Pennsylvania Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Pennsylvania.
Pennsylvania medical practices operate under the Breach of Personal Information Notification Act (73 Pa. Stat. §2303), which requires notification "without unreasonable delay" after discovery of any breach of unencrypted computerized data. Unlike states with a hard clock, Pennsylvania puts the burden on the practice to defend its timeline if the Pennsylvania Attorney General later investigates. Pennsylvania does not require AG notification in the statute, but practices handling breaches above 500 records still trigger the HIPAA media-notice rule and the HHS OCR portal filing.

On the records side, 28 Pa. Code §115.23 sets a 7-year retention floor from last treatment, and the Mental Health Procedures Act layers additional confidentiality protections onto behavioral-health charts for the same 7-year window.

Pennsylvania's PDMP rules require every prescriber to query the Pennsylvania PDMP before issuing any controlled-substance prescription, with carve-outs for hospice, cancer, ER 3-day supplies, and medication-assisted treatment for opioid use disorder.

Mandated reporters route child-abuse referrals through ChildLine and elder-abuse referrals through the Area Agency on Aging. Gunshot-wound reporting to local law enforcement is mandatory for any physician or healthcare provider treating injuries from suspected criminal violence.
Breach Notification Rules
| Item | Pennsylvania requirement |
|---|---|
| Notification deadline | Most expedient time possible; notification must be made without unreasonable delay. AG notification not explicitly required but strongly recommended. |
| AG notification threshold | Not explicitly required |
| Harm analysis | Required |
| Penalty range | Enforceable by AG; private right of action for actual damages |
Enforcement Posture
The Pennsylvania Attorney General has authority to pursue civil enforcement under the breach notification act, and the office's Bureau of Consumer Protection has historically used its parens patriae authority to investigate notification delays. Pennsylvania's posture is best described as moderate: less aggressive than New York or Massachusetts, but the AG's office has joined multistate settlements involving healthcare data breaches and follows up on consumer complaints filed through the state's online portal. State Department of Health licensing actions add a second pressure point — sustained 28 Pa. Code violations can trigger plan-of-correction surveys. Practices that document their breach-decision timeline, perform a four-factor harm analysis, and notify residents promptly are well-positioned. Practices that delay notification while "investigating internally" attract scrutiny.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
| Mental health | 7 years | Last treatment |
Controlled-Substance Prescription Monitoring (Pennsylvania PDMP)
The Pennsylvania PDMP is administered by the Department of Health and requires every prescriber to query before each controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 3 days or less, inpatient and long-term care administration, and medication-assisted treatment for opioid use disorder. Delegation to staff is permitted; civil penalties run up to $1,000 per violation, with the State Board of Medicine empowered to impose licensure discipline for repeated willful noncompliance.
| Item | Pennsylvania requirement |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation | Allowed |
| Penalty range | Licensing board discipline; civil penalties up to $1,000 per violation; possible criminal prosecution for repeated willful noncompliance |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration, medication-assisted treatment for opioid use disorder |
How Pennsylvania Rules Hit by Specialty
Behavioral health
The Mental Health Procedures Act and 55 Pa. Code Ch. 5100 impose confidentiality protections that exceed HIPAA — separate written authorization is required for most disclosures of psychiatric records, and minimum-necessary determinations are stricter for psychotherapy notes.
Pain management
Pennsylvania's Achieving Better Care by Monitoring All Prescriptions Act layers query-frequency expectations onto the Pennsylvania PDMP for chronic-pain regimens — every refill, not just the first prescription, should be documented as a PDMP check.
Pediatrics
The 7-year retention floor runs from age of majority, so a chart for a patient first seen at age 6 must be retained through their 25th birthday at minimum. Practices using cloud EHRs should verify export and litigation-hold capabilities cover that 19-year window.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Physicians, nurses, dentists, psychologists, social workers, EMTs, and all licensed healthcare professionals | ChildLine, Department of Human Services | Immediately / as soon as possible | Third-degree misdemeanor for first offense; second-degree misdemeanor for subsequent; first-degree misdemeanor if child suffers serious injury | Good-faith reporters immune from civil and criminal liability under 23 Pa.C.S. §6318 |
| Physicians, nurses, social workers, and all healthcare professionals providing services to older adults | Area Agency on Aging, Older Adults Protective Services | Immediately / as soon as possible | Summary offense, up to $2,500 fine | Good-faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from suspected criminal violence | Local law enforcement | Immediately / as soon as possible | | Good-faith reporters immune from civil liability under Protection from Abuse Act |
| Physicians, laboratories, and healthcare facility administrators | Pennsylvania Department of Health, Bureau of Epidemiology, or local health department | Within 24 hours | Summary offense, up to $300 fine per day | Good-faith reporters immune from civil liability |
| All physicians and healthcare providers treating gunshot wounds or injuries from criminal violence | Local law enforcement | Immediately / as soon as possible | Summary offense | Good-faith reporters immune from civil and criminal liability |
Pennsylvania Compliance FAQs
The statute does not explicitly require AG notification, but the AG retains civil enforcement authority and the Bureau of Consumer Protection welcomes voluntary notifications. For breaches affecting 500 or more Pennsylvania residents, HIPAA's parallel media-notice rule is triggered regardless.
28 Pa. Code §115.23 sets a 7-year minimum from the date of last treatment or discharge. Mental-health records follow the same 7-year clock but carry additional confidentiality protections under the Mental Health Procedures Act.
Pennsylvania PDMP queries are required before every controlled-substance prescription, with exemptions for hospice, cancer treatment, ER ≤3-day supplies, inpatient/long-term care administration, and medication-assisted treatment for opioid use disorder.
Under 23 Pa.C.S. §6311, all licensed healthcare professionals — including physicians, nurses, dentists, psychologists, social workers, and EMTs — must report suspected child abuse to ChildLine. Failure escalates from a third-degree misdemeanor for a first offense up to a first-degree misdemeanor when a child suffers serious injury.
Yes. All physicians and healthcare providers treating gunshot wounds or injuries from suspected criminal violence must report to local law enforcement. Good-faith reporters receive civil and criminal immunity; failure is a summary offense.
Stay audit-ready in Pennsylvania
GuardWell tracks Pennsylvania-specific breach deadlines, retention periods, Pennsylvania PDMP queries, and mandatory reporting obligations automatically.
