South Carolina Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in South Carolina.
South Carolina healthcare practices operate under S.C. Code §39-1-90, the South Carolina Financial Identity Fraud and Identity Theft Protection Act, with notification required "without unreasonable delay" and AG plus Consumer Protection Division notification when 1,000 or more South Carolina residents are affected. South Carolina is one of the few states with an additional Insurance Data Security Act (S.C. Code §38-99-10 et seq.) modeled on the NAIC model law, which imposes specific cybersecurity-program and breach-notification duties on licensed insurers, agents, and producers — relevant for healthcare entities that operate captive insurers or that handle health-insurance information. Penalties under the breach statute reach $1,000 per affected resident with a per-breach cap of $500,000. Medical record retention is 10 years from discharge under S.C. Code Regs. 61-16 §601.7 for hospitals, with pediatric records held until age of majority plus 10 years. Practices in Columbia, Charleston, Greenville, Spartanburg, and Myrtle Beach should also account for the SC SCRIPTS PDMP every-Rx check administered through the South Carolina Department of Health and Environmental Control (DHEC), and DHEC's 24-hour communicable-disease reporting requirement.
Breach Notification Rules
Notification deadline
Most expedient time possible
Notification must be made without unreasonable delay. AG and Consumer Protection Division must be notified if 1,000+ South Carolina residents affected.
AG notification threshold
1000+ affected individuals
Notify: AG + Consumer Protection Division
Harm analysis required
Penalty range
Up to $1,000 per resident affected, max $500,000 per breach under Insurance Data Security Act
Enforcement Posture
South Carolina's enforcement posture is moderate-to-active — the AG's Consumer Protection Division has been engaged on breach notification cases and the Insurance Data Security Act adds a secondary enforcement track for insurance-related healthcare entities. The South Carolina Board of Medical Examiners and the South Carolina Board of Pharmacy carry the bulk of licensure-discipline activity, and the South Carolina Department of Health and Environmental Control (DHEC) operates both as a public-health regulator and as the PDMP administrator. The 1,000-resident AG-notification threshold is on the higher end among regional peers, but practices should not interpret that as a relaxed enforcement posture — the per-resident penalty structure ($1,000 per resident, $500,000 cap) means a multi-thousand-record breach can stack to the cap quickly. Insurance Data Security Act compliance is the area most likely to surprise practices that operate captive insurance or that share data with insurance affiliates.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Discharge |
| Pediatric | 10 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (SC SCRIPTS)
SC SCRIPTS (South Carolina Reporting & Identification Prescription Tracking System) is administered by the South Carolina Department of Health and Environmental Control (DHEC) and accessed at southcarolina.pmpaware.net. Prescribers must register and check before every Schedule II–V controlled-substance prescription, with delegation permitted. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, and inpatient or long-term care administration. Penalties include licensing-board discipline and possible misdemeanor charges.
Check required
Every prescription
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties; possible misdemeanor charges
Exemptions
Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration
How South Carolina Rules Hit by Specialty
Hospital systems
South Carolina hospital records carry a 10-year retention floor from discharge under S.C. Code Regs. 61-16 §601.7. The South Carolina Hospital Association and DHEC operate joint inspection programs that include records-management review. Pediatric hospital records require retention until age of majority plus 10 years.
Behavioral health
South Carolina behavioral-health providers face 42 CFR Part 2 and DHEC licensing requirements. The South Carolina Department of Mental Health operates its own facility network with overlapping documentation obligations. Universal mandated child-abuse reporting under SC Code 63-7-390 attaches to all healthcare professionals.
Pharmacy/compounding
SC SCRIPTS every-Rx checks apply to all Schedule II–V prescriptions through southcarolina.pmpaware.net. Compounding pharmacies should layer South Carolina Board of Pharmacy compounding rules over USP <795>/<797> and retain PDMP query evidence with the prescription record.
Mandatory Reporting Obligations
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals
Report to
Department of Social Services, county office, or local law enforcement
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to $500 fine and/or 6 months jail
Immunity provision
Good faith reporters immune from civil and criminal liability under SC Code 63-7-390
Mandated reporters
Physicians, nurses, and all healthcare professionals
Report to
Adult Protective Services, Department of Social Services
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to $500 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected domestic violence or criminal acts
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
South Carolina Department of Health and Environmental Control (DHEC)
Timeline
Within 24 hours
Penalty for failure
Misdemeanor, up to $200 fine
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All healthcare providers treating gunshot wounds or wounds from criminal violence
Report to
Local law enforcement or sheriff
Timeline
Immediately / as soon as possible
Penalty for failure
Misdemeanor, up to $200 fine
Immunity provision
Good faith reporters immune from civil and criminal liability
South Carolina Compliance FAQs
South Carolina requires Attorney General and Consumer Protection Division notification when 1,000 or more South Carolina residents are affected under S.C. Code §39-1-90. The threshold is higher than Mississippi's 250 or Florida's 500.
S.C. Code §38-99-10 et seq. is South Carolina's adoption of the NAIC Insurance Data Security Model Law, imposing specific cybersecurity-program and breach-notification duties on licensed insurers, agents, and producers. Healthcare entities operating captive insurance or sharing data with insurance affiliates may have layered obligations.
S.C. Code Regs. 61-16 §601.7 sets a 10-year retention floor for hospital records measured from discharge. Pediatric records must be retained until age of majority plus 10 years (effectively age 28). Outpatient physician practices typically default to the same 10-year retention as a practical matter.
SC SCRIPTS requires every prescriber of controlled substances to register through southcarolina.pmpaware.net and check the database before each Schedule II–V prescription. DHEC administers the program with delegation permitted to office staff but with the prescriber remaining accountable.
The South Carolina Attorney General's Consumer Protection Division enforces S.C. Code §39-1-90, with civil penalties up to $1,000 per affected resident and a $500,000 per-breach cap. The Insurance Data Security Act adds a secondary enforcement track through the South Carolina Department of Insurance for insurance-related entities.
Stay audit-ready in South Carolina
GuardWell tracks South Carolina-specific breach deadlines, retention periods, SC SCRIPTS PDMP queries, and mandatory reporting obligations automatically.