Tennessee Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Tennessee.
Tennessee healthcare practices operate under Tenn. Code §47-18-2107, the Tennessee data breach notification statute, layered with the Tennessee Identity Theft Deterrence Act. The statute imposes a 60-day outer notification limit and enforcement runs through the Tennessee Attorney General under the Tennessee Consumer Protection Act — violations are treated as unfair or deceptive acts subject to the AG's full investigative subpoena power. Medical record retention sits at 10 years from last treatment under Tenn. Comp. R. & Regs. 1200-08-01-.08, with pediatric records held until age of majority plus 10 years. Tennessee is also a national leader in pharmacy-compounding regulation, with the Tennessee Board of Pharmacy enforcing rules that go beyond USP <795>/<797> for sterile and non-sterile compounding. Practices in Nashville, Memphis, Knoxville, and Chattanooga should account for the TN CSMD (Tennessee Controlled Substance Monitoring Database) every-Rx check requirement administered by the Tennessee Department of Health, and pain-management practices face additional Pain Management Clinic licensure requirements under the Tennessee Department of Health post-opioid-crisis regulatory framework. The Tennessee Bureau of Investigation handles certain healthcare-fraud investigations alongside the AG.
Breach Notification Rules
| Requirement | Detail |
|---|---|
| Notification deadline | 60 calendar days. Notification must be made without unreasonable delay but no later than 60 days after discovery. |
| AG notification threshold | Not explicitly required |
| Harm analysis required | |
| Penalty range | Enforceable by AG; violations treated as unfair or deceptive acts under Consumer Protection Act |
Enforcement Posture
Tennessee sits in the more-active end of the regional pack for healthcare enforcement, though primarily through licensure rather than AG action. The Tennessee Board of Medical Examiners and the Tennessee Board of Pharmacy run active discipline lanes, particularly around pain-management and controlled-substance issues post-opioid crisis. The Tennessee Attorney General's office enforces breach notification under the Consumer Protection Act with no statutory penalty cap — civil penalties accrue per violation under the deceptive-acts framework. Pain Management Clinic licensure under Tenn. Code §63-1-301 et seq. is the area where most outpatient practices feel the heaviest regulatory pressure, with the Tennessee Department of Health able to suspend licensure for documentation failures alone. Practices should expect that a PHI breach involving a controlled-substance prescription record will trigger both AG and licensure-board inquiries simultaneously.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 10 years | Last treatment |
| Pediatric | 10 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (TN CSMD)
The TN CSMD (Tennessee Controlled Substance Monitoring Database) is administered by the Tennessee Department of Health and accessed through tn.gov/health. Prescribers must register and check the database before issuing every Schedule II–V controlled-substance prescription, with delegation permitted. Penalties for willful noncompliance can reach $10,000 in civil fines plus Class A misdemeanor exposure. Exemptions cover hospice, cancer treatment, ≤3-day ER supplies, inpatient administration, and medication-assisted treatment.
| Requirement | Detail |
|---|---|
| Check required | Every prescription |
| Check frequency | Every prescription |
| Delegation allowed | |
| Penalty range | Licensing board discipline; civil penalties up to $10,000; Class A misdemeanor for willful noncompliance |
| Exemptions | Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration, medication-assisted treatment |
How Tennessee Rules Hit by Specialty
Pharmacy/compounding
Tennessee is one of the country's most-regulated states for compounding pharmacy. The Tennessee Board of Pharmacy enforces rules going beyond USP <795>/<797> including specific licensure for sterile compounding and outsourcing-facility registration. Every-Rx CSMD check applies to all Schedule II–V prescriptions.
Pain management
Tennessee Pain Management Clinic licensure under Tenn. Code §63-1-301 et seq. imposes additional medical-director, prescribing-protocol, and patient-evaluation requirements beyond standard medical-practice rules. Post-opioid-crisis enforcement is among the most active in the country, with Tennessee Department of Health able to suspend licensure for documentation failures alone.
Behavioral health
Tennessee behavioral-health providers face 42 CFR Part 2, HIPAA, and Tennessee Department of Mental Health and Substance Abuse Services licensing requirements. The state's mandatory reporting attaches to every person who suspects child abuse, with up to 11 months 29 days jail and $2,500 in fines for failure to report under TCA 37-1-410.
Mandatory Reporting Obligations
| Mandated reporters | Report to | Timeline | Penalty for failure | Immunity provision |
|---|---|---|---|---|
| Any person including physicians, nurses, dentists, psychologists, and all healthcare professionals | Department of Children's Services (DCS) or local law enforcement | Immediately / as soon as possible | Class A misdemeanor, up to 11 months 29 days jail and/or $2,500 fine | Good faith reporters immune from civil and criminal liability under TCA 37-1-410 |
| All persons including healthcare professionals who suspect abuse of a vulnerable adult | Adult Protective Services, Department of Human Services | Immediately / as soon as possible | Class A misdemeanor | Good faith reporters immune from civil and criminal liability |
| Healthcare providers treating injuries from suspected domestic violence or criminal violence | Local law enforcement | Immediately / as soon as possible | | Good faith reporters immune from civil liability |
| Physicians, laboratories, and healthcare facility administrators | Tennessee Department of Health, Communicable and Environmental Disease Services | Within 24 hours | Class C misdemeanor, up to $50 fine | Good faith reporters immune from civil liability |
| All healthcare providers treating gunshot wounds or wounds inflicted by a weapon | Local law enforcement | Immediately / as soon as possible | Class C misdemeanor | Good faith reporters immune from civil and criminal liability |
Tennessee Compliance FAQs
Yes. Tenn. Code §47-18-2107 requires notification 'without unreasonable delay but no later than 60 days after discovery.' Enforcement is by the Tennessee Attorney General under the Tennessee Consumer Protection Act as an unfair or deceptive act, with no statutory penalty cap.
Tenn. Comp. R. & Regs. 1200-08-01-.08 sets a 10-year retention floor for hospital records measured from discharge. Pediatric records should be held until age of majority plus 10 years. Outpatient physician practices typically follow the same 10-year floor as a practical matter.
The TN CSMD (Tennessee Controlled Substance Monitoring Database) is Tennessee's own PDMP, administered by the Tennessee Department of Health rather than Appriss Health's PMP AWARxE platform used by Arkansas, Louisiana, Mississippi, and Alabama. Every-Rx checks are required for Schedule II–V prescriptions.
Tenn. Code §63-1-301 et seq. requires pain-management clinics to obtain separate state licensure from the Tennessee Department of Health, with medical-director requirements, prescribing-protocol documentation, and patient-evaluation rules that go beyond standard medical-practice regulation. Documentation failures alone can trigger licensure suspension.
The Tennessee Attorney General's office under the Consumer Protection Act, with no statutory penalty cap. The Tennessee Board of Medical Examiners and Tennessee Board of Pharmacy can pursue parallel licensure discipline. The Tennessee Bureau of Investigation may participate in fraud-adjacent cases.
