Indiana Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Indiana.
Indiana's healthcare-privacy framework is anchored in Ind. Code §24-4.9 — the state's disclosure statute — and administered through the Office of the Indiana Attorney General, with healthcare-specific oversight coordinated through the Indiana Department of Health (IDOH) and the Medicaid Fraud Control Unit's coordination with the federal Office of Inspector General. The breach statute requires notification "without unreasonable delay" and obligates the AG to be notified of any breach reaching that disclosure threshold. Penalties under §24-4.9-3-3.5 reach $150,000 per deceptive act — a per-act exposure that has shaped how Indiana hospitals and physician groups frame their breach-response playbooks. The Indiana Professional Licensing Agency (IPLA) coordinates board discipline across the Medical Licensing Board, the Board of Pharmacy, and the State Board of Nursing for compliance failures touching INSPECT (Indiana's PDMP) or scope-of-practice issues. Indianapolis-area health systems also work routinely with IDOH's Long-Term Care Division on mandatory abuse reporting through Adult Protective Services. Indiana's framework is closer to HIPAA-baseline than Illinois's, but the AG notification obligation and the $150,000-per-act penalty exposure make it more rigorous than the reactive-only postures of some neighbors.
Breach Notification Rules
| Item | Requirement |
|---|---|
| Notification deadline | Most expedient time possible. Notification must be made without unreasonable delay. AG must be notified. |
| AG notification threshold | All breaches. Notify: AG |
| Harm analysis required | |
| Penalty range | Up to $150,000 per deceptive act |
Enforcement Posture
The Indiana Attorney General's Data Privacy & Identity Theft Unit is reactive but credible: it opens investigations on breach notifications, particularly when filings are incomplete or arrive late, and it has used the $150,000-per-deceptive-act ceiling to drive settlements. Most enforcement against healthcare practices is licensing-board-driven rather than AG-driven — the Indiana Professional Licensing Agency's Medical Licensing Board and Board of Pharmacy handle INSPECT-related compliance failures directly. Practices should not expect the proactive plaintiffs'-bar pressure seen in BIPA-style states, but should treat the AG notification obligation as substantive: incomplete §24-4.9 notifications are a recurring trigger for follow-up inquiry. Document your harm-analysis worksheet for every covered incident.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (INSPECT)
INSPECT — Indiana's Scheduled Prescription Electronic Collection and Tracking program — requires a query before every controlled-substance prescription, making Indiana one of the more rigorous states on PDMP cadence. Delegation to licensed designees is permitted. Registration at inspect.in.gov is mandatory for all DEA registrants prescribing Schedule II–V controlled substances in Indiana. Exemptions cover hospice, inpatient administration, ≤3-day ER supplies, and licensed-facility cancer treatment. Willful noncompliance is a Class A infraction; the Medical Licensing Board can suspend or revoke prescribing authority independently.
| Item | Requirement |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | |
| Penalty range | Licensing board discipline; civil penalties; Class A infraction for willful noncompliance |
| Exemptions | Hospice patients, inpatient hospital administration, ≤3 day supply in ER, cancer treatment in licensed facility |
How Indiana Rules Hit by Specialty
Pharmacy/compounding
INSPECT delegation is permitted but the prescriber-of-record retains discipline exposure; the Indiana Board of Pharmacy actively investigates dispensing patterns flagged in INSPECT and uses pattern data for licensing review.
Pediatrics
Pediatric records must be retained until age of majority plus 7 years. Mandatory child-abuse reporting in Indiana applies to 'any person' — not just professionals — but the Class B misdemeanor penalty for failure to report escalates to a Class A misdemeanor when the reporter has knowledge of sexual abuse.
Telehealth providers
Cross-border telehealth practices serving Indiana residents must register with INSPECT if prescribing controlled substances and must abide by Indiana's check-every-prescription requirement — Indiana is among the strictest states on PDMP cadence.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Any person including healthcare professionals who has reason to believe a child is a victim of abuse or neglect | Department of Child Services (DCS) or local law enforcement | Immediately / as soon as possible | Class B misdemeanor; Class A misdemeanor if person has knowledge of sexual abuse | Good faith reporters immune from civil and criminal liability under IC 31-33-6-1 |
| Any person including healthcare professionals who believes an endangered adult is a victim of abuse | Adult Protective Services, Division of Aging | Immediately / as soon as possible | Class B misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from suspected domestic violence | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Indiana State Department of Health or local health department | Within 24 hours | Class B misdemeanor | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or wounds from criminal violence | Local law enforcement | Immediately / as soon as possible | Class B misdemeanor | Good faith reporters immune from civil and criminal liability |
Indiana Compliance FAQs
Yes. Under Ind. Code §24-4.9, breaches affecting Indiana residents must be reported to the Office of the Indiana Attorney General without unreasonable delay. There is no resident-count threshold — the AG-notification obligation applies whenever the disclosure statute is triggered. Penalties for noncompliance reach $150,000 per deceptive act.
Yes. Indiana requires a query for every prescription of a Schedule II–V controlled substance. Exemptions apply for hospice, inpatient administration, ≤3-day ER supplies, and active cancer treatment in a licensed facility. Delegation to PA/NP/RN/pharmacist designees is permitted. Willful noncompliance is a Class A infraction with potential Medical Licensing Board discipline.
Hospitals must retain records for 7 years from the last date of treatment under IC 16-39-7. Independent physician practices follow HIPAA's 6-year minimum, but most carriers and the Indiana Medical Licensing Board recommend matching the 7-year hospital floor. Pediatric records: until age of majority plus 7 years.
Indiana's mandatory reporting statute (IC 31-33) applies to 'any person' with reason to believe a child is a victim of abuse or neglect — healthcare professionals included, but the obligation is universal. Reports go to the Department of Child Services or local law enforcement. Failure to report is a Class B misdemeanor; Class A if the reporter has knowledge of sexual abuse.
Yes. HIPAA breach notifications go to HHS/OCR on the federal timeline; patient notifications and Indiana AG notification flow under §24-4.9. The AG filing is in addition to HHS notification, and incomplete filings have been a recurring driver of follow-up inquiry from the AG's Data Privacy Unit.
