Privacy notice

We care about your privacy. The Colorado Department of Public Health and Environment (CDPHE) is responsible for protecting the health information of Colorado citizens. We collect specific protected health information (PHI) from individuals in the community and put that information together to measure the public's overall health and well-being. All medical information is safeguarded and held in strict confidence.

Our Privacy Office:
  • Ensures CDPHE compliance with federal regulation, state statutes, and Board of Health regulations
  • Provides mandatory staff training on privacy 
  • Informs personnel about privacy safeguards
  • Implements privacy policies and procedures

Privacy Disclaimer

This site includes links to other websites, including links to websites operated by other government agencies, nonprofit organizations, and private businesses. When you link to another site, our Privacy Notice will not apply. When you link to another website, you are subject to the privacy policy of that site.

Neither CDPHE nor any employee of the state of Colorado warrants the accuracy, reliability, or timeliness of any information published by this system, nor endorses any content, viewpoints, products or services linked from this system, and shall not be held liable for any losses caused by reliance on the accuracy, reliability, or timeliness of such information. Portions of such information may be incorrect or not current. Any person or entity that relies on any information obtained from this system does so at their own risk.

Public Disclosure

The Colorado Open Records Act (CORA) at Colorado Revised Statutes (CRS), § 24-72-201, et seq., which applies to CDPHE, states, "[i]t is declared to be the public policy of this state that all public records shall be open for inspection by any person at reasonable times, except as provided in this Part 2 or as otherwise specifically provided by law." Much of the information CDPHE collects includes protected health information that is exempt from disclosure under CORA. Other information, however, is available through CORA.

Security Statement

CDPHE, along with the Colorado Department of Personnel and Administration, the developer and manager of the Colorado home page, has taken several steps to safeguard the integrity of the telecommunications and computing infrastructure, including but not limited to authentication, monitoring, and auditing. Security measures have been integrated into the design, implementation, and day-to-day practices of the entire operating environment as part of our continuing commitment to risk management.

HIPAA Status

CDPHE protects the health information we receive, and we take seriously our responsibility to ensure health information is secure and kept confidential. This responsibility predates the Health Insurance Portability and Accountability Act (HIPAA) [Public Law 104-191] and is based on confidentiality requirements in Colorado statutes. It is also expressed in internal CDPHE policies and procedures.

CDPHE is a “hybrid entity” as defined at Code of Federal Regulations 45 CFR 164.103 - “a single legal entity that is a covered entity, whose business activities include both covered and non-covered functions…”  CDPHE operates exclusively as a “public health authority” under HIPAA, meaning an entity that is responsible for public health matters as part of its official mandate, for all of its programs except two. 

  • The CDPHE Mobile Public Health Clinic Program is a “covered entity” and a healthcare provider.  
  • The Newcomer Health Program is a “business associate” of the Colorado Department of Human Services.  

For these two programs, CDPHE complies with all HIPAA privacy and security requirements.

For all other programs, CDPHE is a “public health authority”.

Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.  [45 CFR §164.501]

In key areas of the federal Privacy Rule, HIPAA provides for reporting to public health authorities:

A public health authority is “authorized by law to collect or receive protected health information (PHI) for the purpose of preventing or controlling disease, injury, or disability, including but not limited to the reporting of disease, injury, vital events such as births or death and the conduct of public health surveillance, public health investigations and public health interventions… or for purposes of reporting child abuse or neglect.” [45 CFR 164.512(b)(1)(i)]

The public health reporting allowed under this section must be to a public health authority authorized by law to collect the information. While many public health activities and reporting requirements are recognized in HIPAA regulations as “required by law” [45 CFR §164.512 (a)], the law relied upon does not have to be specifically mandated reporting. Rather, it is enough that the public health authority’s authorizing statute permits the receipt of the information. Additionally, some functions performed by CDPHE are health oversight activities [45 CFR §164.512 (d)], including nursing home surveillance and oversight of government benefit programs where protected health information is important for eligibility. In all of these circumstances, disclosure of protected health information to CDPHE is permitted without the individual’s written authorization or opportunity to object.

Finally, with respect to the information sought by a public health authority, 45 CFR §164.514 (d)(3)(iii)(A) also allows a health plan, provider billing electronically, or clearinghouse to accept the word of the public health authority that the information requested is the “minimum necessary”.

Use of the Website

If personal information is requested on the website or is volunteered by the user, state and federal law may protect that information. However, all information becomes a public record once it is provided and may be subject to public inspection and copying if not protected by federal or state law.

Users are cautioned that the collection of personal information requested from or volunteered by children online or by email will be treated the same as information provided by an adult and may be subject to public access.

The following information may be collected during your visit to this website:

  • Internet protocol address and domain name used, but not the email address
  • Type of browser used and client operating system identification
  • Date and time visit occurred
  • Web pages or services accessed at this site

The information we collect or store is used to improve the content of our web services and to better understand how people are using our services.

If during your visit to our site you send an email to us, the following information will be collected:

  • Email address used to send email
  • Content of the email

We use your email to respond appropriately. This may be to respond to you, to address issues you identify, to further improve our website, or to forward the email to another agency for appropriate action.

Privacy Notice Contact

Colorado Department of Public Health and Environment
Privacy Officer, A5-OLRC
4300 Cherry Creek Drive South
Denver, CO 80246
Email:  joni.koenig@state.co.us