Rhode Island Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Rhode Island.

Expedient notification5-year retentionRI PMPStricter than HIPAA

Breach Notification Rules

Notification deadline

Most expedient time possible

Notification must be made within 30 calendar days of confirmation of the breach. AG must be notified.

AG notification threshold

500+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $100 per individual, max $25,000 per breach

Stricter than federal HIPAA

View statute

Medical Records Retention

Record type	Retention period	Measured from	Notes
General medical	5 years	Discharge	R.I. Gen. Laws §5-37.3-4 — 5 years from discharge; HIPAA 6-year floor also applies.
Pediatric	5 years	Patient turns 18	Until age 23 or 5 years from last treatment, whichever is later.

PDMP Requirements — RI PMP

Check required

All controlled substances

Check frequency

Every prescription

Delegation allowed

Yes — authorized staff can check on provider's behalf

Penalty range

Licensing board discipline; civil penalties up to $5,000 per violation

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or nursing facility administration

Mandatory Reporting Obligations

Mandated reporters

Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals

Report to

Department of Children, Youth and Families (DCYF)

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $500 fine and/or 1 year jail

Immunity provision

Good faith reporters immune from civil and criminal liability under RIGL 40-11-6

Mandated reporters

Physicians, nurses, and all healthcare professionals

Report to

Department of Elderly Affairs

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers when treating injuries from suspected domestic violence

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Rhode Island Department of Health

Timeline

Within 24 hours

Penalty for failure

Misdemeanor, up to $500 fine

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds or stab wounds

Report to

Local law enforcement or state police

Timeline

Immediately / as soon as possible

Penalty for failure

Misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Guides & Articles

HIPAA

How to Prepare for a HIPAA Audit: A Practice Manager's Guide

Stay compliant in Rhode Island

GuardWell tracks Rhode Island-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.

Free compliance score See a demo

View all state compliance guides — HIPAA Compliance • OSHA Compliance • DEA Compliance

Rhode Island Healthcare Compliance Requirements

Breach Notification Rules

Medical Records Retention

PDMP Requirements — RI PMP

Mandatory Reporting Obligations

Guides & Articles

HIPAA Compliance Checklist for Small Medical Practices in 2026

HIPAA Breach Notification: Rules, Timelines, and Penalties

Bloodborne Pathogens Exposure Control Plan: What Every Practice Needs

How to Prepare for a HIPAA Audit: A Practice Manager's Guide

Stay compliant in Rhode Island