Colorado Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Colorado.
Breach Notification Rules
Notification deadline
30 calendar days
Notification must be made within 30 days after determination of a security breach. AG must be notified if 500+ Colorado residents affected.
AG notification threshold
500+ affected individuals
Notify: AG
Harm analysis required
Penalty range
Up to $20,000 per violation under Consumer Protection Act
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
| Pediatric | 10 years | Patient turns 18 |
PDMP Requirements — Colorado PDMP
Check required
All controlled substances
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties up to $5,000 per violation
Exemptions
Hospice patients, cancer treatment, ≤5 day supply in ER, medication-assisted treatment for opioid use disorder, inpatient administration
Mandatory Reporting Obligations
Mandated reporters
Physicians, surgeons, nurses, dentists, psychologists, social workers, pharmacists, and other medical professionals
Report to
County Department of Human/Social Services or local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class 3 misdemeanor, up to $750 fine and/or 6 months jail
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Physicians, surgeons, nurses, dentists, psychologists, and other healthcare professionals
Report to
County Department of Human/Social Services, Adult Protective Services
Timeline
Immediately / as soon as possible
Penalty for failure
Class 3 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from domestic violence (mandatory reporting requirement for healthcare professionals)
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class 2 petty offense
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, nurses, laboratory directors, and healthcare facility administrators
Report to
Colorado Department of Public Health and Environment or local public health agency
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $1,000 fine
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot or stab wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class 2 petty offense
Immunity provision
Good faith reporters immune from civil and criminal liability
Stay compliant in Colorado
GuardWell tracks Colorado-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.