Virginia Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Virginia.
Breach Notification Rules
Notification deadline
60 calendar days
Notification must be made without unreasonable delay but no later than 60 days after discovery. AG and affected individuals must be notified. VCDPA provides additional rights for consumer data.
AG notification threshold
All breaches
Notify: AG
Harm analysis required
Penalty range
Up to $150,000 per breach; VCDPA: up to $7,500 per violation
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 6 years | Last treatment |
| Pediatric | 6 years | Patient turns 18 |
PDMP Requirements — Virginia PMP
Check required
All controlled substances
Check frequency
Every prescription
Delegation allowed
Penalty range
Licensing board discipline; civil penalties up to $5,000; possible criminal charges for willful noncompliance
Exemptions
Hospice patients, cancer treatment, ≤14 day supply post-surgical, ≤3 day supply in ER, inpatient hospital or long-term care administration
Mandatory Reporting Obligations
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals acting in professional capacity
Report to
Local Department of Social Services or Child Protective Services Hotline
Timeline
Immediately / as soon as possible
Penalty for failure
Fine only for first offense; Class 1 misdemeanor for subsequent offenses
Immunity provision
Good faith reporters immune from civil and criminal liability under VA Code 63.2-1512
Mandated reporters
Physicians, nurses, and all healthcare professionals
Report to
Adult Protective Services, local Department of Social Services
Timeline
Immediately / as soon as possible
Penalty for failure
Fine only for first offense; Class 1 misdemeanor for subsequent
Immunity provision
Good faith reporters immune from civil and criminal liability
Mandated reporters
Healthcare providers treating injuries from suspected criminal acts or domestic violence
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
Physicians, laboratories, and healthcare facility administrators
Report to
Virginia Department of Health, local health department
Timeline
Within 24 hours
Penalty for failure
Class 1 misdemeanor
Immunity provision
Good faith reporters immune from civil liability
Mandated reporters
All physicians and healthcare providers treating gunshot wounds or stab wounds
Report to
Local law enforcement or sheriff
Timeline
Immediately / as soon as possible
Penalty for failure
Class 3 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Stay compliant in Virginia
GuardWell tracks Virginia-specific breach deadlines, PDMP requirements, retention periods, and mandatory reporting obligations automatically.