Arkansas Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Arkansas.
Arkansas healthcare practices operate under Ark. Code §4-110-105, the state's data breach notification statute, with enforcement vested in the Arkansas Attorney General under the Deceptive Trade Practices Act. Unlike Florida or Colorado, Arkansas does not impose a hard-coded notification deadline — the statute requires disclosure "in the most expedient time and manner possible and without unreasonable delay." That ambiguity cuts both ways: it gives practices breathing room to complete a forensic investigation, but it also means a slow-walked notification can be second-guessed in hindsight. Medical records carry one of the country's longest retention floors at 10 years from last treatment under Ark. Reg. 2.10, with the master patient index retained permanently. Practices in Little Rock, Fayetteville, Bentonville, and Fort Smith should also note the Arkansas PMP AWARxE check-every-prescription rule for controlled substances, the state's mandatory Child Abuse Hotline run by the Department of Human Services, and 24-hour reporting to the Arkansas Department of Health for communicable diseases. The compounding rule of thumb: HIPAA sets the federal floor, and Arkansas's 10-year retention plus DTPA-driven AG enforcement is what stretches the ceiling.
Breach Notification Rules
Notification deadline
Most expedient time possible
Notification must be made in the most expedient time and manner possible and without unreasonable delay.
AG notification threshold
All breaches
Notify: AG
Harm analysis required
Penalty range
Enforceable by AG under Deceptive Trade Practices Act
Enforcement Posture
The Arkansas Attorney General's office has historically taken a moderate, reactive posture on healthcare data breaches — enforcing through the Deceptive Trade Practices Act rather than a dedicated data-privacy regime. That said, "reactive" is not "absent": once a breach reaches consumer-complaint volume or makes regional news, the AG's Consumer Protection Division can investigate, request documentation, and pursue civil penalties. The penalty exposure is open-ended in the sense that DTPA damages stack per violation, so a multi-thousand-patient breach can scale quickly. Practices should expect that any notification delay longer than 60 days will be examined more critically. The Arkansas State Medical Board and the Arkansas State Board of Pharmacy run parallel licensure-discipline lanes, which is where most providers will feel the friction first if a PDMP or controlled-substance issue is involved.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
Controlled-Substance Prescription Monitoring (PMP AWARxE)
The Arkansas PMP AWARxE database is operated under the Arkansas State Board of Pharmacy and accessed at arkansas.pmpaware.net. Prescribers must register and check the database before issuing a Schedule II–V prescription, with delegation to office staff permitted. Exemptions cover hospice, active cancer treatment, inpatient hospital administration, and ≤14-day supplies for surgical procedures. Penalties for willful noncompliance can reach $10,000 in fines plus licensing-board discipline. Document each PDMP query in the chart — board investigations routinely turn on whether the check was performed and not just whether the drug was indicated.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Disciplinary action by licensing board; fines up to $10,000
Exemptions
Hospice patients, cancer patients receiving ongoing treatment, ≤14 day supply for surgical procedures, inpatient hospital administration
How Arkansas Rules Hit by Specialty
Pharmacy/compounding
Arkansas requires PMP AWARxE checks before every Schedule II–V prescription, with limited exemptions for hospice, cancer treatment, and short-supply post-surgical orders up to 14 days. Compounding pharmacies fall under the Arkansas State Board of Pharmacy's compounding rules and should layer USP <795>/<797> compliance on top of the PDMP regime.
Pediatrics
Pediatric records inherit the 10-year retention floor but practically need to be held until the patient is at least 21 (age of majority plus statute-of-limitations buffer). Arkansas's mandatory Child Abuse Hotline reporting attaches to all healthcare workers, including dental hygienists and behavioral-health staff, with Class C misdemeanor exposure for failure to report.
Behavioral health
Substance-use treatment records in Arkansas are subject to both HIPAA and 42 CFR Part 2, with Arkansas Medicaid layering additional documentation requirements. Behavioral-health providers should treat Part 2 segregation as a default architectural decision in their EHR rather than an afterthought.
Mandatory Reporting Obligations
Mandated reporters
Physicians, surgeons, nurses, dentists, dental hygienists, mental health professionals, and all healthcare workers
Report to
Arkansas Child Abuse Hotline, Department of Human Services
Timeline
Immediately / as soon as possible
Penalty for failure
Class C misdemeanor, up to 30 days jail and/or $500 fine; Class B misdemeanor for subsequent offenses
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Physicians, nurses, social workers, and all healthcare professionals
Report to
Adult Protective Services, Department of Human Services
Timeline
Immediately / as soon as possible
Penalty for failure
Class A misdemeanor, up to 1 year jail and/or $2,500 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected criminal activity
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, nurses, laboratory personnel, and healthcare facility administrators
Report to
Arkansas Department of Health
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $1,000 fine
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds or injuries from criminal violence
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Arkansas Compliance FAQs
No. Ark. Code §4-110-105 requires notification 'in the most expedient time and manner possible and without unreasonable delay,' but does not set a numerical day count. Practices should treat 60 days as a soft outer limit because that aligns with the federal HIPAA Breach Notification Rule under 45 CFR §164.404; any longer delay invites Attorney General scrutiny.
Arkansas Regulation 2.10 sets a 10-year retention floor for clinical records measured from the date of last treatment, with the master patient index retained permanently. Pediatric records should be held until the patient reaches 21 to cover statute-of-limitations tail.
The Arkansas Attorney General's Consumer Protection Division enforces breach notification violations under the Deceptive Trade Practices Act. Licensing-board sanctions (Arkansas State Medical Board, Board of Nursing, Board of Pharmacy) can run in parallel for the provider involved.
Yes. Every prescriber of controlled substances must register with PMP AWARxE and check the database before issuing a Schedule II–V prescription. Delegation to office staff is permitted, but the prescriber remains accountable. Documented exemptions cover hospice, active cancer treatment, and short-supply post-surgical orders.
Document the 10-year retention policy with explicit chart destruction procedures, retain PMP AWARxE query evidence in the chart, maintain Arkansas Child Abuse Hotline reporting policies for every clinical role, and have a Deceptive Trade Practices Act–aware breach notification template ready that names the Arkansas Attorney General as a notification recipient.
Guides & Articles
Neighboring State Compliance Guides
Stay audit-ready in Arkansas
GuardWell tracks Arkansas-specific breach deadlines, retention periods, PMP AWARxE PDMP queries, and mandatory reporting obligations automatically.