Maryland Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Maryland.
Maryland medical practices operate under the Maryland Personal Information Protection Act, codified at Md. Comm. Law §14-3504, which requires breach notification as soon as reasonably practicable but no later than 45 days after the investigation concludes. The Maryland Attorney General must be notified before any affected individuals are notified — a sequencing requirement that distinguishes Maryland from most other states. The AGO's Health Education and Advocacy Unit oversees healthcare-related consumer protection, and PIPA penalties run up to $1,000 per affected individual with a $100,000 cap per event. Maryland is one of the states where the breach rule is explicitly stricter than HIPAA. Medical records carry a 5-year retention floor under COMAR 10.07.01, with the HIPAA 6-year floor as the operative minimum for most practices. The Maryland PDMP requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 3-day supplies, post-surgical 14-day supplies, and inpatient/long-term care administration. Child-abuse reporting under Md. Family Law §5-708 routes through the Department of Social Services with serious penalties for failure.
Breach Notification Rules
| Requirement | Detail |
|---|---|
| Notification deadline | 45 calendar days. Notification must be made as soon as reasonably practicable but no later than 45 days after the investigation is concluded. The AG must be notified before notifying individuals. |
| AG notification threshold | All breaches (notify: AG) |
| Harm analysis | Required |
| Penalty range | Up to $1,000 per affected individual, max $100,000 per event |
Enforcement Posture
The Maryland Attorney General maintains an active healthcare enforcement posture. The AGO's Health Education and Advocacy Unit is unusual nationally — it sits inside the Attorney General's office and handles healthcare-specific consumer-protection matters including PIPA enforcement. The AG-before-residents notification sequencing is a clear procedural bright line, and the AGO has historically pursued matters where practices notified residents first and the AG later. The per-affected-individual penalty structure (up to $1,000 per individual, $100,000 cap) creates meaningful exposure even for mid-sized breaches. Department of Health licensure surveys add a parallel enforcement track on the 5-year retention rule under COMAR 10.07.01. Practices that document an investigation timeline, sequence notification correctly (AG first), and demonstrate written safeguards are well-positioned against PIPA enforcement.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 5 years | Last treatment |
Controlled-Substance Prescription Monitoring (Maryland PDMP)
The Maryland PDMP must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 3 days or less, post-surgical prescriptions of 14 days or less, and inpatient hospital or long-term care administration. Delegation to authorized staff is permitted. The licensing board can impose discipline including license suspension, and civil penalties and possible misdemeanor charges apply for willful noncompliance.
| Requirement | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation | Allowed |
| Penalty range | Licensing board discipline; civil penalties; misdemeanor for willful noncompliance |
| Exemptions | Hospice patients, cancer treatment, ≤14-day supply post-surgical, inpatient hospital or long-term care facility, ≤3-day supply in ER |
How Maryland Rules Apply by Specialty
Pain management
Maryland PDMP queries are required before every controlled-substance prescription, with exemptions for short ER and post-surgical supplies. Maryland also imposes opioid-prescribing limits under HB 1432 — pain practices need PDMP documentation, duration limits, and CME completion records for ongoing controlled-substance prescribing privileges.
Behavioral health
Maryland's Health-General Article §4-301 et seq. layers psychiatric record confidentiality requirements onto HIPAA, requiring separate authorization for most disclosures of mental-health records and imposing stricter rules on disclosure to law enforcement.
Telehealth providers
Maryland's telehealth licensure framework under COMAR 10.32.05 requires out-of-state telehealth providers serving Maryland residents to comply with PIPA — including the AG-first notification sequencing — regardless of where the practice is physically located.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Healthcare practitioners including physicians, nurses, dentists, psychologists, social workers, and emergency medical providers | Department of Social Services, local child protective services, or local law enforcement | Immediately / as soon as possible | Misdemeanor, up to $10,000 fine and/or 5 years jail | Good-faith reporters immune from civil and criminal liability under Md. Family Law §5-708 |
| Healthcare practitioners, police officers, and human services workers | Adult Protective Services, Department of Human Services | Immediately / as soon as possible | Misdemeanor, up to $5,000 fine | Good-faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from suspected criminal acts or domestic violence | Local law enforcement | Immediately / as soon as possible | Not listed | Good-faith reporters immune from civil liability |
| Physicians, laboratories, healthcare facilities, and infection control practitioners | Maryland Department of Health, local health department | Within 24 hours | Misdemeanor, up to $500 fine per violation | Good-faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or stab wounds | Local law enforcement or Maryland State Police | Immediately / as soon as possible | Misdemeanor, up to $500 fine | Good-faith reporters immune from civil and criminal liability |
Maryland Compliance FAQs
Md. Comm. Law §14-3504 requires notification as soon as reasonably practicable but no later than 45 days after the investigation concludes. The Maryland Attorney General must be notified before any affected residents are notified — a sequencing requirement enforced separately from the 45-day cap.
COMAR 10.07.01 sets 5 years from last treatment as the state floor. The HIPAA 6-year minimum applies in parallel and is the operative floor for most practices.
Every prescriber must query the Maryland PDMP before every controlled-substance prescription, with exemptions for hospice, cancer, ER ≤3-day supplies, post-surgical ≤14-day supplies, and inpatient/long-term care administration.
Under Md. Family Law §5-704, all healthcare practitioners — physicians, nurses, dentists, psychologists, social workers, EMTs — must report suspected child abuse to the Department of Social Services or local law enforcement. Failure is a misdemeanor with up to $10,000 in fines and/or 5 years jail.
Up to $1,000 per affected individual with a $100,000 cap per breach event. The AGO's Health Education and Advocacy Unit handles healthcare-related PIPA matters.
Stay audit-ready in Maryland
GuardWell tracks Maryland-specific breach deadlines, retention periods, Maryland PDMP queries, and mandatory reporting obligations automatically.
