Hawaii Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Hawaii.
Hawaii's healthcare compliance regime is anchored by HRS Chapter 487N — the state's security-breach-of-personal-information law — and is uniquely routed not through the Attorney General but the Hawaii Office of Consumer Protection, the state's primary enforcement arm for unfair-trade-practice complaints under HRS § 480. Hawaii requires breach notification "without unreasonable delay, consistent with law enforcement needs," with civil penalties up to $2,500 per violation. Medical-records retention sits at 7 years under Hawaii Admin. Rules § 11-93. The state's PDMP — the Hawai'i Prescription Monitoring Program at hawaii.pmpaware.net — must be queried on every controlled-substance prescription. Hawaii's geographic isolation across the Hawaiian Islands creates a particular operational pattern: small island-based practices, often the only provider for hundreds of square miles, must demonstrate the same compliance rigor as mainland multi-location systems, and a breach affecting residents on multiple islands triggers a single coordinated notification through the Department of Commerce and Consumer Affairs.
Breach Notification Rules
Notification deadline: Most expedient time possible
Notification must be made without unreasonable delay, consistent with law enforcement needs and measures to determine scope of breach.
AG notification threshold: All breaches
Notify: Hawaii Office of Consumer Protection
Harm analysis required
Penalty range: Up to $2,500 per violation under consumer protection law
Enforcement Posture
Hawaii's enforcement posture is moderate and largely complaint-driven. The Office of Consumer Protection, housed within the Department of Commerce and Consumer Affairs, handles most healthcare-data complaints under HRS § 480 and Chapter 487N. The Hawaii Department of Health's Office of Health Care Assurance separately licenses healthcare facilities and can suspend or revoke licensure for breach-related failures. Historically the Office of Consumer Protection has favored corrective-action agreements over adversarial litigation, but the statutory penalty cap ($2,500 per violation) allows aggregation across affected residents in ways that can produce substantial recoveries in large breaches. Mandatory child-abuse reports under HRS Chapter 350 carry petty-misdemeanor exposure for failure to report, with immunity under HRS § 350-3 for good-faith reporters.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
Controlled-Substance Prescription Monitoring (Hawai'i PMP)
The Hawai'i Prescription Monitoring Program (hawaii.pmpaware.net), administered through the Department of Public Safety's Narcotics Enforcement Division, requires queries on every controlled-substance prescription. Delegation to licensed staff is permitted. Exemptions cover hospice patients, cancer treatment, inpatient administration, and in-office ≤3-day supplies. Out-of-state telehealth prescribers issuing controlled-substance prescriptions for Hawaii residents must register and check the database. Licensing-board discipline plus possible misdemeanor charges form the enforcement backstop.
Check required: Every prescription
Check frequency: Every prescription
Delegation allowed
Penalty range: Licensing board discipline; civil penalties; possible misdemeanor charges
Exemptions: Hospice patients, cancer treatment, inpatient hospital administration, ≤3 day supply administered in office
How Hawaii Rules Hit by Specialty
Telehealth providers
Hawaii's geography makes telehealth foundational. Out-of-state providers serving Hawaii residents fall under HRS 487N for breaches involving Hawaii data and must comply with Hawai'i PMP rules for any controlled-substance prescription. The Hawaii Medical Board requires a Hawaii license or recognized telehealth registration.
Behavioral health
Behavioral-health records follow the standard 7-year retention under Hawaii Admin. Rules § 11-93, but practitioners should note that the petty-misdemeanor penalty for failure to report suspected child abuse under HRS 350 applies regardless of therapeutic privilege. Document mandated-reporter training annually.
Pediatrics
Hawaii's general 7-year retention has no codified pediatric extension. Pediatric best practice argues for retention until age of majority (18) plus 7 years — effectively 25 years from birth — to align with malpractice statutes of limitations and continuity-of-care needs across the islands.
Pharmacy/compounding
Hawaiian pharmacies and compounding sites must register with the Hawai'i PMP and report dispensing data on a defined schedule. Mandatory communicable-disease reporting (HRS 325) to the Disease Outbreak Control Division runs on a 24-hour clock for designated conditions.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals | Department of Human Services, Child Welfare Services | Immediately / as soon as possible | Petty misdemeanor | Good faith reporters immune from civil and criminal liability under HRS 350-3 |
| Physicians, nurses, and all licensed healthcare professionals | Adult Protective Services, Department of Human Services | Immediately / as soon as possible | Petty misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers when treating injuries reasonably suspected to result from domestic abuse | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Hawaii Department of Health, Disease Outbreak Control Division | Within 24 hours | Misdemeanor, up to $1,000 fine | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or stab wounds | Local law enforcement | Immediately / as soon as possible | Petty misdemeanor | Good faith reporters immune from civil and criminal liability |
Hawaii Compliance FAQs
Under HRS Chapter 487N, you must notify affected Hawaii residents and the Hawaii Office of Consumer Protection (the AG's role in most states is filled here by OCP within the Department of Commerce and Consumer Affairs). Notification is required 'without unreasonable delay'; there is no fixed day count.
Yes. Hawai'i PMP allows licensed staff to perform queries under a documented standing order from the prescriber, who remains responsible for reviewing the result before issuing the prescription. Unlicensed front-desk staff cannot perform the query.
Hawaii Admin. Rules § 11-93 requires 7 years of retention from the last treatment date. Pediatric records have no separate codified extension, but best practice is to retain until age 25 (age of majority plus 7 years) to align with statute-of-limitations and continuity needs.
Civil penalties under HRS Chapter 487N reach $2,500 per violation, enforced by the Office of Consumer Protection. Aggregated across hundreds or thousands of affected residents, totals can be substantial. Licensing boards can separately suspend or revoke facility licenses for breach-related failures.
Yes. HRS Chapter 325 and supporting administrative rules require reporting designated communicable diseases to the Hawaii Department of Health's Disease Outbreak Control Division within 24 hours for most reportable conditions. Failure to report is a misdemeanor with fines up to $1,000.
