Louisiana Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Louisiana.
Louisiana medical practices operate under La. R.S. §51:3074, the Louisiana Database Security Breach Notification Law, which imposes a 60-day notification deadline and requires Attorney General notification when more than 1,000 Louisiana residents are affected. That 1,000-resident AG-notification threshold is roughly average among Gulf-coast states, but Louisiana stands apart on the retention side: La. Admin. Code tit. 48 §9321 imposes a 10-year retention floor for hospital records measured from discharge, with pediatric records held until age of majority plus 10 years (effectively age 28). The Louisiana Department of Health and the Louisiana State Board of Medical Examiners run parallel licensure lanes, and practices in New Orleans, Baton Rouge, Shreveport, and Lafayette should also account for Louisiana's PMP AWARxE check-every-prescription mandate. Civil penalties under La. R.S. §51:3074 cap at $5,000 per violation, but practices facing a multi-thousand-record breach can stack violations quickly. The Louisiana Office of the Attorney General has historically pursued breach notification cases as part of broader consumer-protection portfolios rather than as standalone healthcare enforcement, which means the Department of Health licensure lane is usually where providers feel the friction first.
Breach Notification Rules
Notification deadline
60 calendar days
Notification must be made within 60 days of discovery. AG must be notified if more than 1,000 Louisiana residents affected.
AG notification threshold
1000+ affected individuals
Notify: AG
Harm analysis required
Penalty range
Up to $5,000 per violation
Enforcement Posture
Louisiana's enforcement posture sits in the middle of the regional pack — more active than Mississippi or Alabama, less so than Florida or Virginia. The Attorney General's office has consumer-protection authority over breach notification and the Louisiana Department of Health holds licensure-discipline authority. Practices should expect that the 60-day deadline will be enforced strictly: missing it has been treated by the AG as a per-day continuing violation under analogous deceptive-trade-practices analyses in other states, and Louisiana courts give wide deference to AG enforcement discretion. The bigger compliance risk for most outpatient practices is not the AG — it is the Louisiana State Board of Medical Examiners pursuing parallel licensure discipline against the named privacy officer or designated security officer, particularly if PHI loss is paired with a PMP or controlled-substance issue.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
| Pediatric | 10 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (PMP AWARxE)
The Louisiana PMP AWARxE is administered by the Louisiana Board of Pharmacy and accessed at louisiana.pmpaware.net. Prescribers must check the database before issuing every Schedule II–V controlled-substance prescription, with delegation to office staff permitted. Penalties for willful noncompliance can reach $5,000 in civil fines plus licensing-board discipline; a pattern of noncompliance can attract criminal prosecution. Exemptions cover hospice, active cancer treatment, ≤5-day ER supplies, inpatient administration, and medication-assisted treatment for opioid use disorder.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil fines up to $5,000; possible criminal prosecution for pattern of noncompliance
Exemptions
Hospice patients, cancer treatment, ≤5 day supply in ER, inpatient hospital administration, medication-assisted treatment for opioid use disorder
How Louisiana Rules Hit by Specialty
Pharmacy/compounding
Louisiana PMP AWARxE check-every-Rx requirement applies to all Schedule II–V prescriptions with exemptions for hospice, cancer treatment, short-supply ER, and medication-assisted treatment for opioid use disorder. Compounding pharmacies should layer Louisiana Board of Pharmacy compounding rules over USP <795>/<797> and document PMP queries against the patient's name on file.
Hospital systems
Hospital records carry a 10-year retention floor measured from discharge under La. Admin. Code tit. 48 §9321 — longer than the HIPAA 6-year minimum. Pediatric hospital records effectively need to be retained until age 28 (age of majority plus 10 years). Outpatient physician practices that do not operate inside a hospital can rely on the HIPAA 6-year floor for their own records.
Behavioral health
Louisiana behavioral-health providers face 42 CFR Part 2 segregation requirements on top of HIPAA, with the Louisiana Department of Health's Office of Behavioral Health imposing additional licensing-driven recordkeeping. Substance-use disorder treatment records require explicit patient consent for disclosure even to other treating providers in most cases.
Mandatory Reporting Obligations
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals
Report to
Department of Children and Family Services (DCFS) or local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Up to $500 fine and/or 6 months jail; up to $3,000 fine and 2 years jail if knowingly and willfully
Immunity provision
Good faith reporters immune from civil and criminal liability under La. Ch.C. Art. 603
Mandated reporters
All healthcare professionals and any person who becomes aware of elder abuse
Report to
Governor's Office of Elderly Affairs, Adult Protective Services
Timeline
Immediately / as soon as possible
Penalty for failure
Up to $500 fine and/or 6 months jail
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected criminal violence or domestic abuse
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
Louisiana Department of Health, Office of Public Health
Timeline
Within 24 hours
Penalty for failure
Up to $500 fine per violation
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds
Report to
Local law enforcement or sheriff
Timeline
Immediately / as soon as possible
Penalty for failure
Up to $500 fine and/or 6 months jail
Immunity provision
Good faith reporters immune from civil and criminal liability
Louisiana Compliance FAQs
Yes. La. R.S. §51:3074 sets a 60-day outer notification limit measured from discovery of the breach, with the Attorney General notified when more than 1,000 Louisiana residents are affected. The clock does not pause for forensic investigation — practices should treat day 1 as the day the breach is reasonably suspected, not the day the investigation concludes.
La. Admin. Code tit. 48 §9321 sets a 10-year retention floor for hospital records measured from discharge. Pediatric records should be retained until age 28 (age of majority plus 10 years). Outpatient physician practices that do not operate inside a hospital can rely on the federal HIPAA 6-year floor.
Louisiana practices must notify affected patients, the Louisiana Attorney General if more than 1,000 residents are affected, and the U.S. Department of Health and Human Services Office for Civil Rights through the HHS breach portal if more than 500 individuals are affected. Major-media notice is also required for HHS-portal-triggering events.
Yes. Every prescriber of controlled substances must register with PMP AWARxE through louisiana.pmpaware.net and check the database before issuing every Schedule II–V prescription. Hospice patients, active cancer treatment, and medication-assisted treatment for opioid use disorder are documented exemptions.
Hospital practices need documentation of 10-year retention measured from discharge, the Louisiana Board of Pharmacy PMP AWARxE query log, mandatory Department of Children and Family Services child-abuse reporting policies, and a 60-day breach notification template that names the Louisiana Attorney General with the >1,000-resident threshold trigger clearly described.
Stay audit-ready in Louisiana
GuardWell tracks Louisiana-specific breach deadlines, retention periods, PMP AWARxE PDMP queries, and mandatory reporting obligations automatically.