If you run a healthcare practice in Colorado, you are operating under two distinct privacy frameworks. HIPAA is the federal law most healthcare providers know — or at least know the name of. The Colorado Privacy Act (CPA) is a state-level consumer privacy law that took full effect in July 2023. The two laws were written for different purposes, cover different types of data, and impose different requirements. In some areas they overlap; in others they diverge significantly.
For a dental office manager or medical practice administrator, understanding the relationship between the two laws matters for a specific reason: the exemptions in the CPA that apply to HIPAA-covered information are narrower than many practices assume. If your practice handles personal data beyond clinical PHI — website visitor data, marketing contacts, employee records, or data from non-clinical applications — the CPA may apply to that data even if HIPAA doesn't.
What HIPAA Covers (and What It Doesn't)
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their Business Associates. It governs Protected Health Information (PHI) — individually identifiable health information that relates to a person's past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare.
Crucially, HIPAA doesn't govern all information a healthcare organization touches. It governs PHI specifically. That means:
- Employee records in your HR systems are generally not covered by HIPAA
- Website analytics data identifying visitors who haven't submitted patient information may not be PHI
- Marketing data for prospective patients who haven't become patients yet may not be PHI
- Contact information for vendors or business contacts isn't PHI
For these categories of non-PHI personal data, HIPAA provides no guidance. That's where the Colorado Privacy Act comes in.
What the Colorado Privacy Act Covers
The CPA is a broad consumer privacy law modeled partly on the European GDPR and partly on California's CCPA. It applies to businesses that conduct business in Colorado or target Colorado residents and meet either of these thresholds:
- Control or process the personal data of 100,000 or more Colorado consumers per year, OR
- Control or process the personal data of 25,000 or more Colorado consumers per year AND derive revenue (or discounts on goods/services) from the sale of personal data
Most small dental or medical practices will fall well below the 100,000 threshold. The 25,000 threshold with a revenue-from-data component is also unlikely to apply to a practice that doesn't sell data. However, practices that use advertising platforms, marketing analytics tools, or patient engagement software that shares data with third parties should verify their position under the CPA with an attorney.
Growing practices and the CPA threshold: A dental group with multiple locations, or a medical practice that uses a patient portal with broad adoption, could accumulate personal data records faster than expected. If your practice is growing, it's worth tracking your approximate data volume to know when the CPA thresholds become relevant.
Key Differences Between HIPAA and the CPA
The HIPAA Exemption in the CPA — and Its Limits
The CPA contains an exemption for data governed by HIPAA. Specifically, "protected health information" as defined by HIPAA is exempt from most CPA requirements, as are covered entities and Business Associates "to the extent they are complying with HIPAA."
This exemption is often summarized as "if you comply with HIPAA, you don't also have to comply with the CPA." That's an oversimplification that can create compliance gaps.
The exemption applies to PHI specifically — not to the covered entity as a whole, and not to all data the entity handles. A dental practice that:
- Runs a patient newsletter through a marketing platform that stores contact email addresses
- Tracks website visitor behavior through Google Analytics
- Uses a scheduling app where people can book appointments before becoming patients
- Collects employee data in an HR management system
...may have data in each of those categories that is not PHI and therefore not covered by the CPA's HIPAA exemption. If the practice meets the CPA's applicability thresholds, the CPA applies to that non-PHI personal data.
Breach Notification: Where the Two Laws Diverge Most
One of the most practically significant differences between HIPAA and Colorado's state law involves breach notification timelines. This matters directly for any Colorado practice that experiences a data security incident.
| Framework | Notification to Individuals | Notification to Regulator | Notes |
|---|---|---|---|
| HIPAA Breach Notification Rule | Within 60 days of discovery | HHS within 60 days (500+ records); within 60 days of year end (small breaches) | Applies to breaches of PHI; encrypted data may not be a reportable breach |
| Colorado Security Breach Notification Act (C.R.S. § 6-1-716) | Expeditiously, no later than 30 days after determination of breach | Colorado AG within 30 days if breach affects 500+ Colorado residents | Applies to "personal information" including SSNs, financial account data, medical/insurance info, and more |
Colorado's state breach notification law is more demanding than HIPAA on timing — 30 days versus 60 days. A Colorado healthcare practice experiencing a breach that triggers both laws must comply with the stricter timeline: 30 days. Missing the Colorado notification deadline creates state enforcement exposure even if the practice complied with HIPAA's 60-day window.
Colorado's state law also covers a broader definition of "personal information" than HIPAA's PHI. A breach involving employee Social Security numbers, patient financial account numbers, or non-medical personal information about Colorado residents could trigger Colorado notification requirements without necessarily triggering HIPAA (depending on whether PHI was involved).
Consumer Rights: A Gap Between the Laws
The CPA grants Colorado consumers meaningful rights over their personal data: the right to access it, correct inaccurate information, delete it, obtain a portable copy, and opt out of its use for targeted advertising or sale to third parties. HIPAA grants patients the right to access and amend their PHI, but not the broader suite of rights the CPA provides.
For a dental or medical practice that stores any personal data beyond clinical PHI — marketing lists, website visitor data, employee records — the CPA's consumer rights provisions apply to that data if the practice meets the applicability thresholds. A consumer who submits a deletion request under the CPA is exercising a right that HIPAA doesn't create, and the practice must have a process to respond.
The practical implication: if your practice is approaching CPA applicability thresholds, you need a process for responding to consumer rights requests that is separate from your HIPAA patient request process. These are different rights under different frameworks, and conflating them creates legal risk.
What This Means for IT Infrastructure
Both laws impose data security requirements, though they approach them differently. HIPAA's Security Rule requires specific Technical Safeguards — documented controls mapped to the regulation. The CPA requires "reasonable security practices appropriate to the volume and nature of the personal data at issue."
In practice, a healthcare practice with strong HIPAA-aligned security controls will generally satisfy the CPA's reasonable security standard for non-PHI data as well — the controls are not in conflict. The bigger challenge is data governance: knowing which systems hold which categories of data, which categories are PHI (and therefore governed primarily by HIPAA), and which are non-PHI personal data (subject to the CPA if applicable).
An IT provider working with a Colorado healthcare practice should understand both frameworks well enough to ask the right questions about data flows: which systems hold patient data, which hold non-patient personal data, how that data moves between systems and to third parties, and what the retention and deletion policies are. Most IT providers focus exclusively on HIPAA and don't address the CPA gap at all.
Summary: Operating Under Both Laws
For most small Colorado healthcare practices — a single-location dental office, a small primary care group, a nursing home — the CPA's applicability thresholds may not currently be met. But the law is worth understanding for a few reasons:
- Data volumes grow as practices add patients, use more software, and engage in digital marketing
- The 30-day breach notification timeline under Colorado's Security Breach Notification Act applies regardless of CPA applicability — and it affects healthcare practices directly
- The HIPAA exemption in the CPA is narrower than it's often described, and non-PHI data may not fall within it
- As your practice's data practices evolve — particularly if you use marketing platforms, patient engagement tools, or analytics — the CPA picture can change
Disclaimer: This article is for general informational purposes only and does not constitute legal or compliance advice. Both HIPAA and the Colorado Privacy Act are complex regulatory frameworks. Consult a qualified healthcare attorney for guidance specific to your practice's data practices and compliance obligations.