District of Columbia Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in the District of Columbia.
District of Columbia medical practices operate under D.C. Code §28-3851 et seq., which requires breach notification "in the most expedient time possible and without unreasonable delay." The DC Attorney General must be notified along with affected individuals, and the AGO's Office of Consumer Protection is the primary enforcer. Penalties run up to $100 per notification failure with a $25,000 cap per breach — modest by federal-jurisdiction comparison but meaningful for smaller practices. Medical records carry one of the shorter state-floor retention windows: 3 years under D.C. Mun. Regs. tit. 22-B §2211, with pediatric records also at 3 years past age of majority. The HIPAA 6-year floor remains the operative minimum for most DC practices. The DC PMP requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 7-day supplies, and inpatient administration. Child-abuse reporting routes through the Child and Family Services Agency Hotline or the Metropolitan Police Department under D.C. Code §4-1321.02, and elder-abuse reporting carries a 24-hour clock to Adult Protective Services.
Breach Notification Rules
| Item | Detail |
|---|---|
| Notification deadline | Most expedient time possible. Notification must be made in the most expedient time possible and without unreasonable delay. AG must be notified along with affected individuals. |
| AG notification threshold | All breaches (Notify: AG) |
| Harm analysis required | |
| Penalty range | Up to $100 per notification failure, max $25,000 |
Enforcement Posture
The DC Attorney General's Office of Consumer Protection has an active consumer-protection focus and has historically pursued data-security matters under both D.C. Code §28-3851 et seq. and the District's Consumer Protection Procedures Act. The District's small geography and high concentration of federal healthcare entities create an enforcement environment where state, federal, and DC-specific regulators often interact on the same incident. Practices serving DC residents from out-of-state — common given the metro footprint — owe the same DC notification duties as practices physically located in the District. Department of Health licensure surveys provide a parallel enforcement track on the 3-year retention floor, though most practices follow HIPAA's longer 6-year window in practice. Practices that document a prompt notification timeline and notify both affected residents and the AGO simultaneously are well-positioned.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 3 years | Last treatment |
| Pediatric | 3 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (DC PMP)
The DC PMP must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 7 days or less, and inpatient hospital administration. Delegation to authorized staff is permitted. Licensing-board discipline applies for noncompliance, and civil fines run up to $5,000 per violation.
| Item | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | Permitted (authorized staff) |
| Penalty range | Licensing board discipline; civil fines up to $5,000 per violation |
| Exemptions | Hospice patients, cancer treatment, inpatient hospital administration, ≤7 day supply in emergency |
How District of Columbia Rules Hit by Specialty
Telehealth providers
DC's small geographic footprint means many telehealth practices serve DC residents from Maryland, Virginia, or further. Those practices owe full D.C. Code §28-3851 compliance for any DC-resident breach, regardless of physical location, and need a clear post-incident routing plan that includes the DC AGO Office of Consumer Protection.
Hospital systems
DC hospital systems face overlapping oversight from the DC Department of Health, federal regulators (given proximity to NIH and VA facilities), and the DC AGO. Coordinated breach response across all three is essential, and the 'most expedient time possible' standard means timeline documentation is critical.
Behavioral health
DC mental-health confidentiality under D.C. Code §7-1201.01 et seq. layers consent and disclosure requirements onto HIPAA, with separate authorization typically required for psychiatric record release.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, nurses, dentists, psychologists, social workers, and all licensed healthcare professionals | Child and Family Services Agency (CFSA) Hotline or Metropolitan Police Department | Immediately / as soon as possible | Misdemeanor, up to $1,000 fine and/or 180 days jail | Good faith reporters immune from civil and criminal liability |
| Physicians, nurses, and all healthcare professionals | Adult Protective Services, Department of Disability Services | Within 24 hours | Misdemeanor, up to $1,000 fine | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries reasonably believed caused by domestic violence | Metropolitan Police Department | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, healthcare facilities, and infection control professionals | DC Department of Health, Division of Epidemiology | Within 24 hours | Up to $5,000 fine per violation | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot or stab wounds | Metropolitan Police Department | Immediately / as soon as possible | Misdemeanor, up to $1,000 fine | Good faith reporters immune from civil and criminal liability |
District of Columbia Compliance FAQs
D.C. Code §28-3851 et seq. requires notification 'in the most expedient time possible and without unreasonable delay,' with no fixed day-count cap. The DC Attorney General must be notified along with affected individuals.
D.C. Mun. Regs. tit. 22-B §2211 sets 3 years from last treatment as the DC floor — one of the shortest state-level retention windows in the country. The HIPAA 6-year minimum applies in parallel and is the operative floor for most practices.
Every prescriber must query the DC PMP before every controlled-substance prescription, with exemptions for hospice, cancer treatment, ER ≤7-day supplies, and inpatient administration.
Under D.C. Code §4-1321.02, all healthcare professionals must report suspected child abuse to the Child and Family Services Agency Hotline or the Metropolitan Police Department. Failure is a misdemeanor with up to $1,000 in fines and/or 180 days jail.
Up to $100 per notification failure with a $25,000 cap per breach. The DC AGO's Office of Consumer Protection enforces under the breach rule and the Consumer Protection Procedures Act in parallel.
