Iowa Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Iowa.
Iowa healthcare compliance is governed by Iowa Code §715C.2, the state's Personal Information Security Breach Protection Act, enforced jointly by the Iowa Attorney General's Consumer Protection Division and the Iowa Insurance Division. Iowa is one of the few states that imposes a dual-track AG-notification structure: practices must notify Iowa residents in the most expeditious manner possible and no later than 90 days from discovery, then notify the AG within 5 business days of issuing the consumer notice. The 5-business-day clock is the operational pinch point — practices that focus on the 90-day consumer deadline and forget the 5-business-day AG deadline routinely surface in enforcement matters. The Iowa Insurance Division shares jurisdiction when insurer or health-plan-administered records are involved, adding a second regulator to coordinate with. Penalties under the Iowa Consumer Fraud Act reach $40,000 per violation. Hospital records must be retained 10 years from last treatment under Iowa Admin. Code 481-51.6, with pediatric records held until age of majority plus 10.
Breach Notification Rules
| Item | Iowa rule |
|---|---|
| Notification deadline | Most expedient time possible: notification must be made in the most expeditious manner possible and without unreasonable delay, no later than 90 days. AG must be notified within 5 business days of notifying consumers. |
| AG notification threshold | 500+ affected individuals (notify: AG) |
| Harm analysis | Required |
| Penalty range | Up to $40,000 per violation under Consumer Fraud Act |
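The two-clock structure above is easy to mis-calendar, so here is a small deadline calculator as an added example (constructed for this page, not GuardWell's or the Iowa AG's tooling). It assumes a Monday-to-Friday business-day calendar and takes holidays as an input, because the page does not say which holidays the AG's office observes.

```python
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Figures as stated on the page for Iowa Code 715C.2; this calculator is a
# constructed example, not GuardWell's or the Iowa AG's own tooling.
CONSUMER_NOTICE_MAX_DAYS = 90   # calendar days from discovery
AG_NOTICE_BUSINESS_DAYS = 5     # business days after the consumer notice issues
AG_NOTICE_THRESHOLD = 500       # Iowa residents affected


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Walk n business days forward from start, skipping weekends and holidays.

    Assumption: Monday-Friday calendar; the page does not list which holidays
    the AG's office observes, so the caller supplies them.
    """
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def iowa_breach_deadlines(discovered: date,
                          affected_iowa_residents: int,
                          consumer_notice_sent: Optional[date] = None,
                          holidays: FrozenSet[date] = frozenset()) -> dict:
    """Return both Iowa clocks and whether the consumer clock has been met."""
    consumer_deadline = discovered + timedelta(days=CONSUMER_NOTICE_MAX_DAYS)
    result = {
        "consumer_notice_deadline": consumer_deadline,
        "consumer_notice_late": (consumer_notice_sent is not None
                                 and consumer_notice_sent > consumer_deadline),
        "ag_notice_required": affected_iowa_residents >= AG_NOTICE_THRESHOLD,
        "ag_notice_deadline": None,
    }
    # The AG clock starts only when the consumer notice actually issues,
    # so it cannot be fixed on the calendar before that date is known.
    if result["ag_notice_required"] and consumer_notice_sent is not None:
        result["ag_notice_deadline"] = add_business_days(
            consumer_notice_sent, AG_NOTICE_BUSINESS_DAYS, holidays)
    return result


if __name__ == "__main__":
    # Constructed scenario: discovered Wed 10 Jan 2024, notice issued Fri 26 Jan 2024.
    print(iowa_breach_deadlines(date(2024, 1, 10), 1200, date(2024, 1, 26)))
```

Run it on day one with the discovery date and a projected consumer-notice date, then re-run when the notice actually issues, since that is the day the AG clock starts.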
Enforcement Posture
The Iowa Attorney General's posture is moderate-to-active, with consistent enforcement of the 5-business-day AG-notify deadline. The Consumer Protection Division coordinates with the Iowa Insurance Division when a covered insurer is implicated, producing a two-regulator review that is more complex than the single-AG model used in neighboring South Dakota or Nebraska. Penalties under the Iowa Consumer Fraud Act can reach $40,000 per violation, and the AG has historically declined to settle for nominal penalties when notice timelines are missed. Des Moines, Cedar Rapids, and the Quad Cities generate most enforcement activity, with the University of Iowa Health system in Iowa City representing the largest single-system breach exposure. The AG's office publishes annual enforcement summaries, providing useful visibility into emphasis areas.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
| Pediatric | 10 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (Iowa PMP)
The Iowa PMP requires queries before every controlled-substance prescription. Delegation is permitted to licensed staff. Exemptions cover hospice, cancer treatment, ER three-day supplies, and inpatient or long-term-care administration. Civil penalties reach $5,000 per violation in addition to Iowa Board of Medicine discipline. Register at iowa.pmpaware.net and capture the query in the chart. The Iowa Board has emphasized chart-level documentation of query results, not just registration evidence, in recent disciplinary actions.
| Item | Iowa PMP rule |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation | Allowed |
| Penalty range | Licensing board discipline; civil penalties up to $5,000 per violation |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient or long-term care administration |
How Iowa Rules Hit by Specialty
Telehealth providers
Iowa requires telehealth providers serving Iowa patients to hold an Iowa Board of Medicine license or qualify under interstate compact rules. Breach response involving cross-border telehealth services must distinguish the licensing state from the patient-residence state — Iowa Code §715C.2 follows the patient's residence.
Rural primary care
Iowa's rural primary-care practices are heavily concentrated in critical-access hospitals across the state's 99 counties. The 5-business-day AG notice clock makes after-hours and weekend incident detection particularly risky for small practices without dedicated compliance staff.
Hospital systems
UnityPoint, MercyOne, and University of Iowa Health Care dominate the Iowa market with networks extending into Illinois, Wisconsin, and Missouri. Cross-border incidents must satisfy Iowa's 90-day-plus-5-business-day structure alongside neighboring state regimes.
Pediatrics
Iowa uniquely codifies pediatric retention at age-of-majority-plus-10-years (Iowa Admin. Code 481-51.6) — longer than the 7-year-past-majority used in many neighboring states. Pediatric breach response must account for older minor-patient records still within the retention window.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Healthcare professionals including physicians, nurses, dentists, psychologists, social workers, and EMTs | Department of Human Services or local law enforcement | Within 24 hours | Simple misdemeanor for first offense; serious misdemeanor for subsequent offenses | Good faith reporters immune from civil and criminal liability under Iowa Code 232.73 |
| Physicians, nurses, social workers, and all healthcare professionals | Department of Human Services, Adult Protective Services | Within 24 hours | Simple misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries reasonably believed to be from domestic abuse | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Iowa Department of Public Health | Within 24 hours | Simple misdemeanor | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or injuries from criminal violence | Local law enforcement | Immediately / as soon as possible | Simple misdemeanor | Good faith reporters immune from civil and criminal liability |
Iowa Compliance FAQs
Iowa Code §715C.2 requires consumer notice in the most expeditious manner possible and no later than 90 days from discovery. Separately, the AG must be notified within 5 business days of issuing the consumer notice. The 5-business-day window is the operational pinch point — calendar both deadlines on day one.
The Iowa AG must be notified within 5 business days of notifying Iowa consumers when the breach affects 500 or more Iowa residents. AG notice goes to the Consumer Protection Division. The Iowa Insurance Division also receives parallel notice when the breach involves insurer-administered records, doubling the regulatory touchpoints.
Iowa Code §715C.2 violations are enforced under the Iowa Consumer Fraud Act, with penalties up to $40,000 per violation. Recurring or willful violations can compound, and the AG has discretion to pursue restitution and injunctive relief in parallel. Document the investigation timeline contemporaneously to defend the chosen notice date.
Iowa Admin. Code 481-51.6 requires pediatric records to be retained until age of majority (18) plus 10 years — total retention can run beyond 28 years for records created in early childhood. The pediatric extension is longer than the 7-year-past-majority norm used in several neighboring states, and it shapes breach-response scope when older records are implicated.
Iowa generally requires providers furnishing care to Iowa-resident patients to hold an Iowa Board of Medicine license, with limited interstate compact pathways for IMLC-eligible specialties. Breach response involving cross-border telehealth must establish the licensing posture in addition to applying Iowa Code §715C.2 based on the patient's Iowa residence.