Maine Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Maine.
Maine medical practices operate under 10 M.R.S.A. §1346 et seq., which requires breach notification "as expediently as possible but no later than 30 days after determination of breach." The Maine Attorney General and state regulators must both be notified, and the Unfair Trade Practices Act supplies enforcement authority at up to $500 per violation. Medical records carry a 7-year retention floor under 10-144 CMR Ch. 112, with pediatric records running until age 24 or 7 years from service, whichever is later. The Maine PMP requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 3-day supplies, and inpatient administration. Maine takes an unusual approach to domestic-violence reporting — healthcare providers are not mandated to report adult domestic-violence cases (referrals are encouraged but voluntary), while child-abuse reports route through the Department of Health and Human Services Office of Child and Family Services under 22 MRSA §4011-A. Gunshot wounds must be reported to local law enforcement under 25 MRSA §3851.
Breach Notification Rules
Notification deadline: 30 calendar days
Notification must be made as expediently as possible but no later than 30 days after determination of breach. State regulator must be notified.
AG notification threshold: All breaches
Notify: AG + State Regulators
Harm analysis required
Penalty range: Up to $500 per violation under Unfair Trade Practices Act
Enforcement Posture
Maine's enforcement posture is moderate. The Attorney General's office has authority under 10 M.R.S.A. §1346 et seq. and the Unfair Trade Practices Act, but the per-violation penalty cap of $500 limits the financial exposure for a single notification failure. The 30-day notification deadline is a clear procedural bright line, and the dual-notification duty (AG plus state regulators) creates two simultaneous pressure points. Maine's licensing boards under the Department of Professional and Financial Regulation provide a parallel enforcement track for healthcare practitioners. Practices that meet the 30-day clock, document a four-factor harm analysis, and notify both the AG and the applicable regulator are well-positioned; practices that miss the 30-day window or skip one of the two required notification recipients face a straightforward procedural enforcement case.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 6 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (PMP AWARxE)
The Maine Prescription Monitoring Program must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 3 days or less, and inpatient administration. Delegation to authorized staff is permitted. Civil penalties run up to $1,000 per violation, and the relevant licensing board can impose discipline for pattern noncompliance.
Check required: Every prescription
Check frequency: Every prescription
Delegation allowed
Penalty range: Licensing board discipline; civil penalties up to $1,000 per violation
Exemptions: Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient administration
How Maine Rules Hit by Specialty
Pain management
Maine PMP queries are required before every controlled-substance prescription. Maine also has nation-leading opioid morphine-milligram-equivalent (MME) caps for chronic pain under 32 MRSA §2210 — pain practices need PDMP documentation, MME documentation, and exception documentation captured at every prescription event.
Pediatrics
Pediatric retention runs to age 24 (the patient's 18th birthday plus 6 years) or 7 years from service, whichever is later — a hybrid rule that practices need to track per-patient. Practices using cloud EHRs should verify the export window covers the full age-24 horizon.
Behavioral health
Maine mental-health confidentiality rules under 34-B MRSA §1207 require separate authorization for most psychiatric record disclosures and impose stricter rules than HIPAA on disclosure to law enforcement and family members.
Mandatory Reporting Obligations
Mandated reporters: Physicians, nurses, dentists, psychologists, social workers, and all licensed healthcare professionals
Report to: Department of Health and Human Services, Office of Child and Family Services
Timeline: Immediately / as soon as possible
Penalty for failure: Class E crime (misdemeanor), up to 6 months jail and/or $1,000 fine
Immunity provision: Good faith reporters immune from civil and criminal liability under 22 MRSA §4014

Mandated reporters: Physicians, nurses, and all healthcare professionals
Report to: Adult Protective Services, Department of Health and Human Services
Timeline: Immediately / as soon as possible
Penalty for failure: Class E crime
Immunity provision: Good faith reporters immune from civil and criminal liability

Mandated reporters: Healthcare providers are not mandated to report domestic violence in adults; encouraged to provide referrals
Report to: Local law enforcement (voluntary reporting permitted)
Timeline: Immediately / as soon as possible
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: Physicians, laboratories, and healthcare facility administrators
Report to: Maine Center for Disease Control and Prevention
Timeline: Within 24 hours
Penalty for failure: Class E crime
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: All healthcare providers treating gunshot wounds
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Class E crime
Immunity provision: Good faith reporters immune from civil and criminal liability
Maine Compliance FAQs
30 days from determination of the breach under 10 M.R.S.A. §1346 et seq. Both the Maine Attorney General and applicable state regulators must be notified. The standard is 'as expediently as possible' within that 30-day cap.
10-144 CMR Ch. 112 sets 7 years from last service for adult records. Pediatric records run until age 24 (age of majority + 6 years) or 7 years from service, whichever is later.
Every prescriber must query the Maine PMP before every controlled-substance prescription. Exemptions cover hospice, cancer treatment, ER ≤3-day supplies, and inpatient administration.
No — Maine does not specifically mandate healthcare providers to report adult domestic violence. Referrals and patient counseling are encouraged but voluntary. Child abuse, elder abuse, communicable disease, and gunshot wounds are mandatory reportable events.
Affected individuals, the Maine Attorney General, and applicable state regulators (e.g., the Bureau of Insurance for insurance entities; the Department of Professional and Financial Regulation for licensed practices). HHS OCR under HIPAA is a separate federal notification.
