Mississippi Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Mississippi.
Mississippi healthcare practices operate under Miss. Code §75-24-29, the Mississippi data breach notification statute, with a notably low 250-resident threshold for Attorney General notification — half of California's CMIA floor and a quarter of Louisiana's. The Mississippi Attorney General's Consumer Protection Division has authority under the Mississippi Consumer Protection Act to pursue breach-notification violations with civil penalties up to $10,000 per violation. Mississippi has traditionally taken a reactive enforcement posture, with the AG's office focusing on complaints reaching consumer-volume thresholds rather than proactive auditing. Medical record retention sits at 7 years from last treatment under Miss. Code Ann. §41-9-69, matching the HIPAA-plus-margin baseline that most Southeast states adopt. Practices in Jackson, Gulfport, Hattiesburg, and Tupelo should also account for the Mississippi PMP AWARxE check-every-Rx rule operated by the Mississippi State Board of Pharmacy, the Mississippi State Department of Health's 24-hour communicable disease reporting deadline, and universal mandated reporting of child abuse and elder abuse — Mississippi extends the duty to every person, not just licensed clinicians. That universal duty matters: a non-licensed front-desk staffer who suspects abuse and fails to report can face the same misdemeanor exposure as a physician.
Breach Notification Rules
| Item | Detail |
|---|---|
| Notification deadline | Most expedient time possible. Notification must be made without unreasonable delay. AG must be notified if 250+ Mississippi residents affected. |
| AG notification threshold | 250+ affected individuals. Notify: AG + Consumer Protection Division |
| Harm analysis required | |
| Penalty range | Up to $10,000 per violation under Consumer Protection Act |
Enforcement Posture
Mississippi has historically been one of the more reactive AG offices in the Southeast — enforcement is driven by complaint volume and breach-portal reports rather than proactive audit programs. That does not mean breaches go unnoticed: the 250-resident AG-notification threshold is intentionally low, and the Consumer Protection Division has investigative subpoena power. The Mississippi State Department of Health and the Mississippi State Board of Medical Licensure run parallel licensure-discipline lanes that providers will usually encounter first if a PHI loss is paired with a PMP or controlled-substance issue. Practices should not interpret "reactive" as "slow" — once a breach is reported through the HHS portal and crosses the 250-resident state threshold, the AG's office can move quickly on document requests. Civil penalty exposure under the Mississippi Consumer Protection Act can stack at up to $10,000 per violation.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
Controlled-Substance Prescription Monitoring (PMP AWARxE)
The Mississippi PMP AWARxE is administered by the Mississippi State Board of Pharmacy and accessed at mississippi.pmpaware.net. Prescribers must check the database before every Schedule II–V controlled-substance prescription, with delegation to office staff permitted. Exemptions cover hospice, active cancer treatment, ≤3-day ER supplies, and inpatient administration. Penalties include licensing-board discipline, civil penalties, and possible criminal charges for willful noncompliance. Retain PMP query timestamps with each prescription record.
| Item | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | |
| Penalty range | Licensing board discipline; civil penalties; possible criminal charges for willful noncompliance |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient administration |
How Mississippi Rules Hit by Specialty
Pharmacy/compounding
Mississippi PMP AWARxE checks are required before every Schedule II–V prescription, with delegation to office staff permitted. Compounding pharmacies should layer Mississippi State Board of Pharmacy compounding rules over USP <795>/<797> and retain PMP query evidence with the prescription record.
Behavioral health
Mississippi extends universal mandated reporting to all persons for both child abuse and elder abuse — including front-desk and administrative staff, not just licensed clinicians. Behavioral-health practices should train all staff on the Mississippi Department of Child Protection Services hotline and the Adult Protective Services intake process.
Pediatrics
Pediatric records inherit the 7-year retention floor under Miss. Code Ann. §41-9-69. Universal mandated reporting attaches to every staff member who suspects abuse, with misdemeanor exposure of up to $5,000 in fines and one year in jail for failure to report — the highest in the region.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| All persons including healthcare professionals (universal mandated reporting) | Department of Child Protection Services or local law enforcement | Immediately / as soon as possible | Misdemeanor, up to $5,000 fine and/or 1 year jail | Good faith reporters immune from civil and criminal liability under Miss. Code 43-21-353 |
| All persons including healthcare professionals | Adult Protective Services, Department of Human Services | Immediately / as soon as possible | Misdemeanor, up to $5,000 fine | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from suspected domestic violence | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Mississippi State Department of Health | Within 24 hours | Misdemeanor, up to $500 fine | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds | Local law enforcement | Immediately / as soon as possible | Misdemeanor, up to $1,000 fine | Good faith reporters immune from civil and criminal liability |
Mississippi Compliance FAQs
Mississippi requires Attorney General notification when 250 or more Mississippi residents are affected by a breach — one of the lowest thresholds in the Southeast under Miss. Code §75-24-29. The Consumer Protection Division of the Attorney General's office is the recipient.
Miss. Code Ann. §41-9-69 sets a 7-year retention floor measured from the date of discharge or last treatment. There is no separate longer rule for pediatric records under the Mississippi statute, but practices should still retain pediatric records until the patient is at least 21 to cover statute-of-limitations tail.
Mississippi imposes universal mandated reporting under Miss. Code §43-21-353 — every person, not just licensed clinicians, who has reasonable cause to suspect child abuse must report to the Mississippi Department of Child Protection Services or local law enforcement. Failure to report is a misdemeanor with up to $5,000 in fines and one year in jail.
The Mississippi Attorney General's Consumer Protection Division typically takes a reactive posture, responding to consumer complaints and HHS portal reports rather than running proactive audit programs. Once a breach crosses the 250-resident state threshold, the AG can issue document requests and pursue civil penalties up to $10,000 per violation.
Yes. All controlled-substance prescribers must register with PMP AWARxE through mississippi.pmpaware.net and check the database before each Schedule II–V prescription. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, and inpatient administration.
