
Michigan Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Michigan.

Expedient notification | 7-year retention | MAPS

Michigan's healthcare-compliance posture is shaped by MCL §445.72 — the state's Identity Theft Protection Act breach-notification provision — combined with the Public Health Code retention requirements at MCL §333.16213. The Identity Theft Protection Act requires notification "without unreasonable delay" and obligates the Michigan Attorney General to be notified when a breach affects 750 or more Michigan residents — a comparatively low threshold that catches most multi-site practice incidents. Penalties under the Act reach $250 per failure-to-disclose violation, capped at $750,000 per breach, which the Michigan AG's office has historically pursued through the Corporate Oversight Division. The Michigan Department of Licensing and Regulatory Affairs (LARA) handles licensing-board discipline through the Bureau of Professional Licensing, including Board of Medicine, Board of Pharmacy, and Board of Nursing actions related to MAPS (Michigan Automated Prescription System) noncompliance. Detroit-area and Grand Rapids–area health systems also engage routinely with the Michigan Department of Health and Human Services (MDHHS) on Children's Protective Services and Adult Protective Services mandatory reporting. The 750-resident AG threshold, the $750,000 breach cap, and a 7-year general retention rule together define a moderate but well-defined regulatory perimeter.

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made without unreasonable delay. AG must be notified if breach affects 750+ Michigan residents.

AG notification threshold

750+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $250 per failure to disclose, max $750,000 per breach

Comparable to federal HIPAA

Enforcement Posture

The Michigan Attorney General's office is moderately active on healthcare-privacy enforcement and pursues breach notifications through both the Corporate Oversight Division and the Health Care Fraud Division when Medicaid or Medicare touches the matter. Michigan does not have a BIPA-style private right of action, so plaintiffs'-bar pressure is lower than in Illinois, but the 750-resident AG-notification threshold and the $750,000 per-breach penalty cap mean that any multi-site or system-level incident draws AG scrutiny. Licensing-board discipline through LARA is the more common enforcement vector for individual practitioners — MAPS query patterns, scope-of-practice issues, and Public Health Code retention failures are routinely raised in board cases. Document your harm analysis, your MAPS query log, and your 7-year retention schedule.

Medical Records Retention

Record type | Retention period | Measured from
General medical | 7 years | Last treatment
Pediatric | 7 years | Patient turns 18

Controlled-Substance Prescription Monitoring (MAPS)

MAPS — the Michigan Automated Prescription System — requires a query before issuing any controlled-substance prescription. The system is delegable to licensed designees and integrates into most Michigan EHR platforms via the state's PMP gateway. Registration is mandatory for all DEA registrants prescribing in Michigan; the registration portal is at michigan.pmpaware.net. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, inpatient and nursing-facility administration, and medication-assisted treatment. Penalties run from licensing-board discipline through administrative fines up to $5,000 and possible misdemeanor charges for pattern noncompliance.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; administrative fines up to $5,000; possible misdemeanor charges

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or nursing facility, medication-assisted treatment

How Michigan Rules Hit by Specialty

Hospital systems

The 750-resident AG-notification threshold catches almost every multi-hospital incident in Michigan; build your incident-response runbook to default to AG notification rather than treat it as a contingent step.

Pharmacy/compounding

MAPS delegation is permitted and Michigan Board of Pharmacy reviews dispensing patterns flagged in MAPS data; coordinate prescriber and pharmacy query logs against PMP reports.

Pediatrics

Pediatric records: age of majority plus 7 years under MCL §333.16213. Mandatory child-abuse reporting flows to MDHHS Children's Protective Services; failure to report is a misdemeanor with up to 93 days jail and civil liability for damages.

Mandatory Reporting Obligations

Mandated reporters

Physicians, dentists, nurses, psychologists, social workers, EMTs, and all licensed healthcare professionals

Report to

Department of Health and Human Services, Children's Protective Services

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to 93 days jail and/or $500 fine; civil liability for damages

Immunity provision

Good faith reporters immune from civil and criminal liability under MCL 722.625

Mandated reporters

Physicians, nurses, social workers, and all healthcare professionals

Report to

Adult Protective Services, Department of Health and Human Services

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers when treating injuries from suspected domestic violence

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Michigan Department of Health and Human Services, local health department

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $200 fine

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All physicians and healthcare providers treating gunshot wounds or stab wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor, up to 93 days jail

Immunity provision

Good faith reporters immune from civil and criminal liability

Michigan Compliance FAQs

Under MCL §445.72, the Michigan Attorney General must be notified when a breach affects 750 or more Michigan residents. Patient notification is required without unreasonable delay regardless of resident count. Penalties run $250 per failure-to-disclose violation, capped at $750,000 per breach.

7 years from the date of last service under MCL §333.16213 of the Michigan Public Health Code. Pediatric records: until age of majority plus 7 years. The 7-year clock starts at the last service date, not the last billed encounter, so document your retention triggers carefully for patients who have been inactive for years.

Yes. The Michigan Automated Prescription System (MAPS) requires a query before issuing any controlled-substance prescription. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, inpatient or nursing-facility administration, and medication-assisted treatment. Delegation to licensed designees is permitted; the prescriber retains documentation responsibility in the chart.

No. Michigan does not have a BIPA-equivalent statute with a private right of action. Healthcare practices in Michigan deploying fingerprint or face-recognition timeclocks operate under general consumer-protection and HIPAA frameworks — Michigan exposure is materially lower than Illinois, but documenting consent and retention practices is still recommended.

Physicians, dentists, nurses, psychologists, social workers, EMTs, and all licensed healthcare professionals are mandatory reporters under MCL §722.623. Reports go to MDHHS Children's Protective Services. Failure to report is a misdemeanor with up to 93 days jail and/or a $500 fine, plus civil liability for damages; good-faith reporters are immune from civil and criminal liability under MCL §722.625.

Stay audit-ready in Michigan

GuardWell tracks Michigan-specific breach deadlines, retention periods, MAPS PDMP queries, and mandatory reporting obligations automatically.
