New Hampshire Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in New Hampshire.
New Hampshire medical practices operate under RSA §359-C:19, which requires breach notification "as soon as possible" and — distinctively — requires immediate notification to the New Hampshire Attorney General upon discovery, with no resident-count threshold. The NH Consumer Protection Act provides enforcement teeth at up to $10,000 per violation, with the AGO's Consumer Protection and Antitrust Bureau the primary enforcer. Medical records carry a 7-year retention floor under N.H. Admin. R. He-P 802.10, with pediatric records running until age of majority plus 7 years. The New Hampshire PDMP requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 3-day supplies, and inpatient/nursing facility administration. Child-abuse reporting routes through the Division for Children, Youth and Families under RSA §169-C:31, and gunshot-wound reporting to local law enforcement is mandatory for all healthcare providers.
Breach Notification Rules
Notification deadline
Most expedient time possible
Notification must be made as soon as possible. AG must be notified immediately upon discovery.
AG notification threshold
All breaches
Notify: AG
Harm analysis required
Penalty range
Up to $10,000 per violation under Consumer Protection Act
Enforcement Posture
New Hampshire's enforcement posture is moderate. The Attorney General's Consumer Protection and Antitrust Bureau is the primary state-level enforcer of the breach rule, and the immediate-notification requirement creates a high cadence of incident reports flowing into the office. The Department of Health and Human Services licensure framework provides parallel enforcement on the 7-year retention rule. New Hampshire does not have the large healthcare-focused enforcement bench of Massachusetts or New York, but the "as soon as possible" notification standard and immediate AG notification create clear bright lines that are easy for the office to act on when missed. Practices that document an immediate-discovery timeline and notify the AG promptly are well-positioned against procedural enforcement.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (NH PDMP)
The New Hampshire PDMP must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 3 days or less, and inpatient hospital or nursing facility administration. Delegation to authorized staff is permitted. The relevant licensing board can impose discipline including license suspension, and civil penalties and possible misdemeanor charges apply for willful noncompliance.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties; possible misdemeanor charges
Exemptions
Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or nursing facility administration
How New Hampshire Rules Hit by Specialty
Pain management
New Hampshire PDMP queries are required before every controlled-substance prescription. The state also limits opioid prescribing for acute pain under Board of Medicine rules — pain practices need the PDMP check and dose-and-duration documentation captured at every prescription event.
Behavioral health
New Hampshire mental-health confidentiality rules under RSA §135-C:19-a impose consent and disclosure requirements stricter than HIPAA for most psychiatric record disclosure. Substance-use treatment records under RSA §172-B layer additional confidentiality protections in parallel with 42 CFR Part 2.
Mandatory Reporting Obligations
Mandated reporters
Physicians, surgeons, nurses, dentists, psychologists, and all persons having reason to suspect child abuse
Report to
Division for Children, Youth and Families (DCYF)
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability under RSA 169-C:31
Mandated reporters
Physicians, nurses, and all healthcare professionals
Report to
Bureau of Elderly and Adult Services, Department of Health and Human Services
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers are not specifically mandated; may report when treating injuries from violence
Report to
Local law enforcement (voluntary reporting permitted)
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
New Hampshire Division of Public Health Services, Bureau of Infectious Disease Control
Timeline
Within 24 hours
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
New Hampshire Compliance FAQs
Yes. RSA §359-C:19 requires notification to the New Hampshire Attorney General immediately upon discovery of the breach, with no resident-count threshold. The standard for notifying affected residents is 'as soon as possible.'
N.H. Admin. R. He-P 802.10 sets 7 years from last service for adult records, with pediatric records running until age of majority plus 7 years.
Every prescriber must query the NH PDMP before every controlled-substance prescription, with exemptions for hospice, cancer treatment, ER ≤3-day supplies, and inpatient/nursing facility administration.
Under RSA §169-C:29, all healthcare professionals — and any person having reason to suspect child abuse — must report to the Division for Children, Youth and Families. Failure is a misdemeanor; good-faith reporters are immune from civil and criminal liability under RSA §169-C:31.
Up to $10,000 per violation under the New Hampshire Consumer Protection Act. The AGO's Consumer Protection and Antitrust Bureau is the primary enforcer.
Neighboring State Compliance Guides
Stay audit-ready in New Hampshire
GuardWell tracks New Hampshire-specific breach deadlines, retention periods, NH PDMP PDMP queries, and mandatory reporting obligations automatically.