West Healthcare Compliance Guide

The Western region is anchored by California's Confidentiality of Medical Information Act (CMIA), which imposes a 15-business-day breach notification window — the strictest in the country — alongside Civil Code §1798.82's parallel notification requirement and CCPA's separate consumer-data regime. Colorado's HB 18-1128 (30-day breach window) and Washington's RCW 19.255 (30-day window plus My Health My Data Act overlay) round out the Pacific Coast's tight-clock posture. Oregon's 45-day clock, Arizona's 45-day clock under A.R.S. §18-552, and New Mexico's 45-day NMSA §57-12C-1 framework follow as middle-tier deadlines. The Mountain West (ID, MT, WY, UT, NV) leans toward "without unreasonable delay" standards with reactive AG enforcement, but Idaho's 30-day deadline under Idaho Code Title 28 Chapter 51 is an outlier — stricter than HIPAA's 60-day federal ceiling. Pediatric retention rules in the West include some of the longest spans nationally — Oregon's age-26-or-10-years and Colorado's age-28 (age of majority plus 10) both produce 20+ year retention windows for early-childhood records. PDMP integration is deep across the region, with California's CURES 2.0, Washington's WA PMP, and Oregon's Oregon PDMP all requiring checks on every controlled-substance prescription with active enforcement.

West Compliance Guides & Articles