Pop quiz: are medical records “confidential,” “privileged,” or both? Answer: yes. Here, Defendant, a state agency, required licensed drug and alcohol treatment programs to submit forms with confidential patient information. In the trial court, Plaintiff claimed the forms violated state and federal statutes. The court of appeals first held the doctor-patient “privilege” under CRS 13-90-107 only protects testimonial witnesses. Federal law protects the “confidentiality” of medical records (42 U.S.C. § 290dd-2; 42 C.F.R. §§ 2.1, 2.2), except for entities with “direct administrative control” over a program. The court held the agency lacked that control, but the forms could be required for an audit or evaluation if there were a data retention and destruction policy. Here, there was no evidence of a data policy; until there was, Plaintiff was not required to submit the forms.