Oregon Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Oregon.

45-day breach deadline | 10-year retention | Oregon PDMP | Stricter than HIPAA

Oregon's healthcare compliance posture is shaped by the Oregon Consumer Identity Theft Protection Act (ORS 646A.600 et seq.), which requires breach notification within 45 days of discovery and simultaneous notification to the Oregon Attorney General when 250 or more Oregon residents are affected. Penalties under the Unlawful Trade Practices Act (ORS 646.605) reach $25,000 per violation. Retention under OAR 847-012-0000 is 10 years from last treatment — among the longer baselines in the country — with pediatric records running until age 25 or 10 years from last treatment, whichever is later. The Oregon PDMP (oregon.pmpaware.net) requires queries on every controlled-substance prescription, with delegation permitted to licensed staff. Oregon notably does not impose a mandatory adult-domestic-violence reporting duty on healthcare providers (ORS 419B addresses child abuse only), making it one of the few states to leave adult-IPV reporting voluntary with patient consent — a distinction with significant operational implications for ER and primary-care workflows.

Breach Notification Rules

Notification deadline

45 calendar days

Notification must be made within 45 days of discovering the breach. The AG must be notified if 250 or more Oregon residents are affected.

AG notification threshold

250+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $25,000 per violation under Unlawful Trade Practices Act

Stricter than federal HIPAA

Enforcement Posture

The Oregon Attorney General's Civil Enforcement Division and the Oregon Department of Justice's Consumer Protection Section together handle breach-notification matters under ORS 646A. The AG has historically pursued assurance-of-voluntary-compliance settlements that include corrective-action plans, mandatory security audits, and multi-year reporting obligations. The Oregon Department of Consumer and Business Services and the Oregon Health Authority can layer separate licensing action for facilities. Practices should expect AG inquiries about the reasonableness of breach-discovery timelines and the practical steps to prevent recurrence. Oregon's 45-day clock and 250-resident AG threshold make small-practice breaches more likely to attract AG attention than in jurisdictions with 500-resident thresholds.

Medical Records Retention

Record type     | Retention period | Measured from
General medical | 10 years         | Last treatment
Pediatric       | 7 years          | Patient turns 18

Controlled-Substance Prescription Monitoring (Oregon PDMP)

The Oregon Prescription Drug Monitoring Program (oregon.pmpaware.net), administered by the Oregon Health Authority, requires queries on every controlled-substance prescription. Delegation to licensed staff (RNs, LPNs, MAs under a documented standing order) is permitted. Exemptions cover hospice, cancer treatment, ER ≤3-day supplies, inpatient administration, and medication-assisted treatment. Civil penalties reach $5,000 per violation in addition to license-board discipline. Out-of-state prescribers writing for Oregon patients must register before issuing prescriptions.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; civil penalties up to $5,000 per violation

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital administration, medication-assisted treatment

How Oregon Rules Hit by Specialty

Pediatrics

Oregon's pediatric retention rule under OAR 847-012-0000 — until age 25 or 10 years from last treatment, whichever is later — produces some of the longest retention spans nationally. A chart opened at birth with a last encounter at age 16 runs to age 26 (16 + 10 years). Encode the 'whichever is later' branch in your retention engine.

Behavioral health

Behavioral-health records sit on the same 10-year retention baseline. Oregon's choice not to mandate adult-IPV reporting (ORS 419B addresses child abuse only) means therapists working with adult survivors face a permissive — not mandatory — reporting framework, but Oregon's mandated reporting for child abuse still names psychologists and licensed counselors as reporters.

Pharmacy/compounding

Oregon pharmacies and compounders face PDMP dispensing-report obligations and Oregon Board of Pharmacy oversight. Civil penalties of up to $5,000 per PDMP violation and possible criminal charges for pattern noncompliance make weekly delegation audits worth the operational overhead.

Telehealth providers

Out-of-state telehealth providers serving Oregon residents fall under ORS 646A for breaches affecting Oregon residents and must register with the Oregon PDMP before issuing any controlled-substance prescription. The Oregon Medical Board requires either Oregon licensure or telemedicine-specific registration.

Mandatory Reporting Obligations

Mandated reporters

Physicians, nurses, dentists, psychologists, social workers, EMTs, and all healthcare professionals

Report to

Department of Human Services, Child Welfare, or local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class A violation (civil); Class B misdemeanor if knowingly failed to report

Immunity provision

Good faith reporters immune from civil and criminal liability under ORS 419B.025

Mandated reporters

Physicians, nurses, social workers, and all healthcare professionals

Report to

Department of Human Services, Adult Protective Services, or local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class A violation

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers are not specifically mandated to report domestic violence in adults

Report to

Local law enforcement (voluntary reporting permitted with patient consent)

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, healthcare facilities, and infection control practitioners

Report to

Oregon Health Authority, Public Health Division, or local health department

Timeline

Within 24 hours

Penalty for failure

Class C misdemeanor

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds or injuries from criminal violence

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class A violation

Immunity provision

Good faith reporters immune from civil and criminal liability

Oregon Compliance FAQs

ORS 646A.604 requires notification within 45 days of discovery. If 250 or more Oregon residents are affected, the Oregon AG must be notified simultaneously. This 250-resident threshold is materially lower than the 500-resident threshold many other states use, making small-practice breaches more likely to trigger AG involvement.

OAR 847-012-0000 requires pediatric retention until age 25 (age of majority 18 + 7) or 10 years from last treatment, whichever is later. This 'whichever is later' clause produces some of the longest retention spans nationally — a chart with an encounter at age 16 runs to age 26.

No. Oregon's mandatory-reporting framework under ORS 419B addresses child abuse; reporting of suspected adult intimate-partner violence is voluntary and typically requires patient consent. Healthcare providers should screen and refer, but are not subject to criminal penalty for non-reporting of adult IPV.

Yes. Oregon PDMP permits licensed staff to perform queries under a documented standing order. The prescriber retains responsibility for reviewing and documenting the result. Civil penalties up to $5,000 per violation enforce compliance, alongside licensing-board discipline.

250 or more affected Oregon residents triggers mandatory AG notification under ORS 646A.604. The notification must be simultaneous with consumer notification. The Oregon Department of Justice publishes breach data, and 250 is notably lower than the 500-resident threshold used in California, Washington, and other states.

Stay audit-ready in Oregon

GuardWell tracks Oregon-specific breach deadlines, retention periods, Oregon PDMP queries, and mandatory reporting obligations automatically.
