South Dakota Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in South Dakota.
South Dakota healthcare compliance is anchored in SDCL §22-40-21, the state's breach-notification statute, enforced by the South Dakota Attorney General through the Consumer Protection Division in Pierre. South Dakota is one of the few states that pairs an explicit 60-day deadline with low AG-notification triggers: any breach affecting 250 or more South Dakota residents requires direct AG notice, and the 60-day clock starts at discovery rather than confirmation. Penalties run up to $10,000 per day of violation under the state's Deceptive Trade Practices Act — a per-day structure that escalates exposure dramatically for practices that delay disclosure while completing an internal investigation. Hospital records must be kept 10 years from discharge under ARSD 44:04:09:08, and child-abuse reporting failures are charged as Class 1 misdemeanors under SDCL 26-8A-14, carrying up to a year in jail. The state's enforcement style is reactive but punitive when activated, particularly when consumer notice lags federal OCR involvement.
Breach Notification Rules
Notification deadline: 60 calendar days. Notification must be made within 60 days of discovery. AG must be notified if 250+ South Dakota residents affected.
AG notification threshold: 250+ affected individuals (Notify: AG)
Harm analysis required
Penalty range: Up to $10,000 per day of violation under Deceptive Trade Practices Act
Enforcement Posture
The South Dakota Attorney General's posture on healthcare data is largely reactive — the office tends to wait for OCR resolution agreements, multi-state actions, or consumer complaints before opening matters of its own. The Deceptive Trade Practices Act gives the AG a powerful lever when activated: $10,000 per day of violation can accumulate quickly during a months-long investigation, especially if consumer notice is delayed beyond the statutory 60-day window. South Dakota's smaller healthcare market means the AG's actual case load is modest, but the per-day penalty structure means a single delayed notice incident can produce six-figure exposure. Practices in Sioux Falls, Rapid City, and Aberdeen should treat the 60-day deadline as a hard wall, not a target.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Discharge |
Controlled-Substance Prescription Monitoring (South Dakota PMP)
The South Dakota PMP requires queries before every controlled-substance prescription. Delegation to licensed staff is allowed but must be documented in the prescribing policy. Exemptions cover hospice, cancer treatment, ER three-day supplies, and inpatient administration. Civil penalties reach $1,000 per violation, with licensing-board discipline available in parallel. Register prescribers at southdakota.pmpaware.net and capture the query timestamp in the chart — a Board of Medical and Osteopathic Examiners audit will look for both the registration record and the chart documentation.
Check required: Every prescription
Check frequency: Every prescription
Delegation allowed
Penalty range: Licensing board discipline; civil penalties up to $1,000 per violation
Exemptions: Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital administration
How South Dakota Rules Hit by Specialty
Rural primary care
South Dakota's healthcare delivery leans on critical-access hospitals and federally qualified health centers across the state's western counties. SDCL §22-40-21's 60-day deadline runs from discovery at the practice, not at the federally connected EHR vendor — so detect-to-notify timelines should be measured at the local entry point.
Hospital systems
Avera, Sanford, and Monument Health dominate the South Dakota market with cross-border networks. A regional EHR incident may need to satisfy SDCL §22-40-21's 60-day window simultaneously with North Dakota and Minnesota counterparts that use different clocks — build per-state notice templates in advance.
Pharmacy/compounding
Compounding pharmacies operating across the I-90 corridor must navigate South Dakota Board of Pharmacy rules alongside SDCL §22-40-21. PMP queries are required before every controlled-substance dispense; civil penalties reach $1,000 per violation.
Mandatory Reporting Obligations
Mandated reporters: Physicians, dentists, nurses, psychologists, social workers, and all healthcare professionals
Report to: Department of Social Services, Child Protective Services, or State's Attorney
Timeline: Immediately / as soon as possible
Penalty for failure: Class 1 misdemeanor, up to 1 year jail and/or $2,000 fine
Immunity provision: Good faith reporters immune from civil and criminal liability under SDCL 26-8A-14

Mandated reporters: Physicians, nurses, and all healthcare professionals
Report to: Adult Protective Services, Department of Human Services
Timeline: Immediately / as soon as possible
Penalty for failure: Class 1 misdemeanor
Immunity provision: Good faith reporters immune from civil and criminal liability

Mandated reporters: Healthcare providers treating injuries from suspected criminal violence
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: Physicians, laboratories, and healthcare facility administrators
Report to: South Dakota Department of Health
Timeline: Within 24 hours
Penalty for failure: Class 2 misdemeanor
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: All healthcare providers treating gunshot wounds or stab wounds
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Class 2 misdemeanor
Immunity provision: Good faith reporters immune from civil and criminal liability
South Dakota Compliance FAQs
SDCL §22-40-21 requires notification within 60 days of discovery of the breach. The clock starts at discovery rather than confirmation, so practices should treat the date of incident detection — not the date of forensic confirmation — as day one. Document the discovery date in writing on day one to defend the calculation later.
The South Dakota Attorney General must be notified if a breach affects 250 or more South Dakota residents. AG notice should be submitted to the Consumer Protection Division and should mirror the substantive content of the consumer letter. Failure to notify the AG is independently actionable under the Deceptive Trade Practices Act.
SDCL §22-40-21 violations are enforced under the Deceptive Trade Practices Act, which allows penalties up to $10,000 per day of violation. Per-day accumulation means a 30-day late notice can produce $300,000 in exposure before consumer claims. Document every step of the investigation timeline to defend the chosen notice date.
ARSD 44:04:09:08 requires hospitals to retain general medical records for 10 years from the date of discharge. Pediatric records should be retained until age of majority plus the adult retention period. Practice-level providers outside the hospital regulatory scheme should adopt the 10-year benchmark to avoid disparities during litigation or board investigations.
Yes. SDCL 23-13-10 requires all healthcare providers treating gunshot wounds or stab wounds to notify local law enforcement. Failure to report is a Class 2 misdemeanor. Good-faith reporters are immune from civil and criminal liability. The duty applies whether the patient identifies the assailant or not.
