Delaware Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Delaware.
Delaware medical practices operate under 6 Del. C. §12B-101 et seq., which requires breach notification within 60 days after determination of the breach. The Delaware Attorney General must be notified whenever 500 or more Delaware residents are affected, and the Consumer Protection Unit of the AGO is the primary enforcer with civil penalties up to $10,000 per violation. Medical records carry a 7-year retention floor from last contact under 24 Del. Admin. Code §4304. The Delaware PMP (administered through the PMP AWARxE platform) requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, post-surgical 14-day supplies, and inpatient administration. Child-abuse reporting routes through the Division of Family Services Report Line or local law enforcement under 16 Del. C. §902, with serious penalties: a Class A misdemeanor for a first offense and a Class E felony for subsequent offenses — among the most punitive failure-to-report regimes in the Northeast.
Breach Notification Rules
Notification deadline
60 calendar days
Notification must be made within 60 days after determination of the breach. AG must be notified if 500+ Delaware residents affected.
AG notification threshold
500+ affected individuals
Notify: AG
Harm analysis required
Penalty range
Up to $10,000 per violation
Enforcement Posture
Delaware's enforcement posture is moderate. The Attorney General's Consumer Protection Unit has clear authority under 6 Del. C. §12B-101 and has historically followed up on breach notifications, particularly those above the 500-resident AG-notification threshold. The 60-day notification deadline is a hard procedural cap, and the $10,000 per-violation penalty range gives the office meaningful leverage even in smaller cases. Delaware's Division of Professional Regulation provides parallel enforcement on the 7-year retention rule through licensure surveys. Practices that meet the 60-day clock, document a harm analysis, and notify the AG above the 500-resident threshold are well-positioned. The escalating child-abuse-reporting penalty structure (misdemeanor → felony for repeat offenders) makes documented training and clear reporting protocols essential.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
Controlled-Substance Prescription Monitoring (PMP AWARxE)
The Delaware PMP, accessed through the PMP AWARxE platform, must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, post-surgical prescriptions of 14 days or less, and inpatient facility administration. Delegation to authorized staff is permitted. Civil penalties run up to $10,000 per violation, with the relevant licensing board empowered to impose discipline and possible criminal prosecution for pattern noncompliance.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties up to $10,000; possible criminal prosecution
Exemptions
Hospice patients, patients in inpatient facilities, ≤14 day supply post-surgical, cancer treatment
How Delaware Rules Hit by Specialty
Pediatrics
Delaware's child-abuse reporting regime is among the strictest in the Northeast — a Class A misdemeanor for a first failure-to-report and a Class E felony for subsequent failures. Pediatric practices need documented annual training, clear protocols, and audit-ready records of every reportable suspicion encountered.
Pain management
Delaware PMP queries via PMP AWARxE are required before every controlled-substance prescription. Delaware also limits initial opioid prescriptions for acute pain to short durations — pain practices need the PDMP check and the duration limit captured at every prescription event.
Behavioral health
Delaware mental-health confidentiality rules under 16 Del. C. §5161 impose consent and disclosure requirements stricter than HIPAA for most psychiatric record disclosure. Substance-use confidentiality under 42 CFR Part 2 applies in parallel.
Mandatory Reporting Obligations
Mandated reporters
Physicians, nurses, dentists, psychologists, any healthcare professional, and any person who knows or suspects child abuse
Report to
Division of Family Services (DFS) Report Line or local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class A misdemeanor, up to 1 year jail; Class E felony for subsequent offenses
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Physicians, nurses, and all healthcare professionals
Report to
Adult Protective Services, Division of Services for Aging and Adults with Physical Disabilities
Timeline
Immediately / as soon as possible
Penalty for failure
Class A misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers when treating injuries from suspected domestic violence
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, nurses, laboratory directors, and healthcare facility administrators
Report to
Delaware Division of Public Health
Timeline
Within 24 hours
Penalty for failure
Up to $1,000 fine per day of violation
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class B misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Delaware Compliance FAQs
60 days from determination of the breach under 6 Del. C. §12B-101 et seq. The Delaware Attorney General must be notified whenever 500 or more Delaware residents are affected.
24 Del. Admin. Code §4304 sets 7 years from last contact for adult records. The HIPAA 6-year floor applies in parallel.
Every prescriber must query the Delaware PMP (via PMP AWARxE) before every controlled-substance prescription. Exemptions cover hospice, cancer treatment, post-surgical ≤14-day supplies, and inpatient administration.
Under 16 Del. C. §903, every person — including all healthcare professionals — who knows or suspects child abuse must report to the Division of Family Services Report Line or local law enforcement. Failure is a Class A misdemeanor for a first offense and escalates to a Class E felony for subsequent offenses.
Up to $10,000 per violation under 6 Del. C. §12B-101 et seq., enforced by the Attorney General's Consumer Protection Unit.
Stay audit-ready in Delaware
GuardWell tracks Delaware-specific breach deadlines, retention periods, PMP AWARxE PDMP queries, and mandatory reporting obligations automatically.