Colorado Breach Notification Law for Healthcare: 30-Day Deadline, AG Reporting, and HIPAA Alignment
Colorado 30-Day Breach Notification Requirement
When the 30-day clock starts
Colorado requires you to notify affected Colorado residents “in the most expedient time possible and without unreasonable delay,” but no later than 30 days after you determine that a security breach occurred. The notice is not required if your investigation concludes misuse has not occurred and is not reasonably likely to occur. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Who is covered and what data triggers notice
The law applies to any covered entity that maintains, owns, or licenses personal information of Colorado residents—including healthcare providers and their business associates. Personal information explicitly includes medical information, a health insurance identification number, biometric data, and certain account credentials. ([content.leg.colorado.gov](https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf))
Encrypted data and access credentials
Encrypted or otherwise secured data does not avoid notice if the encryption key or confidential process was also acquired or reasonably believed to have been acquired. If login credentials are involved, you must direct impacted individuals to promptly change passwords and, for a breached email account you provide, you may not send the notice to that compromised address. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Attorney General Reporting Obligations
500+ resident threshold and timing
If a breach is reasonably believed to have affected 500 or more Colorado residents, you must notify the Colorado Attorney General (AG) in the most expedient time possible and without unreasonable delay, but no later than 30 days after determining the breach occurred—unless your investigation shows misuse has not occurred and is not likely to occur. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
What the AG expects
The AG’s online reporting form collects key details (e.g., breach dates, types of personal information, breach type including “Malware: Ransomware”) and notes that certain submissions may be public records. Even if you follow a federal regulator’s procedures, Colorado still requires AG notice and, if timelines conflict, the shortest deadline controls. ([coag.gov](https://coag.gov/data-breach-notification-report-form/?utm_source=openai))
Consumer Reporting Agencies Notification
If you must notify more than 1,000 Colorado residents, you must also notify all nationwide consumer reporting agencies of the anticipated date of consumer notification and the approximate number of residents to be notified. You do not provide names or other personal details, and entities subject to Title V of GLBA are exempt from this CRA notice. ([content.leg.colorado.gov](https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf))
Notification Content and Format
Required content
- Date (or estimated range) of the breach.
- Description of the personal information involved.
- How affected residents can contact you.
- Toll‑free numbers, addresses, and websites for the consumer reporting agencies.
- Toll‑free number, address, and website for the Federal Trade Commission.
- A statement that residents can obtain information from the FTC and credit bureaus about fraud alerts and security freezes.
These elements are mandatory minimums for Colorado notices. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Permitted delivery methods
Permitted notice methods include written, telephonic, or electronic notice. Substitute notice is allowed if the cost would exceed $250,000, the affected class exceeds 250,000 Colorado residents, or you lack sufficient contact information; substitute notice consists of email (if available), a conspicuous posting on your website, and statewide media notice. ([content.leg.colorado.gov](https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf))
Comparison with HIPAA Breach Notification
Deadlines and recipients
HIPAA requires notice to individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500+ individuals also require notice to HHS and to prominent media in the affected state or jurisdiction. Colorado’s statute mandates a faster 30‑day deadline to individuals and adds AG notice for 500+ residents and CRA notice when >1,000 residents are notified. If timelines conflict, Colorado’s shorter 30‑day timeframe controls for individual notice, and AG notice still applies. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Content differences
HIPAA notices must include a description of what happened (including breach and discovery dates), types of unsecured PHI involved, steps individuals should take, mitigation efforts, and contact methods (e.g., toll‑free number or email). Colorado prescribes its own content elements (above), including required FTC and credit bureau resources. You should satisfy both sets in a single, clear notice. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
Ransomware incident reporting
Under HIPAA, ransomware generally triggers breach notification unless you can show a low probability that PHI was compromised. Colorado treats ransomware as a reportable breach type on the AG’s form; if personal information of residents was acquired or likely acquired, state notice obligations apply alongside HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html?utm_source=openai))
Penalties for Non-Compliance
Violations of Article 1 of the Colorado Consumer Protection Act can lead to civil penalties of up to $20,000 per violation, and up to $50,000 per violation when the victim is an elderly person; each affected consumer may count as a separate violation. The AG may also seek injunctions and recover direct economic damages for violations of the breach statute. ([law.justia.com](https://law.justia.com/codes/colorado/title-6/fair-trade-and-restraint-of-trade/article-1/part-1/section-6-1-112/))
Beyond breach notice failures, lapses in personal information security (e.g., not maintaining reasonable security or failing to bind vendors to such measures) create additional enforcement risk under Colorado law. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-713.5))
Enforcement Procedures and Delayed Notification
Attorney General enforcement
The Attorney General may bring actions in law or equity to ensure compliance, seek injunctions, and recover direct economic damages for violations of Colorado’s breach and personal information security provisions. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Delayed notification for law enforcement
Notice may be delayed if a law enforcement agency determines that notice would impede a criminal investigation. Once law enforcement advises that notice will no longer impede the investigation, you must provide notice in good faith and without unreasonable delay, and no later than 30 days after that determination. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Third-party vendor breaches
When a third‑party service provider experiences a breach of data it maintains for you, it must notify and cooperate with you without unreasonable delay and share relevant breach information (without disclosing trade secrets). Separately, Colorado requires you to implement reasonable security procedures and to require your service providers to do the same. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
Conclusion
For healthcare organizations, Colorado’s framework is clear: deliver individual notice within 30 days of determining a breach, notify the AG when 500+ residents are affected, notify CRAs if more than 1,000 residents will receive notice, and align your content and timing with both Colorado and HIPAA—using the shorter deadline where they differ. Strong vendor controls and reasonable security practices reduce exposure and support swift, compliant response. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
FAQs
What triggers the 30-day notification requirement under Colorado law?
The 30-day deadline begins once you determine a security breach occurred. You must notify affected residents in the most expedient time possible and without unreasonable delay, unless your investigation finds misuse has not occurred and is not likely to occur. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
How does Colorado law differ from HIPAA notification rules?
HIPAA allows up to 60 days to notify individuals and requires HHS (and sometimes media) notice, while Colorado requires individual notice within 30 days and adds AG notice for 500+ residents and CRA notice when >1,000 residents are notified. If timelines conflict, Colorado’s shorter 30-day period controls for individual notice, and AG notice still applies. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
When must a healthcare entity notify the Colorado Attorney General?
Notify the AG within 30 days of determining that a breach occurred if it is reasonably believed to have affected 500 or more Colorado residents, unless the investigation determines misuse has not occurred and is not likely to occur. ([colorado.public.law](https://colorado.public.law/statutes/crs_6-1-716))
What penalties apply for failing to comply with breach notification laws?
Under the Colorado Consumer Protection Act, the AG or a district attorney may seek civil penalties up to $20,000 per violation (and up to $50,000 per violation involving an elderly person), in addition to injunctive relief and recovery of direct economic damages for breach‑notification violations. Each impacted consumer can constitute a separate violation. ([law.justia.com](https://law.justia.com/codes/colorado/title-6/fair-trade-and-restraint-of-trade/article-1/part-1/section-6-1-112/))