Vermont Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Vermont.

45-day breach deadline | 10-year retention | Vermont PMP | Stricter than HIPAA

Vermont medical practices operate under the Security Breach Notice Act, codified at 9 V.S.A. §2435, which sets the strictest AG-notification timeline in the Northeast: the Vermont Attorney General must be notified within 14 business days of discovery, separate from the 45-day deadline for notifying affected individuals. The Vermont Consumer Protection Act provides enforcement teeth at up to $10,000 per violation. Medical records carry an unusually long 10-year retention floor from discharge under Vermont Hospital Licensing Regulations, with pediatric records running until age of majority plus 10 years — one of the longest pediatric retention windows in the country. The Vermont PMP (VPMS) requires every prescriber to query before every controlled-substance prescription, with carve-outs for hospice, cancer, ER 3-day supplies, and inpatient administration. Child-abuse reporting routes through the Department for Children and Families under 33 V.S.A. §4913, and gunshot-wound reporting is mandatory to local law enforcement or the Vermont State Police.

Breach Notification Rules

Notification deadline

45 calendar days

Notification must be made within 45 days of discovery. AG must be notified within 14 business days of discovery.

AG notification threshold

All breaches

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

Up to $10,000 per violation under Consumer Protection Act

Stricter than federal HIPAA

Enforcement Posture

Vermont's enforcement posture is reactive rather than proactive — the Attorney General investigates breaches and complaints it receives, but the office does not maintain the large healthcare-focused enforcement bench of larger Northeastern states. The 14-business-day AG-notification window, however, is a hard procedural deadline that is easy to miss and easy for the AG's office to spot. Practices that miss the 14-day clock typically face a separate procedural violation regardless of how the underlying breach is ultimately resolved. The Department of Financial Regulation has parallel authority over insurance and financial entities; for medical practices, the AGO is the primary state-level enforcement counterparty. Department of Health licensing surveys provide a separate track for the 10-year retention rule.

Medical Records Retention

Record type | Retention period | Measured from
General medical | 10 years | Last treatment
Pediatric | 10 years | Patient turns 18

Controlled-Substance Prescription Monitoring (Vermont PMP)

The Vermont Prescription Monitoring System (VPMS) must be queried before every controlled-substance prescription. Exemptions cover hospice patients, active cancer treatment, ER prescriptions of 3 days or less, and inpatient hospital administration. Delegation to staff is permitted. Civil penalties run up to $1,000 per violation, with the relevant licensing board empowered to impose discipline for pattern noncompliance.

Check required

Every prescription

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; civil penalties up to $1,000 per violation

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital administration

How Vermont Rules Hit by Specialty

Pediatrics

Vermont's 10-year pediatric retention floor runs from age of majority — so a chart for a child first seen at age 4 must be retained until that patient turns 28. Practices migrating between EHR vendors need confirmed export capability for that 24-year window, including immunization history and growth charts.

Behavioral health

Vermont's mental-health confidentiality rules under 18 V.S.A. §7103 layer additional consent requirements onto HIPAA for psychiatric record disclosure, and Vermont also maintains an Adult Protective Services framework that mandates reporting by healthcare professionals.

Pain management

VPMS queries are required before every controlled-substance prescription. Vermont also limits opioid prescriptions for acute pain to short durations under Rule 21 — pain practices need both the PDMP check and the duration limit documented for every initial prescription.

Mandatory Reporting Obligations

Mandated reporters

Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals

Report to

Department for Children and Families (DCF)

Timeline

Immediately / as soon as possible

Penalty for failure

Up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability under 33 V.S.A. §4913

Mandated reporters

Physicians, nurses, and all healthcare professionals

Report to

Adult Protective Services, Department of Disabilities, Aging and Independent Living

Timeline

Immediately / as soon as possible

Penalty for failure

Up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Mandated reporters

Healthcare providers are not specifically mandated to report domestic violence in adults

Report to

Local law enforcement (voluntary reporting permitted with patient consent)

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Vermont Department of Health, Epidemiology Division

Timeline

Within 24 hours

Penalty for failure

Up to $500 fine per violation

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds

Report to

Local law enforcement or Vermont State Police

Timeline

Immediately / as soon as possible

Penalty for failure

Up to $500 fine

Immunity provision

Good faith reporters immune from civil and criminal liability

Vermont Compliance FAQs

9 V.S.A. §2435 requires notification to the Vermont Attorney General within 14 business days of discovery of the breach — separate from the 45-day deadline for notifying affected residents. The 14-business-day clock is one of the strictest AG-notification windows in the country.

Vermont Hospital Licensing Regulations require 10 years from discharge for general records — one of the longest retention floors nationally. Pediatric records run until age of majority plus 10 years.

Every prescriber must query VPMS before every controlled-substance prescription, with exemptions for hospice, cancer treatment, ER ≤3-day supplies, and inpatient administration.

All healthcare professionals — physicians, nurses, dentists, psychologists, social workers — are mandated reporters under 33 V.S.A. §4913. Reports go to the Department for Children and Families. Good-faith reporters receive civil and criminal immunity; failure carries up to a $500 fine.

Yes. All healthcare providers treating gunshot wounds must report to local law enforcement or the Vermont State Police. Good-faith reporters are immune from civil and criminal liability; failure carries up to a $500 fine.

Stay audit-ready in Vermont

GuardWell tracks Vermont-specific breach deadlines, retention periods, Vermont PMP queries, and mandatory reporting obligations automatically.
