Arizona Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Arizona.
Arizona healthcare compliance is anchored to A.R.S. §18-552, the state's data breach notification statute, which establishes a 45-day notification window after a covered entity determines a security breach has occurred — fifteen days tighter than the federal HIPAA Breach Notification Rule's 60-day outer limit. The Arizona Attorney General's office must be notified when a breach affects 1,000 or more Arizona residents, with civil penalties scaling up to $10,000 per violation and a $500,000 aggregate cap. Medical records retention is governed by A.R.S. §12-2297, requiring six years from last treatment for adults and a pediatric overlay that extends retention until age 21 (age of majority 18 plus three years). Layered on top, the Arizona Board of Pharmacy administers the Controlled Substances Prescription Monitoring Program, and the Arizona Department of Health Services handles communicable-disease reporting on a 24-hour timeline. For a Phoenix, Tucson, or Mesa primary-care practice, this means breach response, controlled-substance prescribing, and standard adult/pediatric retention all run on Arizona-specific clocks that diverge from the HIPAA baseline in measurable, auditable ways.
Breach Notification Rules
Notification deadline
45 calendar days
Notification must be made within 45 days after determination of a security breach.
AG notification threshold
1,000+ affected individuals
Notify: AG
Harm analysis required
Penalty range
Up to $10,000 per violation, $500,000 aggregate
Enforcement Posture
The Arizona Attorney General has historically taken a moderately active posture on healthcare-adjacent data breaches, pursuing actions under A.R.S. §18-552 and the Arizona Consumer Fraud Act when breach-notification timelines slip or when an entity's harm-analysis documentation is thin. Enforcement priorities have tended to cluster around large multi-state breaches that cross the 1,000-resident AG-notification threshold, ransomware events with delayed disclosure, and lost-device incidents where unencrypted PHI was reasonably foreseeable. The Arizona Medical Board separately pursues PDMP non-compliance through licensing discipline, and the Department of Child Safety prosecutes failure-to-report cases as Class 1 misdemeanors. Practices that document a contemporaneous four-factor harm analysis and notify within 45 days are rarely the target of standalone state action; the AG's office typically pairs slow breach response with deceptive-trade-practices theories rather than pursuing breach-notification timing in isolation.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 6 years | Last treatment |
| Pediatric | 3 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (Arizona Board of Pharmacy PDMP)
The Arizona Board of Pharmacy PDMP requires a check on every controlled-substance prescription dispensed in Arizona, with delegation permitted to clinical staff (typically MAs, RNs, or LPNs) registered under the prescribing practitioner. Carve-outs apply for hospice patients, active cancer treatment, ≤3-day emergency supplies, and dispensing practitioners administering in-office. For a primary-care practice, the practical workflow is: register the prescriber and one or two delegates at pharmacypmp.az.gov, document the PDMP check in the chart at the point of prescribing, and exclude only the narrow scenarios in the exemption list. Willful noncompliance is a Class 1 misdemeanor in addition to Medical Board licensing discipline.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; Class 1 misdemeanor for willful noncompliance
Exemptions
Hospice patients, cancer treatment, ≤3 day supply in emergency, dispensing practitioner administering in office
How Arizona Rules Hit by Specialty
Pediatrics
Arizona's pediatric retention rule extends to age 21 — age of majority (18) plus three years — which is shorter than the seven-to-ten-year overlays used in neighboring states. A Phoenix or Tucson pediatric practice should set destruction policies to hold pediatric charts until the patient's 21st birthday and treat any earlier purge as a documentation gap auditors will flag.
Pain management
Arizona's PDMP requires a check on every controlled-substance prescription, with limited exemptions for hospice, cancer treatment, and ≤3-day emergency supplies. Pain-management clinics in high-prescribing Arizona counties face heightened Medical Board scrutiny when the audit trail shows missing PDMP queries — Class 1 misdemeanor exposure attaches to willful noncompliance, not just licensing discipline.
Dental practices
Arizona dentists prescribing Schedule II-IV analgesics are full participants in the Board of Pharmacy PDMP and are mandated child-abuse reporters under A.R.S. §13-3620 — a dual obligation that frequently surfaces in pediatric dental visits. Failure to file a child-abuse report on reasonable suspicion is a Class 1 misdemeanor with up to $2,500 in fines plus six months in jail.
Telehealth providers
Telehealth providers prescribing to Arizona-resident patients must register with the Arizona Board of Pharmacy PDMP regardless of the provider's physical location, and any breach affecting Arizona residents triggers the A.R.S. §18-552 45-day clock even if the practice is headquartered out of state. The breach-notification long-arm is one of the more aggressive in the southwestern US.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, nurses, dentists, psychologists, counselors, social workers, and all other healthcare professionals | Department of Child Safety (DCS) or local law enforcement | Immediately / as soon as possible | Class 1 misdemeanor, up to 6 months jail and/or $2,500 fine | Good faith reporters immune from civil and criminal liability |
| Physicians, nurses, and all healthcare practitioners with direct patient contact | Adult Protective Services, Department of Economic Security | Immediately / as soon as possible | Class 1 misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from domestic violence or criminal acts | Local law enforcement | Immediately / as soon as possible | Class 1 misdemeanor | Good faith reporters immune from civil liability |
| Physicians, nurses, laboratory directors, healthcare facility administrators | Arizona Department of Health Services or local county health department | Within 24 hours | Class 2 misdemeanor, up to $750 fine | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot or stab wounds | Local law enforcement | Immediately / as soon as possible | Class 3 misdemeanor | Good faith reporters immune from civil and criminal liability |
Arizona Compliance FAQs
Arizona requires notification within 45 days after the covered entity determines a security breach has occurred — fifteen days tighter than the federal HIPAA 60-day outer limit. If the breach affects 1,000 or more Arizona residents, the Arizona Attorney General's office must also be notified. Civil penalties scale up to $10,000 per violation with a $500,000 aggregate cap, and harm-analysis documentation is required to support any decision not to notify.
Arizona requires pediatric record retention until the patient reaches age 21 — age of majority (18) plus three years — under A.R.S. §12-2297 and Board of Medical Examiners rules. Adult records must be retained six years from last treatment. Pediatric specialty practices should set destruction policies that hold charts until the 21st birthday rather than the date of last treatment, because the age-of-majority overlay frequently catches practices off-guard during a Board audit.
Yes. The Arizona Board of Pharmacy PDMP permits delegation to clinical staff, including medical assistants, registered nurses, and licensed practical nurses, provided each delegate registers under the supervising prescriber at pharmacypmp.az.gov. The prescriber remains accountable for the PDMP check on every controlled-substance prescription. Willful noncompliance — by the prescriber or the delegate — is a Class 1 misdemeanor in addition to Medical Board licensing discipline.
Failing to file a mandated child-abuse report in Arizona is a Class 1 misdemeanor under A.R.S. §13-3620, carrying up to six months in jail and/or a $2,500 fine. Healthcare professionals — physicians, nurses, dentists, psychologists, counselors, social workers — are mandated reporters and must report reasonable suspicion to the Department of Child Safety or local law enforcement. Good-faith reporters are immune from civil and criminal liability.
Yes. The Arizona Board of Pharmacy PDMP requires a check on every controlled-substance prescription, with narrow carve-outs for hospice patients, active cancer treatment, ≤3-day emergency supplies, and dispensing practitioners administering in-office. The check must be contemporaneous with the prescribing decision and documented in the chart. The Arizona Medical Board treats a missing PDMP query as Class 1 misdemeanor exposure on top of standard licensing discipline.
Stay audit-ready in Arizona
GuardWell tracks Arizona-specific breach deadlines, retention periods, Arizona Board of Pharmacy PDMP queries, and mandatory reporting obligations automatically.
