Colorado Mental Health Record Privacy Laws: Your Rights and Provider Obligations

Colorado mental health record privacy laws work alongside federal protections to keep your sensitive information confidential. These rules define what counts as a mental health record, when it may be shared, and what happens if an unauthorized disclosure occurs. They also outline your rights and the policies providers and employers must maintain, including restricted access policies overseen by Colorado’s Behavioral Health Administration.

This guide explains how your information can be used for treatment, billing, and claim adjudication, where informed consent is required, and how special protections apply in contexts like workers’ compensation, where an administrative law judge may become involved.

Mental Health Record Definition

A mental health record is the information a behavioral health professional or facility creates and maintains about your care. It typically includes items that identify you and document your history, evaluations, diagnoses, treatment plans, progress notes, medications, care coordination, discharge summaries, and billing or claim adjudication data.

What is included

• Intake forms, assessments, diagnostic impressions, and treatment goals.
• Progress notes that document therapy sessions, interventions, and your response to care.
• Medication lists, lab results, test reports, and care coordination communications.
• Administrative and financial records tied to payment and claim adjudication.

What is treated differently

• Psychotherapy notes—your therapist’s separate, personal notes—are more strictly protected and usually require a distinct authorization to disclose.
• Substance use disorder records from federally assisted programs are covered by heightened confidentiality standards that sharply restrict sharing without specific consent or a qualifying order.

Disclosure of Mental Health Records

When disclosure can occur without your written authorization

• Treatment: sharing information with other providers involved in your care.
• Payment and health care operations: billing, utilization review, quality improvement, and claim adjudication with payers and administrators.
• Required by law: limited disclosures for public health, abuse or neglect reporting, or certain oversight and audits.
• Serious and imminent threats: narrowly tailored disclosures to prevent or lessen harm.
• Legal process with appropriate safeguards: court or administrative law judge orders that specifically authorize release of defined records.

Disclosures that require informed consent

Outside of the uses above, providers generally need your informed consent. A valid authorization should specify what will be shared, with whom, for what purpose, and when it expires. You may revoke it in writing. Psychotherapy notes and certain substance use disorder information typically require a separate, explicit authorization. Even with consent, providers should disclose only the minimum necessary information.

Provider duties during disclosure

• Verify the requester’s identity and authority before releasing information.
• Apply the minimum-necessary standard and exclude psychotherapy notes unless specifically authorized.
• Document releases and, when required, provide you an accounting of certain disclosures.

Restrictions on Disclosure

• Restricted access policies: providers must use role-based access, need-to-know limits, and audit logs to prevent unauthorized disclosure.
• Psychotherapy notes are not shared for most purposes without a distinct authorization.
• Substance use disorder information is subject to strict redisclosure prohibitions; recipients are warned not to share it further.
• Third parties such as schools, landlords, or family members do not receive records without a valid legal basis or your authorization, except in narrow emergencies or where law requires.
• When minors are allowed by law to consent to certain behavioral health services, providers carefully follow rules that protect the youth’s confidentiality while balancing safety and parental involvement.

Employer Obligations

Employers are not free to view your mental health records. If an employer sponsors a health plan—especially self-insured employers—access to protected health information must be strictly firewalled for plan administration and claim adjudication only, never for employment decisions such as hiring, firing, or discipline.

• Maintain written restricted access policies that identify who may handle plan PHI and for what limited purposes.
• Use business associate agreements with third-party administrators and train all personnel who handle PHI.
• Request only information necessary for plan functions; psychotherapy notes and detailed therapy records are rarely appropriate.
• Workers’ compensation requests must be targeted to the claim; disputes can be narrowed or resolved by an administrative law judge.
• Guard against unauthorized disclosure and implement breach response procedures if an incident occurs.

Third-Party Disclosure Restrictions

Attorneys, schools, landlords, digital app vendors, and even well-meaning relatives count as third parties. They generally need a valid authorization that clearly states what can be shared and for what purpose. A subpoena alone may be insufficient; providers often require either your authorization or a qualifying court or administrative law judge order.

• Health information exchanges and care-coordination networks must honor your choices to opt out or restrict sharing where available.
• Research, marketing, or non-treatment uses require special approvals or your explicit authorization.
• All recipients should be warned against redisclosure when heightened protections apply.

Record Retention Requirements

Colorado-licensed behavioral health professionals are generally required to keep adult client records for a multi-year period—commonly at least seven years after the last date of service. For minors, retention typically extends beyond adulthood (for example, often until at least age 25). Facilities such as hospitals or state-licensed programs may follow longer schedules.

• Retention policies must ensure records remain complete, legible, and retrievable for care continuity, audits, and claim adjudication.
• When the retention period ends, records must be securely destroyed (for example, shredding or secure electronic deletion).
• If a practice closes or a provider relocates, patients should receive notice on how to access or transfer their records.

Patient Rights in Behavioral Health Care

You have strong, actionable rights under Colorado mental health record privacy laws and federal rules, reinforced by standards from the state’s Behavioral Health Administration.

• Access and copies: review your records and obtain copies, with limited exceptions (for example, psychotherapy notes).
• Amendment: request corrections or add a statement of disagreement when you believe something is inaccurate or incomplete.
• Restrictions: ask providers or plans to limit certain disclosures and to communicate with you by alternate means or locations.
• Accounting: receive an accounting of certain non-routine disclosures.
• Notice: receive a clear Notice of Privacy Practices and be informed of breaches affecting your information.
• Consent: decide when informed consent is needed and revoke authorizations you no longer wish to honor.
• Grievances and complaints: use provider grievance processes and escalate concerns to state oversight bodies if needed.

Conclusion

Colorado mental health record privacy laws give you control and require providers and employers to protect your information. Understand what’s in your record, when informed consent is needed, how restricted access policies work, and how special rules apply in contexts like claim adjudication. When in doubt, ask the provider’s privacy contact to explain what will be shared, why, and with whom—before any disclosure occurs.

FAQs

What information is protected under Colorado mental health record privacy laws?

Protected information includes anything that identifies you and relates to your mental health care: assessments, diagnoses, treatment plans, progress notes, medications, coordination-of-care communications, and billing or claim adjudication details. Psychotherapy notes and many substance use disorder records receive extra protection and usually require distinct, explicit authorization to share.

How can mental health records be disclosed to employers?

Employers generally cannot access your records. If your employer sponsors a health plan—especially a self-insured employer—only designated plan administration personnel may receive limited information for claim adjudication and related plan functions. Broader disclosures require your informed consent or a qualifying legal order. In workers’ compensation cases, requests must be narrowly tailored and may be supervised or limited by an administrative law judge.

What are the retention requirements for mental health records in Colorado?

Licensed behavioral health professionals commonly retain adult records for at least seven years after the last service date. For minors, retention typically extends beyond adulthood (often until at least age 25). Hospitals and certain licensed facilities may follow longer retention schedules. Regardless of the timeline, records must be stored securely and destroyed safely when the retention period ends.

How can patients file a complaint regarding mental health record privacy violations?

Start with the provider’s privacy contact to request an internal investigation and written response. If you believe a violation occurred, you may escalate to state oversight bodies that regulate behavioral health providers, to professional licensing boards, or to federal civil rights authorities that enforce health privacy protections. Keep copies of relevant documents, note dates and people involved, and state clearly what you want done to resolve the issue.