State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in California.
Notification deadline
Most expedient time possible
Notification must be made in the most expedient time possible and without unreasonable delay. CMIA (medical data) requires notification within 15 business days. The Attorney General (AG) must be notified if 500+ California residents are affected.
AG notification threshold
500+ affected individuals
Notify: AG
Harm analysis required
Penalty range
Civil penalties up to $7,500 per violation under CCPA; CMIA statutory damages $1,000-$25,000 per patient
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
| Mental health | 7 years | Last treatment |
Check required
All controlled substances
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board citation and fine; possible license suspension for repeated violations; fines up to $4,000 per violation
Exemptions
Hospice patients, cancer treatment, ≤5 day supply in ER or post-surgical, dispensing practitioner administering in office, patients in comprehensive pain management program
Mandated reporters
Physicians, surgeons, psychiatrists, psychologists, dentists, nurses, dental hygienists, optometrists, chiropractors, podiatrists, EMTs, paramedics, clinical social workers, marriage and family therapists
Report to
County child protective agency or local law enforcement (cross-report required)
Timeline
Within 36 hours
Penalty for failure
Misdemeanor, up to 6 months jail and/or $1,000 fine; up to 1 year if willful
Immunity provision
Good faith reporters immune from civil and criminal liability under Penal Code 11172
Mandated reporters
All healthcare practitioners, clinicians, and any person who provides health services
Report to
Adult Protective Services or local law enforcement; Long-Term Care Ombudsman for facility residents
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to 6 months jail and/or $1,000 fine; up to 1 year if great bodily injury or death results
Immunity provision
Good faith reporters immune from civil and criminal liability under Welfare & Institutions Code 15634
Mandated reporters
All healthcare practitioners who provide medical services for a physical condition (mandatory when assaultive or abusive injuries are observed)
Report to
Local law enforcement immediately by phone and written report within 2 business days
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to 6 months jail and/or $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability under Penal Code 11161.9
Mandated reporters
Physicians, laboratories, healthcare facilities, and health officers
Report to
Local Health Officer or California Department of Public Health
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $1,000 fine per violation
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Every person, firm, or corporation managing any hospital, pharmacy, or clinic, and every physician
Report to
Local law enforcement immediately by phone
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to 6 months jail and/or $1,000 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
GuardWell tracks California-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.