Connecticut Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Connecticut.
Connecticut medical practices operate under Conn. Gen. Stat. §36a-701b, which requires breach notification within 60 days of discovery and — unusually — requires simultaneous notification to the Connecticut Attorney General regardless of breach size. There is no resident-count threshold for AG notification. The Connecticut Unfair Trade Practices Act (CUTPA) supplies the enforcement teeth: civil penalties up to $5,000 per violation. The state's medical-record retention floor under Conn. Gen. Stat. §19a-14 is 7 years from last treatment, with pediatric records running until age of majority plus 7 years. The Connecticut PMP requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 72-hour supplies, and inpatient/long-term care. Child-abuse reports route through the Department of Children and Families Careline under CGS §17a-101e, with a Class A misdemeanor for failure to report. Gunshot-wound reporting to local law enforcement is mandatory for all healthcare providers treating those injuries.
Breach Notification Rules
| Item | Detail |
|---|---|
| Notification deadline | 60 calendar days. Notification must be made no later than 60 days after discovery of the breach. AG must be notified simultaneously. |
| AG notification threshold | All breaches |
| Notify | AG |
| Harm analysis required | |
| Penalty range | Up to $5,000 per violation under CUTPA |
Enforcement Posture
The Connecticut Attorney General is notably active in healthcare data-breach enforcement. Because §36a-701b requires AG notification on every breach — not just breaches above a threshold — the office has a continuous pipeline of incidents to review, and it has historically pursued CUTPA actions against healthcare organizations whose response timelines or safeguards fell short. The Department of Consumer Protection oversees the PDMP, and the Department of Public Health enforces the retention rule through licensure surveys. The combined effect is that Connecticut practices face one of the more attentive state enforcement environments in the Northeast. Practices that notify the AG within the 60-day window, document a four-factor harm analysis, and demonstrate written safeguards programs are well-positioned; practices that delay notification or lack a written security risk analysis face concrete CUTPA exposure.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (Connecticut PMP)
The Connecticut PMP is administered by the Department of Consumer Protection and must be queried before every controlled-substance prescription. Exemptions cover hospice patients, cancer treatment, ER 72-hour supplies, and inpatient hospital or long-term care administration. Delegation to authorized staff is permitted. The licensing boards can impose discipline up to license revocation, and civil fines run up to $1,000 per violation with possible criminal penalties for pattern noncompliance.
| Item | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | Yes |
| Penalty range | License suspension or revocation; fines up to $1,000 per violation; possible criminal penalties |
| Exemptions | Hospice patients, cancer treatment, ≤72 hour supply in ER, inpatient hospital or long-term care facility administration |
How Connecticut Rules Hit by Specialty
Pain management
Connecticut PMP queries are required before every controlled-substance prescription, including refills. Connecticut also limits adult acute-pain opioid prescriptions to 7 days under CGS §20-14p — pain practices need to document both the PDMP check and the duration limit at the point of prescribing.
Behavioral health
Connecticut's psychiatric record confidentiality rules under CGS §52-146e impose stricter consent requirements than HIPAA for most disclosures of mental-health records, and minors aged 13+ have independent consent rights for certain mental-health services.
Dental practices
Connecticut dental offices fall under the same 60-day breach rule and Connecticut PMP query duty for any controlled-substance prescribing — most general dentists prescribe enough Schedule II for post-op pain to need a workflow check at every prescription.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, surgeons, nurses, dentists, dental hygienists, psychologists, school employees, social workers, and all healthcare professionals | Department of Children and Families (DCF) Careline | Immediately / as soon as possible | Class A misdemeanor, up to 1 year jail and/or $2,000 fine | Good faith reporters immune from civil and criminal liability under CGS 17a-101e |
| Physicians, nurses, dentists, psychologists, and all licensed healthcare professionals | Department of Social Services, Elderly Protective Services | Immediately / as soon as possible | Up to $2,500 fine | Good faith reporters immune from civil and criminal liability |
| Healthcare providers when treating injuries reasonably believed to result from abuse | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, healthcare facilities, and infection control practitioners | Connecticut Department of Public Health | Within 24 hours | Up to $1,000 fine per violation | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or stab wounds | Local law enforcement | Immediately / as soon as possible | Class A misdemeanor | Good faith reporters immune from civil and criminal liability |
Connecticut Compliance FAQs
Yes. Conn. Gen. Stat. §36a-701b requires simultaneous notification to the Connecticut Attorney General whenever residents must be notified — there is no resident-count threshold. The 60-day clock runs from discovery.
Every prescriber must query the Connecticut PMP before every controlled-substance prescription. Exemptions cover hospice, cancer treatment, ER ≤72-hour supplies, and inpatient/long-term care administration. Delegation to staff is allowed.
Conn. Gen. Stat. §19a-14 sets 7 years from last treatment for adult records. Pediatric records run until the patient reaches age of majority plus 7 years.
All licensed healthcare professionals — physicians, surgeons, nurses, dentists, dental hygienists, psychologists, social workers — are mandated reporters under CGS §17a-101a. Reports go to the DCF Careline. Failure is a Class A misdemeanor up to 1 year jail and/or $2,000.
Up to $5,000 per violation under CUTPA. The Connecticut AG has separate enforcement authority under CUTPA and has historically used it in healthcare data-breach matters, and licensing boards can impose discipline in parallel.
