GuardWell Compliance

North Carolina Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in North Carolina.

Expedient notification11-year retentionNC Controlled Substances Reporting System

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made without unreasonable delay. AG must be notified if 1,000+ North Carolina residents affected.

AG notification threshold

1000+ affected individuals

Notify: AG + Consumer Protection Division

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $5,000 per violation under Unfair and Deceptive Trade Practices Act

Comparable to federal HIPAA
View statute

Medical Records Retention

Record typeRetention periodMeasured from
General medical11 yearsLast treatment
Pediatric11 yearsPatient turns 18

PDMP Requirements — NC Controlled Substances Reporting System

Check required

All controlled substances

Check frequency

Every prescription

Delegation allowed

Yes — authorized staff can check on provider's behalf

Penalty range

Licensing board discipline; civil penalties; possible misdemeanor charges

Exemptions

Hospice patients, cancer treatment, ≤5 day supply in ER, inpatient hospital or long-term care administration

Register for NC Controlled Substances Reporting System

Mandatory Reporting Obligations

Mandated reporters

Any person or institution who has cause to suspect child abuse (universal mandatory reporting)

Report to

County Department of Social Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class 1 misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability under N.C.G.S. 7B-309

Mandated reporters

Any person who has reasonable cause to believe a disabled adult has been abused

Report to

County Department of Social Services, Adult Protective Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class 1 misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers treating injuries from suspected domestic violence or criminal acts

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

North Carolina Division of Public Health, local health department

Timeline

Within 24 hours

Penalty for failure

Class 2 misdemeanor

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds or stab wounds

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class 3 misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Guides & Articles

HIPAA

HIPAA Compliance Checklist for Small Medical Practices in 2026

OSHA

OSHA Requirements for Medical Offices: A Complete Guide

HIPAA

HIPAA Breach Notification: Rules, Timelines, and Penalties

Training

How to Build a Healthcare Compliance Training Program

Stay compliant in North Carolina

GuardWell tracks North Carolina-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.

Free compliance scoreSee a demo

View all state compliance guides HIPAA Compliance OSHA Compliance DEA Compliance

GuardWell

Healthcare Compliance Assistant

Hi! I'm GuardWell's sales assistant.

I can answer questions about our healthcare compliance platform, pricing, and features. How can I help?

Powered by GuardWell AI