Skip to main content
GuardWell Compliance

South Healthcare Compliance Guide

Breach notification deadlines, medical records retention rules, PDMP requirements, and AG-notification thresholds across the 17 states in the South region.

17 state guides

The Southern region produces the country's tightest breach-notification window (Florida's 30-day FIPA under Fla. Stat. §501.171) alongside Texas's multi-agency enforcement stack (HB 300 + Identity Theft Enforcement and Protection Act + Texas Medical Board + DFPS). Virginia's Consumer Data Protection Act layered consumer-data obligations atop the standard breach regime; North Carolina and South Carolina pursue breach-notification enforcement actively through their respective AG consumer protection units. Kentucky operates KASPER — one of the oldest PMPs in the United States, established 1998 — with a Class D felony penalty for failure to check; West Virginia's CSMP and Tennessee's CSMD enforce similarly aggressively in post-opioid-crisis specialties. Maryland's Personal Information Protection Act and the District of Columbia's consumer-protection framework apply within the Capital region. The Southern region's pediatric retention rules vary widely (Texas: age 25, Florida: age 26, Tennessee: 10 years post-majority) — practices serving residents of multiple Southern states should retain to the strictest applicable rule. Pain-management practices face the most concentrated regulatory scrutiny in this region, with KY/WV/TN/FL among the strictest PDMP regimes in the country.

South State Compliance Guides

ALStricter

Alabama

Expedient breach · 6-yr retention

PMP AWARxE

AR

Arkansas

Expedient breach · 10-yr retention

PMP AWARxE

DE

Delaware

60-day breach · 7-yr retention

PMP AWARxE

DC

District of Columbia

Expedient breach · 3-yr retention

DC PMP

FLStricter

Florida

30-day breach · 7-yr retention

E-FORCSE

GA

Georgia

Expedient breach · 10-yr retention

Georgia PDMP

KY

Kentucky

Expedient breach · 5-yr retention

KASPER

LA

Louisiana

60-day breach · 10-yr retention

PMP AWARxE

MDStricter

Maryland

45-day breach · 5-yr retention

Maryland PDMP

MS

Mississippi

Expedient breach · 7-yr retention

PMP AWARxE

NC

North Carolina

Expedient breach · 11-yr retention

NC Controlled Substances Reporting System

OK

Oklahoma

Expedient breach · 7-yr retention

Oklahoma PMP

SC

South Carolina

Expedient breach · 10-yr retention

SC SCRIPTS

TN

Tennessee

60-day breach · 10-yr retention

TN CSMD

TX

Texas

60-day breach · 7-yr retention

Texas PMP

VA

Virginia

60-day breach · 6-yr retention

Virginia PMP

WV

West Virginia

Expedient breach · 10-yr retention

WV CSMP

South Compliance Guides & Articles

Regulatory

Your State AG Opened a HIPAA Investigation: Practice Rights and Response Strategy

HIPAA

Ransomware Hit Your Practice: The HIPAA Breach Response Checklist

Regulatory

DEA Controlled Substance Compliance for Medical Practices

HIPAA

HIPAA Breach Notification: Rules, Timelines, and Penalties

Other regions

Northeast Region (9 states)Midwest Region (12 states)West Region (13 states)All 50 states

Stay audit-ready across the South

GuardWell tracks state-specific breach deadlines, retention periods, PDMP queries, and mandatory reporting obligations for all 17 states in the South region.

Free compliance scoreSee a demo

GuardWell

Healthcare Compliance Assistant

Hi! I'm GuardWell's sales assistant.

I can answer questions about our healthcare compliance platform, pricing, and features. How can I help?

Powered by GuardWell AI