North Carolina Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in North Carolina.
North Carolina healthcare practices operate under N.C. Gen. Stat. §75-65, part of the North Carolina Identity Theft Protection Act, with notification required "without unreasonable delay" and AG plus Consumer Protection Division notification when 1,000 or more North Carolina residents are affected. The North Carolina Attorney General has historically been one of the more active state enforcers of healthcare breach rules, and the office maintains a public breach-notification database that creates real reputational exposure for practices. Penalties run under the Unfair and Deceptive Trade Practices Act at up to $5,000 per violation, with damages stacking per affected resident. Medical record retention is 11 years from discharge under 10A NCAC 13B .4406 for hospitals — one of the longer retention floors in the country — with pediatric records held until age of majority plus 11 years or 30 years from discharge, whichever is less. Practices in Charlotte, Raleigh, Greensboro, Durham, and Winston-Salem should also account for the NC Controlled Substances Reporting System (CSRS) every-Rx check administered by the North Carolina Department of Health and Human Services, and the universal mandatory child-abuse reporting duty under N.C.G.S. 7B-309 that attaches to all persons, not just licensed clinicians.
Breach Notification Rules
Notification deadline
Most expedient time possible
Notification must be made without unreasonable delay. AG must be notified if 1,000+ North Carolina residents affected.
AG notification threshold
1000+ affected individuals
Notify: AG + Consumer Protection Division
Harm analysis required
Penalty range
Up to $5,000 per violation under Unfair and Deceptive Trade Practices Act
Enforcement Posture
North Carolina is one of the more active state enforcers of healthcare breach rules in the Southeast — the Attorney General's office has historically pursued multi-practice investigations and maintains a public breach-notification database. The 1,000-resident AG-notification threshold may sound permissive, but in practice the public-disclosure obligation means even sub-threshold breaches face market-driven scrutiny. The North Carolina Medical Board, North Carolina Board of Nursing, and North Carolina Board of Pharmacy run parallel licensure-discipline lanes. The 11-year retention floor for hospitals is among the longest in the country and creates significant data-minimization tension for practices that would otherwise destroy records earlier. Practices should expect that breach notification timing and the AG's public-disclosure regime are the two areas of greatest visibility risk.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 11 years | Last treatment |
| Pediatric | 11 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (NC Controlled Substances Reporting System)
The NC Controlled Substances Reporting System (CSRS) is administered by the North Carolina Department of Health and Human Services and accessed at csrs.nc.gov. Prescribers must register and check before every Schedule II–V controlled-substance prescription, with delegation permitted. Exemptions cover hospice, cancer treatment, ≤5-day ER supplies, and inpatient or long-term care administration. Penalties include licensing-board discipline, civil penalties, and possible misdemeanor charges for willful noncompliance.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties; possible misdemeanor charges
Exemptions
Hospice patients, cancer treatment, ≤5 day supply in ER, inpatient hospital or long-term care administration
How North Carolina Rules Hit by Specialty
Hospital systems
North Carolina hospital records carry an 11-year retention floor from discharge under 10A NCAC 13B .4406 — among the longest in the country. Pediatric records must be retained until age of majority plus 11 years or 30 years from discharge, whichever is less. The North Carolina Hospital Association and DHHS coordinate joint records-management inspections.
Pediatrics
Pediatric records inherit the 11-year retention floor with the age-of-majority-plus-11-years extension under 10A NCAC 13B .4406. Universal mandated child-abuse reporting under N.C.G.S. 7B-309 attaches to every person, not just licensed clinicians. The County Department of Social Services is the recipient for reports.
Behavioral health
North Carolina behavioral-health providers face 42 CFR Part 2, HIPAA, and North Carolina DHHS Division of Mental Health licensing requirements. The Local Management Entity / Managed Care Organization (LME/MCO) system creates additional documentation and data-sharing obligations for Medicaid-participating providers.
Mandatory Reporting Obligations
Mandated reporters
Any person or institution who has cause to suspect child abuse (universal mandatory reporting)
Report to
County Department of Social Services
Timeline
Immediately / as soon as possible
Penalty for failure
Class 1 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability under N.C.G.S. 7B-309
Mandated reporters
Any person who has reasonable cause to believe a disabled adult has been abused
Report to
County Department of Social Services, Adult Protective Services
Timeline
Immediately / as soon as possible
Penalty for failure
Class 1 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected domestic violence or criminal acts
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
North Carolina Division of Public Health, local health department
Timeline
Within 24 hours
Penalty for failure
Class 2 misdemeanor
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds or stab wounds
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Class 3 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
North Carolina Compliance FAQs
North Carolina does not impose a hard numerical deadline under N.C. Gen. Stat. §75-65 — notification must be made 'without unreasonable delay.' Attorney General and Consumer Protection Division notification is required when 1,000 or more residents are affected. The AG maintains a public breach-notification database, so practical timing pressure exceeds the statute's text.
10A NCAC 13B .4406 sets an 11-year retention floor for hospital records measured from discharge — one of the longest in the country. Pediatric records must be retained until age of majority plus 11 years or 30 years from discharge, whichever is less.
The NC Controlled Substances Reporting System (CSRS) is North Carolina's PDMP, administered by the North Carolina Department of Health and Human Services and accessed at csrs.nc.gov. Registration is mandatory for every controlled-substance prescriber, with every-Rx checks required for Schedule II–V prescriptions.
N.C.G.S. 7B-309 imposes universal mandated reporting — every person with reasonable cause to suspect child abuse must report to the County Department of Social Services. Failure to report is a Class 1 misdemeanor. The duty attaches to non-clinical staff as well as licensed clinicians.
The North Carolina Attorney General's Consumer Protection Division enforces N.C. Gen. Stat. §75-65 under the Unfair and Deceptive Trade Practices Act, with civil penalties up to $5,000 per violation. The NC Medical Board, Board of Nursing, and Board of Pharmacy can pursue parallel licensure discipline. A public breach-notification database creates additional reputational risk.
Guides & Articles
Stay audit-ready in North Carolina
GuardWell tracks North Carolina-specific breach deadlines, retention periods, NC Controlled Substances Reporting System PDMP queries, and mandatory reporting obligations automatically.