
Illinois Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Illinois.

At a glance: expedient notification · 10-year retention · Illinois PMP

Illinois imposes one of the most layered privacy frameworks in the country on medical practices. The Personal Information Protection Act (815 ILCS 530) requires breach notification "in the most expedient time possible and without unreasonable delay" and requires that the Illinois Attorney General be notified — but PIPA is only one statute in a stack. The Biometric Information Privacy Act (BIPA, 740 ILCS 14) sits on top with a private right of action, written-consent rules, and statutory damages of $1,000–$5,000 per violation that have driven nine-figure class settlements against operators using fingerprint timeclocks and facial-recognition systems. The Illinois Genetic Information Privacy Act (410 ILCS 513) layers a third regime over genetic testing and family history. Behavioral-health and substance-use records carry yet a fourth: the Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110), which the courts have read as stricter than HIPAA. Medical practices operating in Cook County or DuPage County also see active oversight from the Illinois Department of Public Health (IDPH) and the Illinois Department of Children and Family Services on mandatory reporting. Taken together, PIPA, BIPA, and the Confidentiality Act mean that Illinois adds more obligations beyond what HIPAA already requires than any other state your compliance program has to cover.

Breach Notification Rules

Notification deadline: Most expedient time possible. Notification must be made in the most expedient time possible and without unreasonable delay. The AG must be notified. Note: BIPA (biometric data) has separate requirements.

AG notification threshold: All breaches (notify: AG)

Harm analysis required: Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range: Up to $50,000 for initial violation, $100,000 for subsequent; BIPA: $1,000-$5,000 per violation

Comparable to federal HIPAA.

Enforcement Posture

The Office of the Illinois Attorney General is one of the more active state AGs on healthcare privacy and consumer-protection enforcement in the Midwest, and the AG's office regularly opens parallel investigations alongside OCR following large breach disclosures. BIPA enforcement has been driven largely through the plaintiffs' bar — the statute's private right of action means a single employee's biometric timeclock complaint can trigger class certification — but the AG's office also pursues PIPA actions under its Consumer Fraud and Deceptive Business Practices Act authority. Practices should assume that any breach notification filed with the AG will be reviewed against PIPA's harm-analysis requirement and that BIPA exposure on biometric equipment is independent of the PIPA breach posture. Document your written biometric consents, your BIPA retention schedule, and your PIPA risk-of-harm analysis separately.

Medical Records Retention

Record type       | Retention period | Measured from
General medical   | 10 years         | Last treatment
Pediatric         | 10 years         | Patient turns 18
Mental health     | 12 years         | Last treatment

Controlled-Substance Prescription Monitoring (Illinois PMP)

The Illinois Prescription Monitoring Program (Illinois PMP) requires a query before issuing the initial prescription for a controlled substance and at least every 90 days thereafter for ongoing therapy. Delegation to licensed pharmacists, nurses, or PA/NP designees is permitted, which lets larger practices spread the query workload, but the prescriber remains accountable for documentation in the chart. Registration at ilpmp.org is mandatory for all DEA registrants prescribing in Illinois. Civil penalties up to $10,000 per violation and licensing-board discipline apply for failure to query.

Check required: At the initial prescription (initial_rx)

Check frequency: Every 90 days

Delegation allowed: Yes — licensed staff may query under prescriber oversight

Penalty range: Licensing board discipline; civil penalties up to $10,000 per violation; possible criminal charges

Exemptions: Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient administration, medication-assisted treatment for substance use disorder

How Illinois Rules Hit by Specialty

Behavioral health

The Illinois Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) is stricter than HIPAA on disclosures, requires written authorization for most releases beyond treatment, and carries a 12-year retention floor — longer than the 10-year general rule. Document your MHDDCA-specific release-of-information workflow.

Pediatrics

Pediatric records must be retained until age of majority plus 10 years (effectively age 28). The DCFS Hotline is the mandatory reporting channel for suspected child abuse, and failure to report is a Class A misdemeanor on first offense and a Class 4 felony on subsequent offenses.

Dental practices

Dental practices using biometric login on operatory workstations or fingerprint timeclocks for staff fall squarely within BIPA. Confirm written informed-consent forms are on file before any biometric template is captured, and verify your timeclock vendor's BIPA retention policy aligns with yours.

Telehealth providers

Genetic Information Privacy Act (410 ILCS 513) applies to any telehealth practice ordering genetic panels for Illinois residents; consent and disclosure rules layer over HIPAA and GINA.

Mandatory Reporting Obligations

Suspected child abuse (DCFS)

Mandated reporters: Physicians, nurses, dentists, psychologists, social workers, EMTs, pharmacists, and all healthcare professionals

Report to: Department of Children and Family Services (DCFS) Hotline

Timeline: Immediately / as soon as possible

Penalty for failure: Class A misdemeanor for first offense; Class 4 felony for subsequent offenses

Immunity provision: Good faith reporters immune from civil and criminal liability under 325 ILCS 5/9

Abuse of eligible adults (Adult Protective Services)

Mandated reporters: Physicians, nurses, social workers, and all healthcare professionals

Report to: Adult Protective Services, Department on Aging

Timeline: Immediately / as soon as possible

Penalty for failure: Class A misdemeanor

Immunity provision: Good faith reporters immune from civil and criminal liability under 320 ILCS 20/4

Injuries from suspected domestic violence or criminal acts

Mandated reporters: Healthcare providers treating injuries from suspected domestic violence or criminal acts

Report to: Local law enforcement

Timeline: Immediately / as soon as possible

Immunity provision: Good faith reporters immune from civil liability

Infectious disease reporting (IDPH)

Mandated reporters: Physicians, laboratories, healthcare facilities, and infection control practitioners

Report to: Illinois Department of Public Health or local health department

Timeline: Within 24 hours

Penalty for failure: Class A misdemeanor, up to $1,000 fine

Immunity provision: Good faith reporters immune from civil liability

Gunshot, stab, and criminal-violence wounds

Mandated reporters: All healthcare providers treating gunshot wounds, stab wounds, or injuries from criminal violence

Report to: Local law enforcement

Timeline: Immediately / as soon as possible

Penalty for failure: Class A misdemeanor

Immunity provision: Good faith reporters immune from civil and criminal liability

Illinois Compliance FAQs

Does BIPA apply to a medical practice that uses biometric timeclocks or logins?

Yes. BIPA (740 ILCS 14) applies to any private entity that collects, stores, or uses biometric identifiers (fingerprints, retina/iris scans, voiceprints, face geometry). Before capturing biometric data from staff or patients, you must obtain written informed consent, disclose your retention and destruction schedule in writing, and publish a written policy. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation — per person, per incident — which has driven very large settlements against healthcare employers.

How quickly must a breach be reported in Illinois?

The Personal Information Protection Act (815 ILCS 530) does not set a hard day count; it requires notification 'in the most expedient time possible and without unreasonable delay.' In practice, courts and the Illinois Attorney General's office have treated anything beyond HIPAA's 60-day floor as presumptively unreasonable. The Illinois AG must also be notified when the breach is large enough to trigger HIPAA's HHS notification.

How long must medical records be retained in Illinois?

Adult records: 10 years from the date of last treatment under 210 ILCS 85/6.17 and 735 ILCS 5/8-2001. Pediatric records: until the patient reaches age of majority plus 10 years. Mental health records: 12 years from last treatment under the Mental Health and Developmental Disabilities Confidentiality Act — the longest retention floor for any record type in the state.

Does the Illinois PMP have to be checked for every controlled-substance prescription?

Not every prescription — the Illinois PMP requires a check at the initial prescription for a controlled substance and then at least every 90 days for ongoing therapy. Exemptions exist for hospice, active cancer treatment, ≤3-day ER supplies, inpatient administration, and medication-assisted treatment. Delegation to PA/NP/RN/pharmacist designees is allowed.

When must suspected child abuse be reported?

Healthcare professionals must report immediately to the DCFS Hotline upon forming a reasonable suspicion. Illinois statute does not set a fixed hour count, but case law treats 'immediately' as same-shift. Failure to report is a Class A misdemeanor for a first offense and a Class 4 felony for subsequent offenses; good-faith reporters are immune from civil and criminal liability under 325 ILCS 5/9.

Stay audit-ready in Illinois

GuardWell tracks Illinois-specific breach deadlines, retention periods, Illinois PMP PDMP queries, and mandatory reporting obligations automatically.
