Privacy Policy

Main Content

Health First Colorado Enrollment Website Privacy Policy

Effective January 30, 2019

Our Commitment to Privacy

Thank you for visiting the Health First Colorado website (the “Site”). MAXIMUS Health Services, Inc. (“MAXIMUS” or “We”) operates the Site for the Colorado Department of Health Care Policy and Financing. The Site is located at Enroll.HealthFirstColorado.com. It is available 24 hours a day, 7 days a week. 

The Site is designed to make it easier and more efficient for you to interact with the Health First Colorado program. It allows you to find and compare health plans and providers, enroll in a health plan online, and check the status of a case online. Please read this privacy notice before you access and use the Site.

This privacy notice applies to personal information We collect about you. It describes the types of information collected. It explains how it is used. It gives choices you have about collection and use of this information. This privacy notice does not govern privacy practices for offline activities, other websites, or products and services not available or enabled through this Site, unless written in this privacy notice.

Consent to Electronic Transactions

The user and MAXIMUS acknowledge and agree that all electronic transactions made during the term of this Agreement are binding by law. Users understand that consent, when given by use of personal information or passwords, has the same authority as a written signature and is binding by law.

Information We Collect

Much of the Site is available without giving personal information. Users may be asked for personal information to use some Site features, such as submitting an enrollment application online. Users give this personal information voluntarily. They do so in order to participate or register for a product or service or to communicate with MAXIMUS or the Site. You give this personal information voluntarily when you:

  • Enroll in a health plan online
  • Update enrollment and case information online
  • Choose a provider online
  • Complete a health assessment online

We clearly identify data you must give so We can deliver the services or information you want. For example, MAXIMUS may ask you to give or verify your:

  • First and last name
  • Mailing address
  • Telephone number
  • Email address
  • Date of birth
  • State ID or Case Number
  • Health information

While visiting the Site you may complete a transaction, such as an enrollment application. MAXIMUS uses the information, including personal information you volunteer when you complete the transaction, to operate the Health First Colorado program. This includes providing goods, services and information.

Information and Choice

MAXIMUS does not collect any personal information about you unless you give that information voluntarily. You do that by completing an online enrollment application, updating your enrollment information, choosing a provider, or completing a health assessment online. You may choose not to complete enrollment activities online.

Your choice not to participate in these activities may limit your ability to receive specific services or products through the Site. It will not normally affect your ability to use other Site features, including browsing or downloading information. Choosing to provide personal information to MAXIMUS, whether We request it or not, constitutes consent to the collection and sharing of the information with the Colorado Department of Health Care Policy and Financing for the reasons you shared the information with MAXIMUS.

MAXIMUS may give the information it collects to the Colorado Department of Health Care Policy and Financing. This is for those purposes that may be reasonably ascertained from the nature and terms of the transaction in which the information was submitted.

Disclosure of Information Collected Through This Website  

Collection and disclosure of information through the Site are subject to the provisions of the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191) and the Colorado Open Records Act (CORA) (C.R.S. § 24-72-201 to 206).

To learn more about Health Information Privacy, visit HHS.gov at US Department of Health & Human Service Health Information Privacy.

To learn more about the Colorado Open Records Act, visit the Colorado Revised Statutes at Colorado General Assembly.

MAXIMUS will only collect or disclose personal information collected through the Site if the user has consented to the collection or disclosure of such personal information. Voluntary disclosure of personal information to MAXIMUS by the user, whether MAXIMUS asks for the information or not, constitutes consent to the collection and disclosure of the information to the Colorado Department of Health Care Policy and Financing. It can only be used for the purposes for which the user disclosed the information to MAXIMUS as a contractor to the Colorado Department of Health Care Policy and Financing, as was reasonably ascertainable from the nature and terms of the disclosure.

MAXIMUS may collect or disclose personal information without consent if the collection or disclosure is:

  • Needed to perform the statutory duties of the Colorado Department of Health Care Policy and Financing;
  • Needed for MAXIMUS to operate the Health First Colorado program as authorized by law or by state or federal statute or regulation;
  • Made pursuant to a court order or by law;
  • For the purpose of validating the user’s identity; or
  • To be used solely for statistical purposes in a form that cannot be used to identify any person.

MAXIMUS may disclose personal information to its agents, affiliates and subcontractors to allow them to perform certain functions relating to your appeal.

MAXIMUS may also disclose personal information to federal or state law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to MAXIMUS information technology assets.

MAXIMUS does not share your personal information with unaffiliated third parties. We may use your information to improve the content, navigation and efficiency of the website.

To improve the Site, We may use and share with others information We have compiled about our users. This includes aggregated or anonymous (not personally identifiable) information We collect based on web usage data, surveys or statistical information. The disclosure of information, including personal information, collected through the Site is subject to the provisions of HIPAA and the Colorado Open Records Act.

Retention of Information Collected Through this Website  

MAXIMUS keeps the information collected through the Site in accordance with its contract with the Colorado Department of Health Care Policy and Financing. MAXIMUS keeps information for ten years in accordance with the records retention and disposition schedule. The schedule was set up for the records of the program unit to which you submitted the information. This includes personal information you submit by sending an email or completing an online enrollment application. You may get information about these records retention and disposition schedules through the contact methods listed below.

Information Disclaimer

Information on this website is intended to allow the public immediate access to public information. While all attempts are made to provide accurate, current and reliable information, MAXIMUS recognizes the possibility of human and mechanical error. MAXIMUS, its employees, officers and agents make no representations as to the accuracy, completeness, currency or suitability of the information on the Site, and deny any expressed or implied warranty as to the same.

Web Privacy

Our web servers automatically collect and log web usage data from you when you visit the Site. Usage data includes your Internet Protocol (IP) address, referring sites, pages viewed, browser type, operating system, CPU speed, referring or exit webpages, and length of visit. This data tells us how visitors use and navigate the Site.

MAXIMUS collects the above information from your visit to the Site only for these purposes. It also collects it for purposes related to the services We provide for the Colorado Department of Health Care Policy and Financing.

Cookies and WebAnalytics

Like most websites, We use “cookies,” “web beacons,” and similar devices to help you use the Site more efficiently and to track your activities. A cookie is small amount of data transferred to your browser by a web server. Only the server that gave you cookies can read them. Cookies are your identification card. They let MAXIMUS record your activities and preferences. Cookies cannot be used as code. They cannot deliver viruses.

A web beacon is a small transparent gif image embedded in an HTML page or email. Web beacons track when the page or email was viewed. MAXIMUS uses them to track your use of the Site, types of products and services viewed, and information downloaded. We also use them to count daily visitors to the Site. Our web servers automatically log your computer’s IP/Internet address. MAXIMUS does not generally use this information to identify you personally.

Our website uses Webtrends Analytics. It is a service that sends website traffic data to Webtrends servers in the United States. Webtrends Analytics does not identify individual users. It does not associate your IP address with any other data Webtrends holds. We use reports from Webtrends Analytics to help us understand website traffic and webpage usage. You can read the Webtrends Privacy Statement at https://www.webtrends.com/terms-policies/privacy/privacy-statement/.

Opt Out of Cookies

If you do not want your browser to accept cookies, you can change the cookie option in your browser’s settings. Some Site features or services may not function properly or be accessible without cookies. To learn more about opting out of tracking cookies, visit Webtrends at https://kb.webtrends.com/articles/Information/Opting-out-of-Tracking-Cookies-1365447872915.

“Do Not Track” Signals 

Do Not Track is a preference you can set in your web browser. It lets the websites you visit know that you do not want them to collect information about you. The Site does not currently respond to a Do Not Track or similar signals.

Website Time Out

For security purposes, your URL online session is set to end after ten minutes of user inactivity. You will get a session timeout warning after nine minutes of inactivity. This allows you to end or continue the session. If you do not choose either, your session will end after ten minutes of inactivity.


MAXIMIUS is strongly committed to protecting personal information collected through the Site. We protect against unauthorized access, use or disclosure. MAXIMUS limits employee access to personal information collected through this website. Access is to only those employees who need the information to perform their official duties. Employees who have access to this information follow rules for disclosures of personal information.

As developer and manager of this Site, MAXIMUS has implemented commercially reasonably technical, administrative and physical security measures. These measures are to protect the integrity of its communications and computing infrastructure. They are also to protect your personally identifiable information from unauthorized access, changes or use.

We have documented information security and privacy policies to address data. We regularly provide information security and privacy awareness training to our employees. Because the Internet is open and unsecured, MAXIMUS cannot be responsible for the security of transmissions of personal information over the Internet. We have prepared a formal incident response plan in case of a data breach.

To protect your communications through the Site, We authenticate, monitor, audit and encrypt activity. You can tell when the Site is secure by looking at the location field (URL). If the URL begins with https:// (instead of http ://), the document comes from a secure server. This means that unauthorized persons cannot read or decipher your personally identifiable information. This is part of our continuing commitment to protecting your information. Despite our efforts, no security measures are completely secure. Use of this system is consent to such monitoring and auditing.


MAXIMUS is committed to complying with the Children’s Online Privacy Protection Act. The Site is not directed at children under age 13. We do not knowingly collect information from children under age 13.


Our Site may have links to other sites. Links do not imply MAXIMUS endorsement. Other sites are not subject to the MAXIMUS privacy notice. We are not responsible for the privacy practices of other sites. We recommend that you read the privacy policies of those sites when you visit them.

Reviewing and Correcting Your Information

You have the right to access personal information that MAXIMUS and Colorado Department of Health Care Policy and Financing keep about you. If there are errors in your information, you may ask that your records be corrected. To request access to your personal information or ask for a correction, see “How to Contact Us” below.

Changes to this Privacy Notice

We will update this privacy notice. When We do, We will change the “last updated” date at the top of the privacy notice. Please check the Site from time to time for the latest version of our privacy notice. Your continued use of the Site after We have notified you of changes as described above means you accept the changes.

How to Contact Us

If you have questions about Health First Colorado, please contact us by:

Phone: Toll-free at 1-888-367-6557 (State Relay 711) or 303-839-2120

Health First Colorado Enrollment
4500 Cherry Creek South Drive
Glendale, CO 80246

If you have questions or concerns about our privacy notice, please contact us by:


MAXIMUS Privacy Office
1891 Metro Center Drive
Reston, VA 20190 USA