Privacy notice

We care about your privacy. The department is responsible for protecting the health information of Colorado citizens. We collect specific personal health information from individuals in the community and put that information together to measure the public's overall health and well-being. All medical information is safeguarded and held in strict confidence.

Our Privacy Office:
  • Ensures department compliance with the federal medical privacy law (Health Insurance Portability and Accountability Act of 1996, HIPAA), state statutes and Board of Health regulations.
  • Provides mandatory staff training on privacy and security.
  • Informs personnel about privacy and security safeguards.
  • Implements privacy and security policies and procedures.

Privacy disclaimer

This site includes links to other websites, including links to websites operated by other government agencies, nonprofit organizations and private businesses. When you link to another site, our Privacy Notice will not apply. When you link to another website, you are subject to the privacy policy of that site.

Neither the Colorado Department of Public Health and Environment nor any employee of the state of Colorado warrants the accuracy, reliability or timeliness of any information published by this system, nor endorses any content, viewpoints, products or services linked from this system, and shall not be held liable for any losses caused by reliance on the accuracy, reliability or timeliness of such information. Portions of such information may be incorrect or not current. Any person or entity that relies on any information obtained from this system does so at his or her own risk.

Public disclosure

The Colorado Open Records Act applies to this Privacy Policy under the Colorado Revised Statutes, Title 24, Article 72, Part 2, which states, "It is declared to be the public policy of this state that all public records shall be open for inspection by any person at reasonable times, except as provided in this Part 2 or as otherwise specifically provided by law." Much of the information we collect includes individually identified health information that is not subject to disclosure under the Colorado Open Records Act. Other information, however, is available through the Colorado Open Records Act.

Security statement

The Colorado Department of Public Health and Environment, along with the Colorado Department of Personnel and Administration, the developer and manager of the Colorado home page, has taken several steps to safeguard the integrity of the telecommunications and computing infrastructure, including but not limited to authentication, monitoring and auditing. Security measures have been integrated into the design, implementation and day-to-day practices of the entire operating environment as part of our continuing commitment to risk management.

HIPAA status

We have always worked to protect the health information we receive. We're serious about our responsibility to ensure health information is secure and kept confidential. This responsibility predates the Health Insurance Portability and Accountability Act (HIPAA) and is backed up by confidentiality requirements in Colorado statutes. It’s also expressed in our internal policies and procedures.

HIPAA applies to health plans, medical providers billing electronically and clearinghouses. The Colorado Department of Public Health and Environment is not a health plan, provider billing electronically nor a clearinghouse and therefore is not directly covered under HIPAA. The department is a public health authority under the act:

Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

HIPAA acknowledges the importance of public health in the law itself (Public Law 104-191):

Public Health. — Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.

In key areas of the Privacy Rule, HIPAA provides for reporting to public health authorities (§164.512 (b)):

for purposes of preventing or controlling disease, injury, disability, including but not limited to the reporting of disease, injury, vital events such as births or death and the conduct of public health surveillance, public health investigations and public health interventions… or for purposes of reporting child abuse or neglect

The public health reporting under this section must be to a public health authority authorized by law to collect the information, but the information does not have to be specifically mandated by law. Rather, it is enough that the public health authority’s authorizing statute permit the receipt of the information. Reporting to a public health authority is voluntary, not required.

Many public health activities also are provided for as “required by law,” §164.512 (a) or as part of health oversight activities, §164.512 (d), including nursing home surveillance and oversight of government benefit programs where health information is important to eligibility.

§164.514 (d)(3)(iii)(A) also allows a health plan, provider billing electronically or clearinghouse to accept the word of the public health authority that the information requested is the “minimum necessary.”

The department is indirectly covered under HIPAA as a business associate for a few programs. If a health plan, provider billing electronically or clearinghouse hires another agency to do work for it, and shares health information, the hired agency is a business associate. Business associates must take measures to protect the information they receive. The Prenatal Plus program, for instance, is a business associate of Medicaid, as Medicaid is covered under HIPAA.

Use of the website

If personal information is requested on the website or is volunteered by the user, state and federal law may protect that information. However, all information becomes a public record once it is provided and may be subject to public inspection and copying if not protected by federal or state law.

Users are cautioned that the collection of personal information requested from or volunteered by children online or by email will be treated the same as information provided by an adult and may be subject to public access.

The following information may be collected during your visit to this website:

  • Internet protocol address and domain name used, but not the email address.
  • Type of browser used and client operating system identification.
  • Date and time visit occurred.
  • Web pages or services accessed at this site.

The information we collect or store is used to improve the content of our Web services and to better understand how people are using our services.

If during your visit to our site you send an email to us, the following information will be collected:

  • Email address used to send email.
  • Content of the email.

We use your email to respond appropriately. This may be to respond to you, to address issues you identify, to further improve our website, or to forward the email to another agency for appropriate action.

Privacy notice contact

Colorado Department of Public Health and Environment
Privacy officer, A5-OLRC
4300 Cherry Creek Drive South
Denver, CO 80246
303-692-2311
Fax: 303-691-7702