Colorado’s Latest Privacy Law: What Schools, Hospitals and Libraries Need To Know

Key Takeaways for Colorado Businesses and Institutions

• Broad Coverage: The law applies to a wide range of entities, including child care centers, K-12 schools, colleges/universities, hospitals, health care facilities and libraries, that receive money from the state “in any amount.”
• Prohibited Data Collection: Covered Institutions cannot collect information such as place of birth, citizenship or immigration status, or passport details; residency documents like permanent resident or alien identification cards; or work authorization documents unless they are specifically necessary to perform the duties of the institution or as required by state or federal law for program eligibility verification.
• Policy Requirement as of September 1: Covered Institutions must adopt or update policies that address:
  • Procedures for disclosure of personal information (PI) of students, patients, patrons or parents/guardians thereof (Protected Individuals) to third parties for any reason
  • Designation of an employee responsible for handling immigration-related requests for PI of Protected Individuals
  • Documentation requiring that the entity record, for any federal immigration enforcement requests, the name, agency and badge number of the person leading the federal immigration enforcement as well as a copy of a valid subpoena/order/warrant requesting the PI of Protected Individuals
  • Procedures to notify, as appropriate, Protected Individuals who are the subject of the request for PI by federal immigration enforcement officers
  • Conditions pursuant to which the Covered Institutions will allow access to nonpublic areas of their grounds or facilities
• Strict Release Conditions: Information may only be released with consent or pursuant to a valid subpoena, order or warrant issued by a federal judge or magistrate.
• Public Transparency: Required policies must be published or available upon request.
• Enforcement and Penalties: Each intentional violation may result in an injunction and a civil penalty of up to $50,000. Funds go to the Immigration Legal Defense Fund.

Key Definitions

• Employee: A person in the service of a Covered Institution while acting in the person’s employment capacity. “Employee” does not include volunteers.
• Federal Immigration Enforcement: An effort to investigate, enforce, or assist in the investigation or enforcement of a federal civil immigration law or a federal criminal immigration law that penalizes a person’s presence in, entry or reentry to, or employment in the United States.
• Local Education Provider: A school district, a charter school, or a board of cooperative services that operates one or more public schools.
  • Charter School: A public school that enters into a charter contract.
  • Board of Cooperative Services: A regional educational service unit designed to provide supporting, instructional, administrative, facility, community, or any other services contracted by participating members.
• Public Child Care Center: A child care center that has received money in the past five state fiscal years, in any amount, from the state and that provides part- or whole-day care for five or more children who are under the age of 18. This applies even when the child care center is operated without compensation.
• Public Health Care Facility: A health care facility or an essential community provider that receives money, in any amount, from the state. This includesgeneral hospitals, hospital units, freestanding emergency departments, critical access hospitals, psychiatric hospitals, community clinics, rehabilitation hospitals, convalescent centers, facilities for persons with intellectual and developmental disabilities, nursing care facilities, hospice care centers, assisted living residences, dialysis treatment clinics, ambulatory surgical centers, birthing centers, home care agencies, and other facilities of a like nature.
• Public Institution of Higher Education: A state institution of higher education, a local district college, an area technical college or a private institution of higher education that receives college opportunity funding for an eligible undergraduate student.
• Public School: A school of a school district, a district charter school authorized by a school district, an institute charter school authorized by the state charter school institute, an approved facility school, the Colorado School for the Deaf and the Blind or a school operated by a board of cooperative services.
• Publicly Supported Library: A library supported principally with money derived from taxation. Publicly supported libraries shall include all public libraries and may include academic libraries, school libraries, and special libraries.

Overview

On September 1, 2025, the final pieces of a new Colorado law went into effect to limit how Colorado K-12 schools and institutions of higher education (including private and technical colleges), public health care facilities, child care centers that receive state money, and publicly supported libraries (Covered Institutions) may share information about individuals’ national origin (among other things). There are two aspects to the law. The first, which went into effect on July 1, prohibits Covered Institutions from requesting information from their patrons, such as place of birth, immigration or citizenship status, or identification documents like passports and green cards, unless required by law or necessary for government program eligibility.

The second piece of the law, which went into effect on September 1, 2025, requires Covered Institutions to implement policies and procedures documenting the conditions under which they will release identifying information about their patrons, their patients, or the parents/guardians of their patrons or patients and allow access to nonpublic areas of their property. Covered Institutions that intentionally violate the law can face penalties of up to $50,000 per violation, with funds directed to Colorado’s Immigration Legal Defense Fund.

This legislation signals Colorado’s broader effort to strengthen privacy protections for residents, including immigrants, who rely on public services, while providing institutions with clear compliance obligations.

Impact Within the Health Care Industry

The Colorado law is really aimed at ensuring that Covered Institutions are not voluntarily providing information about Protected Individuals to third parties without a sufficient legal basis for doing so. For HIPAA-covered health care providers, most of the required policies are already required by HIPAA. In some circumstances, information about a patient’s parent or guardian is not considered protected health information (PHI) subject to HIPAA and thus would not be within the scope of the entities’ HIPAA policies that are otherwise duplicative of the Colorado law’s requirements. Thus, Colorado health care entities should determine whether current policies need to be revised to include parent/guardian information or whether a separate non-HIPAA information release policy set should be created.

The law’s only deviations from HIPAA are:

1. Prohibiting the collection of place of birth information, immigration status, and documents like passports and permanent resident or alien registration cards unless required by law or to validate eligibility
2. The requirement to designate an employee to alert if the Covered Institution receives an immigration-related request for PI about Protected Individuals
3. Procedures for alerting, “as appropriate,” the Protected Individual who is the subject of the immigration request that such a request was made
4. Procedures for allowing access to parts of the Covered Institution’s grounds that are not open to the public
5. Mandating that the Covered Institution make available these policies and procedures upon request

Health care providers in Colorado should assess their patient intake questions to ensure that the demographic questions asked related to place of birth, immigration status or documents are not required unless a determination is made that such information is required (for instance, to verify insurance). This may require coordination with their electronic health record vendor.

The requirement that health care providers inform the patient or parent “as appropriate” is perhaps vague enough to require no change. Entities do not routinely notify patients when the entities fulfill HIPAA-permissible records requests, though these requests are documented in the patient’s record when required by HIPAA. With respect to the identification of an employee to alert about immigration requests, this again may not require any real change, as HIPAA-covered entities generally have release-of-information policies that state that their health information management employees will be responsible for and receive all such requests.

The requirement to provide the mandated policies on request is one that, while likely fairly easy to accommodate, may come as a surprise to HIPAA-covered entities, as patients do not have that right under HIPAA. Given the ability for the state to collect a civil penalty of up to $50,000 per violation, it would be prudent for Colorado health care providers to ensure that this requirement is known to employees and that the in-scope policies are in a shareable form.

Finally, the requirement to have a documented procedure for granting access to nonpublic portions of the entities’ facilities or grounds is, in some cases, covered by HIPAA – which requires entities to restrict physical access to areas that contain PHI – but may not be documented for non-PHI areas. Although many HIPAA-covered entities likely have a documented physical security plan, entities should review those plans to ensure that physical access is addressed.

Impact on Schools

As described above, this new law applies to K-12 public schools and publicly funded colleges and universities in Colorado. Those schools should review their policies and procedures regarding the handling of student information; however, it is likely that schools already have an infrastructure in place to comply with Colorado’s new law.

As an initial matter, as set forth in the U.S. Supreme Court’s decision in Plyler v. Doe, 457 U.S. 202, K-12 public schools are required to provide education to all children, and they may not deny enrollment based on citizenship or immigration status. Thus, there is no reason for K-12 public schools to collect information about their students’ (or their students’ parents’/guardians’) immigration status. Colleges and universities, however, are required to request proof of citizenship as a prerequisite to disbursing financial aid. Colleges and universities in Colorado should make sure that to the extent that they are requesting any of the information covered by Colorado’s new law there is a law or government program (i.e., Federal Student Aid) that requires them to do so.

Schools should also already have policies and procedures in place documenting the conditions under which they will release information about students. Indeed, to the extent that schools possess information about students’ citizenship or immigration status, that information would be subject to the protections set forth in FERPA. FERPA prohibits schools from disclosing such information without prior written consent from the student or the student’s parent/guardian. Schools should already have policies and procedures in place regarding FERPA compliance. Likewise, schools already have (or should have) policies documenting the conditions pursuant to which they allow access to the nonpublic areas of their property.

In sum, it is likely that K-12 public school districts and publicly funded colleges/universities in Colorado are already in compliance with Colorado’s new law given that the law is largely duplicative of requirements that were already in place, at least in regard to these institutions. It is always a good idea, however, for schools to regularly review their policies and procedures related to data collection to make sure that they comply with all applicable laws.

Next Steps for Covered Institutions

Covered Institutions across Colorado should take this opportunity to review their policies and procedures to confirm they align with the new law. Even where existing HIPAA or FERPA frameworks already provide strong protection, reviewing compliance with these laws may highlight current gaps in data collection and handling. Covered Institutions that are uncertain about their compliance obligations should consider seeking guidance to ensure they are fully prepared and to avoid the penalties that can result from noncompliance.

[View source.]