
Colorado Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Colorado.

30-day breach deadline · 10-year retention · Colorado PDMP · Stricter than HIPAA

Colorado healthcare compliance is shaped by HB 18-1128 (codified at C.R.S. §6-1-716) and overlaid by the Colorado Privacy Act, producing one of the tighter breach-notification regimes in the Mountain West: 30 days from determination of a security breach, with the Colorado Attorney General's office notified when 500 or more Colorado residents are affected. Civil penalties under the Colorado Consumer Protection Act can reach $20,000 per violation. Medical records retention is governed by CDPHE 6 CCR 1011-1 Chapter 4, requiring ten years from date of last encounter — among the longest general retention windows in the country — and a pediatric overlay extending to age of majority plus ten years. The Colorado Department of Public Health and Environment (CDPHE) handles communicable-disease reporting on a 24-hour clock, and the Colorado Board of Pharmacy administers the Colorado PDMP. For a Denver, Colorado Springs, or Boulder practice, that combination — 30-day breach window, ten-year retention, every-Rx PDMP — produces one of the most compressed breach-response timelines and one of the longest evidence-preservation tails in the country, simultaneously.

Breach Notification Rules

Notification deadline: 30 calendar days
Notification must be made within 30 days after determination of a security breach. The AG must be notified if 500+ Colorado residents are affected.

AG notification threshold: 500+ affected individuals (notify: AG)

Harm analysis required: Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range: Up to $20,000 per violation under Consumer Protection Act

Stricter than federal HIPAA

Enforcement Posture

The Colorado Attorney General has taken an active posture on healthcare data privacy, leveraging both HB 18-1128 breach notification and the Colorado Privacy Act's consumer-data provisions to pursue enforcement under the Consumer Protection Act. Enforcement priorities have clustered around late breach notifications crossing the 30-day clock, ransomware events with delayed disclosure, third-party-vendor breaches where the practice failed to notify in its own right, and harm-analysis documentation gaps. Civil penalties under the Consumer Protection Act can reach $20,000 per violation, and the AG's office has been one of the more visible state regulators on data-broker and health-app privacy issues. Colorado's Medical Board separately pursues PDMP and prescribing-pattern enforcement through licensing discipline, and the CDPHE prosecutes communicable-disease reporting failures. The active posture means contemporaneous breach documentation and prompt notification carry real value.

Medical Records Retention

Record type        Retention period   Measured from
General medical    10 years           Last treatment
Pediatric          10 years           Patient turns 18

Controlled-Substance Prescription Monitoring (Colorado PDMP)

The Colorado PDMP, administered by the Colorado Board of Pharmacy at coloradopdmp.com, requires a check on every controlled-substance prescription, with delegation permitted to registered clinical staff. Carve-outs apply for hospice patients, active cancer treatment, ≤5-day emergency supplies, medication-assisted treatment for opioid use disorder, and inpatient administration. The 5-day ER window is one of the more generous in the Mountain West, but the Medical Board has been active in pursuing pattern-of-missing-PDMP-query cases as licensing discipline matters in addition to civil penalties up to $5,000 per violation.

Check required: Every prescription

Check frequency: Every prescription

Delegation allowed: Yes — licensed staff may query under prescriber oversight

Penalty range: Licensing board discipline; civil penalties up to $5,000 per violation

Exemptions: Hospice patients, cancer treatment, ≤5-day supply in ER, medication-assisted treatment for opioid use disorder, inpatient administration

How Colorado Rules Hit by Specialty

Pediatrics

Colorado's pediatric retention rule extends ten years past age of majority — meaning a chart for a patient last seen at age 5 must be retained until that patient turns 28. Denver- and Boulder-area pediatric practices should set destruction policies to hold pediatric charts until age 28 and treat any earlier purge as a documentation gap. CDPHE auditors actively check pediatric retention in licensure surveys.

Behavioral health

Colorado behavioral health practices face overlapping breach-notification, Colorado Privacy Act consumer-data, and federal 42 CFR Part 2 substance-use rules. A breach affecting Part 2 records triggers both the 30-day HB 18-1128 clock and the federal Part 2 re-disclosure framework. The Colorado AG has been active on cross-cutting consumer-privacy enforcement, and behavioral-health breaches involving consumer-facing apps draw heightened scrutiny.

Pain management

Colorado was an early state for opioid-prescribing reform, and the Colorado PDMP requires a check on every controlled-substance prescription with carve-outs for hospice, cancer, ≤5-day ER supplies, and medication-assisted treatment. Civil penalties up to $5,000 per violation attach to missing PDMP queries, on top of standard Medical Board licensing discipline.

Telehealth providers

Telehealth providers prescribing to Colorado residents must register with the Colorado PDMP regardless of physical location, and any breach affecting Colorado residents triggers the 30-day HB 18-1128 clock — among the shortest in the country. The Colorado Attorney General has been active in pursuing out-of-state telehealth providers whose breach-notification timing slipped past 30 days, leveraging the Consumer Protection Act's $20,000-per-violation civil penalty range.

Mandatory Reporting Obligations

Child abuse
Mandated reporters: Physicians, surgeons, nurses, dentists, psychologists, social workers, pharmacists, and other medical professionals
Report to: County Department of Human/Social Services or local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Class 3 misdemeanor, up to $750 fine and/or 6 months jail
Immunity provision: Good faith reporters immune from civil and criminal liability

Adult Protective Services reports
Mandated reporters: Physicians, surgeons, nurses, dentists, psychologists, and other healthcare professionals
Report to: County Department of Human/Social Services, Adult Protective Services
Timeline: Immediately / as soon as possible
Penalty for failure: Class 3 misdemeanor
Immunity provision: Good faith reporters immune from civil and criminal liability

Domestic violence injuries
Mandated reporters: Healthcare providers treating injuries from domestic violence (mandatory reporting requirement for healthcare professionals)
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Class 2 petty offense
Immunity provision: Good faith reporters immune from civil liability

Communicable diseases
Mandated reporters: Physicians, nurses, laboratory directors, and healthcare facility administrators
Report to: Colorado Department of Public Health and Environment or local public health agency
Timeline: Within 24 hours
Penalty for failure: Misdemeanor, up to $1,000 fine
Immunity provision: Good faith reporters immune from civil liability

Gunshot and stab wounds
Mandated reporters: All healthcare providers treating gunshot or stab wounds
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Class 2 petty offense
Immunity provision: Good faith reporters immune from civil and criminal liability

Colorado Compliance FAQs

Colorado's breach-notification statute requires notification within 30 days after determination of a security breach — one of the tighter windows in the country, half the federal HIPAA 60-day outer limit. If 500 or more Colorado residents are affected, the Colorado Attorney General's office must also be notified. Civil penalties under the Colorado Consumer Protection Act can reach $20,000 per violation, and harm-analysis documentation is required to support any decision not to notify.

Colorado requires pediatric record retention until age of majority (18) plus ten years — meaning a chart for a patient last seen at age 5 must be retained until age 28. The rule is set by CDPHE 6 CCR 1011-1 Chapter 4, and adult retention is also ten years from last encounter. Denver- and Colorado-Springs-area pediatric practices should align destruction policies to age 28, and CDPHE auditors actively check pediatric retention during licensure surveys.

Yes. The Colorado PDMP permits delegation to registered clinical staff including medical assistants, registered nurses, and licensed practical nurses, provided each delegate registers under the supervising prescriber at coloradopdmp.com. The prescriber remains accountable for the PDMP check on every controlled-substance prescription, with carve-outs for hospice, cancer, ≤5-day ER supplies, MAT, and inpatient administration. Civil penalties up to $5,000 per violation attach to noncompliance, on top of Medical Board licensing discipline.

The Colorado Attorney General's office must be notified when a breach affects 500 or more Colorado residents. Same 30-day window applies. Breaches below the 500-resident threshold still require individual notification within 30 days but no AG filing. The Colorado AG has been one of the more active state regulators in pursuing late breach-notification enforcement under the Consumer Protection Act, with civil penalties up to $20,000 per violation.

Failing to file a mandated child-abuse report in Colorado is a Class 3 misdemeanor under C.R.S. §19-3-304, carrying up to $750 in fines and/or six months in jail. Healthcare professionals — physicians, surgeons, nurses, dentists, psychologists, social workers, pharmacists — are mandated reporters to the County Department of Human/Social Services or local law enforcement. Good-faith reporters are immune from civil and criminal liability, and reports must be filed on reasonable suspicion.

Stay audit-ready in Colorado

GuardWell tracks Colorado-specific breach deadlines, retention periods, Colorado PDMP queries, and mandatory reporting obligations automatically.
