Colorado has enacted Senate Bill 25-276, establishing new requirements for healthcare facilities that receive state funding, including restrictions on collecting and disclosing patients' immigration status and personal identifying information.
What happened
The Colorado General Assembly enacted Senate Bill 25-276, which takes effect July 1, 2025. The Bill applies to Public Health-Care Facilities—defined as any Colorado-licensed facility that receives any amount of state funding, including Medicaid payments. The legislation prohibits these facilities and their employees from collecting information about patients' place of birth, immigration or citizenship status, or information from immigration documents like passports or permanent resident cards. Facilities must adopt new policies by September 1, 2025, that include procedures for handling federal immigration enforcement requests and requirements to notify patients when authorities request their information. Violations carry civil penalties up to $50,000 per violation, with penalty funds going to Colorado's Immigration Legal Defense Fund.
Going deeper
The Bill creates different restriction levels based on facility type. All state-funded healthcare facilities face collection restrictions, but facilities operated by political subdivisions face additional disclosure prohibitions. These facilities cannot share personal identifying information through databases or automated networks for federal immigration enforcement purposes. The restrictions include exceptions for information required by federal or state law, eligibility verification for government-funded programs, and releases authorized by federal court orders or patient consent. Third-party contractors managing data for political subdivisions also fall under these restrictions.
What was said
The Bill states it aims "to safeguard the civil rights and privacy of all persons in Colorado, regardless of immigration status, and to limit the role of state and local actors, including healthcare providers, in federal immigration enforcement." The legislation defines violations as causing "irreparable harm" and establishes that facilities must document specific information from federal immigration enforcement personnel, "including the name, employer, badge number, and a copy of the legal process authorizing access or information."
In the know
Public Health-Care Facilities under this law include any Colorado-licensed facility receiving state funding, which includes most healthcare providers since Medicaid and other state healthcare programs qualify as state funding sources. Political subdivisions refer to government-operated healthcare facilities like county hospitals or public health departments. The law creates a two-tiered system where privately-operated facilities receiving state funding face collection restrictions, while government-operated facilities face both collection and disclosure restrictions.
Why it matters
This law directly impacts healthcare operations for the majority of Colorado healthcare facilities, since most accept Medicaid or other state program payments. The broad definition of state funding means even private facilities that occasionally receive state payments must overhaul their data collection practices. Healthcare facilities now face compliance burdens beyond existing HIPAA requirements, including staff retraining, policy rewrites, and new documentation requirements for immigration enforcement interactions. While HIPAA already protects patient health information from unauthorized disclosure, SB 25-276 creates additional state-level restrictions specifically targeting immigration-related data collection and sharing. The $50,000 per violation penalty creates substantial financial risk that compounds potential HIPAA penalties for facilities that mishandle protected health information.
The bottom line
Colorado healthcare facilities receiving any state funding must immediately begin updating their policies and training staff to comply with SB 25-276's immigration data restrictions. Facilities should review their current data collection practices, establish procedures for handling federal immigration requests, and ensure compliance by the September 1, 2025 deadline to avoid substantial penalties.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
Does SB 25-276 apply to private healthcare providers that only occasionally receive state funding?
Yes, even facilities that receive minimal state funds, such as Medicaid payments, fall under the law.
How does this law interact with HIPAA requirements already in place?
It adds additional restrictions on immigration-related data collection and disclosure beyond HIPAA protections.
Are there exceptions to the restrictions on collecting immigration information?
Yes, exceptions exist for compliance with federal or state law, eligibility checks for public programs, and patient consent.
What are the compliance deadlines for healthcare facilities?
Facilities must adopt policies by September 1, 2025, ahead of the law’s July 1, 2025 effective date.
What documentation must facilities collect when federal immigration authorities make requests?
They must record details such as the officer’s name, employer, badge number, and the legal process authorizing the request.
