South Healthcare Compliance Guide

Breach notification deadlines, medical records retention rules, PDMP requirements, and AG-notification thresholds across the 17 states in the South region.

17 state guides

The Southern region produces the country's tightest breach-notification window (Florida's 30-day FIPA under Fla. Stat. §501.171) alongside Texas's multi-agency enforcement stack (HB 300 + Identity Theft Enforcement and Protection Act + Texas Medical Board + DFPS). Virginia's Consumer Data Protection Act layers consumer-data obligations atop the standard breach regime; North Carolina and South Carolina pursue breach-notification enforcement actively through their respective AG consumer protection units. Kentucky operates KASPER — one of the oldest PMPs in the United States, established 1998 — with a Class D felony penalty for failure to check; West Virginia's CSMP and Tennessee's CSMD enforce similarly aggressively in post-opioid-crisis specialties. Maryland's Personal Information Protection Act and the District of Columbia's consumer-protection framework apply within the Capital region. The Southern region's pediatric retention rules vary widely (Texas: age 25, Florida: age 26, Tennessee: 10 years post-majority) — practices serving residents of multiple Southern states should retain to the strictest applicable rule. Pain-management practices face the most concentrated regulatory scrutiny in this region, with KY/WV/TN/FL among the strictest PDMP regimes in the country.

Stay audit-ready across the South

GuardWell tracks state-specific breach deadlines, retention periods, PDMP queries, and mandatory reporting obligations for all 17 states in the South region.
