's narrow health-data carve-out catches practices that thought CPA didn't apply because they're HIPAA-covered. The carve-out is information-specific: PHI is out, but anything else the practice processes — marketing analytics, employee personal data, prospect-list data, non-patient wellness program data — is in scope. A practice that runs an email-list lead-gen funnel on its website is processing CPA-regulated consumer data even if every patient encounter falls neatly inside HIPAA.

The 30-day breach-notice window under C.R.S. § 6-1-716 is the second consistent surprise. HIPAA gives 60 days; Colorado requires individual notice within 30 days of breach determination. For mixed-resident breaches, the practice runs the 30-day clock for Colorado residents and the 60-day clock for the HHS filing.

Where HIPAA is stricter than Colorado

The three areas where federal law is the harder rule:

  • Security Rule technical safeguards. The CPA requires "reasonable" security at C.R.S. § 6-1-1308(5) without prescribing specifics. HIPAA's Security Rule at 45 CFR Part 164, Subpart C sets a structured technical, administrative, and physical safeguards program — annual risk analysis, audit logging, encryption decisions, contingency plan, workforce sanction policy.
  • PHI access rule. HIPAA's 30-day individual access right under 45 CFR § 164.524(b)(2) is tighter than CPA's 45-day consumer access window. For PHI specifically, HIPAA's clock controls.
  • Authorization specificity for marketing. HIPAA's authorization requirements at 45 CFR § 164.508(a)(3) are more prescriptive than CPA's opt-in standard. Where a single patient encounter involves both PHI marketing (HIPAA-regulated) and non-PHI marketing (CPA-regulated sensitive data), the practice runs both regimes in parallel.

Breach notification timeline

Colorado's breach-notification statute at C.R.S. § 6-1-716 imposes a tighter outer deadline than HIPAA:

  • Individual notice within 30 days. § 6-1-716(2)(a) — notice to affected Colorado residents in the most expedient time possible and no later than 30 days after determining a breach occurred.
  • AG notice if 500+ Colorado residents. § 6-1-716(2)(g) — written notice to the Colorado AG within 30 days, with breach details and a sample of the notice sent to consumers.
  • Substitute notice available via statewide media when cost of direct notice exceeds $250,000 or more than 250,000 Colorado residents are affected.
  • HIPAA parallel. 45 CFR § 164.404 — 60-day individual notice; HHS report under 45 CFR § 164.408 within 60 days for 500+ affected.

The 30-day Colorado window applies regardless of whether the breached data is PHI or non-PHI consumer data. A mixed breach runs both clocks.

Penalties + private right of action

The numbers a Colorado practice needs:

  • Civil penalty under the Colorado Consumer Protection Act. C.R.S. § 6-1-112(1)(a) — up to $20,000 per violation; up to $50,000 per violation against elderly consumers (60+).
  • AG-only enforcement. C.R.S. § 6-1-1311 — the AG and district attorneys hold exclusive enforcement authority. No private right of action exists under the CPA.
  • No private right of action. Plaintiffs cannot bring direct CPA claims. Common-law negligence claims based on a CPA violation as the predicate breach-of-duty are theoretically available but have not yet produced significant judgments.
  • HIPAA OCR penalties continue to apply in parallel under 45 CFR § 160.404.

The AG's enforcement posture since CPA took effect has emphasized sensitive-data opt-in violations and inadequate universal-opt-out implementation. The 60-day cure period at C.R.S. § 6-1-1311(1)(d) — repealed effective January 1, 2025 — was the cushion early enforcement targets relied on; that cushion is now gone.

Compliance checklist for in-state practices

A Colorado-specific overlay to a HIPAA program:

  • Scope assessment — document which data flows fall inside the HIPAA carve-out at C.R.S. § 6-1-1304(2) and which fall outside. Marketing lists, web-form leads, employee data, and analytics typically fall outside.
  • CPA privacy notice that meets C.R.S. § 6-1-1308(1) for non-PHI consumer data, separate from the HIPAA Notice of Privacy Practices.
  • Opt-in consent flow for sensitive-data processing under § 6-1-1308(7), including any non-PHI health data collected from prospects or non-patients.
  • Universal opt-out recognition as of 7/1/2024 — your website must honor browser-based Global Privacy Control signals for opt-out of sale and targeted advertising.
  • Data protection assessment under § 6-1-1309 for any high-risk processing (sensitive data, sale, profiling), retained and produced on AG request.
  • 30-day breach notification runbook that triggers Colorado-resident individual notice within 30 days of breach determination, and AG notice if 500+ affected.
  • Consumer-rights response process under § 6-1-1306, with a 45-day response clock distinct from HIPAA's 30-day PHI-access clock.
  • Annual CPA training for marketing, web, and IT staff who handle non-PHI consumer data, separately documented from HIPAA training.

The d3rx compliance binder state-overlay branches on Colorado and produces the CPA-aware privacy notice template, the 30-day breach-response runbook, and the sensitive-data opt-in flow a Colorado practice runs alongside the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for actually executing the controls.

Cross-references: see Virginia CDPA for medical practices and Connecticut CTDPA for the comparable comprehensive state privacy laws a multi-state practice often runs alongside CPA.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversColorado Privacy Act for Medical Practices: Where It Stacks on HIPAA. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Does the Colorado Privacy Act apply to my patient marketing list?

Often yes. The CPA's HIPAA carve-out at C.R.S. § 6-1-1304(2) excludes PHI processed by a covered entity under HIPAA, but a patient marketing list assembled from non-PHI sources (web form opt-ins, purchased lists, public registry data) is not PHI and falls under the CPA. Practices that thought CPA didn't apply because they're HIPAA-covered have walked into AG enforcement when their patient-acquisition marketing pulled non-PHI data into CPA-regulated processing.

What's the difference between the CPA's HIPAA carve-out and Virginia's?

Narrower. Virginia's CDPA at Code of Virginia § 59.1-576 carves out the entire HIPAA-covered entity at the entity level. Colorado's CPA at C.R.S. § 6-1-1304(2) carves out only the *PHI*, not the entity. A HIPAA-covered Colorado practice still has CPA obligations for any consumer data that isn't PHI — employee data, prospect lists, web analytics, marketing data. This is the most-missed CPA scoping issue.

What does the Colorado AG actually enforce here — and how fast?

The Colorado AG and district attorneys hold exclusive CPA enforcement under C.R.S. § 6-1-1311. There is no private right of action. Civil penalties under the Colorado Consumer Protection Act run up to $20,000 per violation under C.R.S. § 6-1-112(1)(a) and up to $50,000 per violation against elderly consumers. The AG opened the first formal CPA investigations in 2024; enforcement priorities have focused on sensitive-data processing without explicit consent and inadequate opt-out mechanisms.

Does the 30-day breach notification window apply on top of HIPAA's 60 days?

Yes, for Colorado residents. C.R.S. § 6-1-716(2)(a) requires notice to affected Colorado residents in the most expedient time possible and no later than 30 days after determining a breach occurred. HIPAA's [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) gives 60 days for individual notice. A HIPAA-covered Colorado practice has to meet the 30-day Colorado deadline for Colorado residents, then the 60-day HHS deadline for the federal filing.

We're a small practice — is there a CPA threshold that exempts us?

Possibly. The CPA applies at C.R.S. § 6-1-1304(1)(a) only if you control or process personal data of (i) 100,000+ Colorado consumers per calendar year, or (ii) 25,000+ Colorado consumers and derive revenue from the sale of personal data. Most single-location practices don't hit the threshold. Multi-location systems, practices with large web-acquisition funnels, and any practice that 'sells' data — broadly defined under § 6-1-1303(23) — usually do.

Does CPA's 'sensitive data' definition include all my patient health information?

Yes, for any health information you process outside the HIPAA carve-out. C.R.S. § 6-1-1303(24) defines sensitive data to include 'personal data revealing a mental or physical health condition or diagnosis.' Sensitive data processing requires opt-in consent under § 6-1-1308(7). HIPAA PHI is carved out — but health information collected through a non-PHI channel (a wellness blog signup, a non-patient consult form) is CPA-regulated sensitive data and needs explicit opt-in.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. C.R.S. § 6-1-1301 et seq.https://leg.colorado.gov/
  2. 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  3. 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  4. 45 CFR § 164.508(a)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
  5. 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  6. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  7. 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides