Nebraska Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Nebraska.
Nebraska healthcare compliance is shaped by the Financial Data Protection and Consumer Notification of Data Security Breach Act, codified at Neb. Rev. Stat. §87-801 et seq. and enforced by the Nebraska Attorney General. The statute's name is telling: the original drafting focused on financial data, and its application to healthcare PHI is narrower than the omnibus health-records statutes used in Minnesota or California. There is no fixed day count — notice must be made "as soon as possible and without unreasonable delay" — and the AG must be notified for any breach affecting Nebraska residents, with no minimum-resident threshold. Penalties flow through the Nebraska Consumer Protection Act, giving the AG discretion to layer deceptive-practices claims atop breach-notice violations. Hospital records must be retained 10 years from discharge under 175 NAC 9-006.14C, and communicable-disease reports flow to the Nebraska Department of Health and Human Services within 24 hours. The Lincoln-based AG office leans on the Consumer Protection Division for case origination.
Breach Notification Rules
| Requirement | Value | Notes |
|---|---|---|
| Notification deadline | Most expedient time possible | Notification must be made as soon as possible and without unreasonable delay. AG must be notified. |
| AG notification threshold | All breaches | Notify: AG |
| Harm analysis required | | |
| Penalty range | Enforceable by AG under Consumer Protection Act | |
Enforcement Posture
The Nebraska Attorney General's posture on healthcare data breaches is moderate-to-reactive. The Consumer Protection Division has historically focused enforcement on financial-data breaches under Neb. Rev. Stat. §87-801's original scope, and healthcare matters tend to follow OCR involvement rather than originate independently. That said, the absence of a resident-count threshold for AG notice means even a 10-patient practice incident in Omaha or Grand Island will land on the AG's desk. The lack of a fixed day count gives the AG discretion to challenge any notice timeline that appears delayed, and the Consumer Protection Act allows the AG to seek injunctive relief plus civil penalties. Practices should treat "without unreasonable delay" as a 30-to-60-day operational ceiling.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Discharge |
Controlled-Substance Prescription Monitoring (Nebraska PDMP)
The Nebraska PDMP requires queries before every controlled-substance prescription, with delegation to licensed staff permitted. Exemptions cover hospice, cancer treatment, ER three-day supplies, and inpatient or long-term-care administration. Willful noncompliance is a Class III misdemeanor in addition to licensing-board discipline. Register at nebraska.pmpaware.net and document the every-prescription query in the chart. Nebraska is one of the few states that distinguishes negligent from willful noncompliance, so the contemporaneous record matters during a Board of Medicine audit.
| Requirement | Value |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | |
| Penalty range | Licensing board discipline; civil penalties; Class III misdemeanor for willful noncompliance |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration |
How Nebraska Rules Hit by Specialty
Rural primary care
Nebraska's healthcare delivery in the western counties depends on critical-access hospitals and small primary-care clinics. The AG-notify obligation has no resident-count floor, so even a single-patient unauthorized-access incident in a rural clinic triggers AG notice — small practices should not assume threshold protection.
Hospital systems
CHI Health and Nebraska Medicine dominate the Lincoln-Omaha corridor with networks extending into Iowa and South Dakota. Cross-border incidents must satisfy Nebraska's no-threshold AG-notify rule alongside Iowa's 5-business-day AG-notify-after-consumer-notice rule.
Behavioral health
Nebraska's behavioral-health providers face overlapping obligations: Neb. Rev. Stat. §87-801 for general PHI, 42 CFR Part 2 for substance-use disorder records, and county-specific commitment statutes. Breach-response protocols should distinguish the three streams when characterizing the affected records.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals | Department of Health and Human Services or local law enforcement | Immediately / as soon as possible | Class III misdemeanor for first offense; Class IIIA misdemeanor for subsequent | Good faith reporters immune from civil and criminal liability under Neb. Rev. Stat. 28-718 |
| Physicians, nurses, and all healthcare professionals | Adult Protective Services, Department of Health and Human Services | Immediately / as soon as possible | Class III misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers when treating injuries from suspected domestic abuse | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Nebraska Department of Health and Human Services, Division of Public Health | Within 24 hours | Class III misdemeanor | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or stab wounds | Local law enforcement | Immediately / as soon as possible | Class III misdemeanor | Good faith reporters immune from civil and criminal liability |
Nebraska Compliance FAQs
Neb. Rev. Stat. §87-801 requires notice "as soon as possible and without unreasonable delay." There is no fixed day count, but practices generally align with the HIPAA 60-day outer limit. Document the discovery date and every step of the investigation timeline to defend the chosen notice window during AG review.
Yes. Unlike many states that use a 250- or 500-resident threshold, Nebraska requires AG notification for any breach affecting Nebraska residents, regardless of count. Notice goes to the Consumer Protection Division of the Attorney General's office in Lincoln.
175 NAC 9-006.14C requires hospitals to retain general medical records for 10 years from the date of discharge. Pediatric records should be retained until age of majority plus the applicable adult retention period. Physician offices outside hospital regulatory scope should adopt the 10-year benchmark to align with litigation discovery expectations.
Willful noncompliance with Nebraska PDMP query requirements is a Class III misdemeanor under Neb. Rev. Stat. 71-2454 et seq., in addition to civil penalties and licensing-board discipline. Negligent noncompliance is handled administratively by the Board of Medicine. The distinction between negligent and willful matters; document every query.
Yes. All healthcare professionals must report suspected child abuse to the Department of Health and Human Services or local law enforcement under Neb. Rev. Stat. 28-711 et seq. First-offense failure to report is a Class III misdemeanor; subsequent offenses are Class IIIA. Good-faith reporters are immune from civil and criminal liability.
