Virginia Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Virginia.
Virginia healthcare practices operate under Va. Code §18.2-186.6, the Virginia data breach notification statute, which requires notice to affected residents and to the Office of the Attorney General without unreasonable delay, with no resident-count threshold for the Attorney General notice. The statute itself sets no day count; for a HIPAA covered entity, the HIPAA Breach Notification Rule's outer limit of 60 calendar days after discovery (45 CFR 164.404) governs the same incident and is the practical ceiling. Virginia was the second state, after California, to enact a comprehensive consumer-data-protection statute, the Virginia Consumer Data Protection Act (VCDPA, Va. Code §59.1-575 et seq.), effective January 1, 2023. VCDPA's HIPAA exemption is entity-level: a covered entity or business associate is outside the Act for all of its data, not only PHI, and VCDPA's definition of consumer excludes people acting in an employment context, so employee data is never in scope. VCDPA reaches a healthcare organization through affiliates that are neither covered entities nor business associates (a for-profit marketing arm, a direct-to-consumer wellness app, a website-analytics operation run outside the covered entity) when they meet the Act's thresholds: personal data of at least 100,000 Virginia consumers in a year, or of at least 25,000 consumers with more than half of revenue from selling personal data. Civil penalties under §18.2-186.6 reach $150,000 per breach (or per series of similar breaches found in a single investigation), and VCDPA adds up to $7,500 per violation for non-exempt entities. Medical record retention under Board of Medicine regulation 18 VAC 85-20-26 is 6 years from the last patient encounter; a minor's records are kept until the patient turns 18 or is emancipated, and in any event for at least 6 years from the last encounter. The 6-year figure is often described as matching HIPAA, but HIPAA sets no medical-record retention period; its 6-year rule (45 CFR 164.316(b)(2)) covers HIPAA compliance documentation such as policies and risk analyses. Practices in Richmond, Virginia Beach, Norfolk, Arlington, and Alexandria should also account for the Virginia Prescription Monitoring Program (PMP) query mandate administered by the Virginia Department of Health Professions, and for VCDPA's data-subject-rights regime (access, deletion, correction, opt-out) wherever a non-exempt affiliate handles consumer data.
Breach Notification Rules
Notification deadline
Without unreasonable delay; 60 calendar days is the HIPAA ceiling
Va. Code §18.2-186.6 requires notice without unreasonable delay and states no day count; for a HIPAA covered entity, the HIPAA Breach Notification Rule's outer limit of 60 calendar days after discovery governs the same incident, so 60 days is the practical deadline. Notice may be delayed at the request of law enforcement. Both the Office of the Attorney General and affected Virginia residents must be notified.
AG notification threshold
All breaches
Notify: AG
Harm analysis required: notice is triggered when the breach causes, or the entity reasonably believes has caused or will cause, identity theft or another fraud to a Virginia resident; data that remains encrypted or redacted, with the key or method uncompromised, is outside the statute's definition of a breach
Penalty range
Up to $150,000 per breach, or per series of similar breaches discovered in a single investigation; VCDPA: up to $7,500 per violation for non-exempt entities, after written notice and an unused 30-day cure period
Enforcement Posture
Virginia is among the more active state enforcers of consumer data and healthcare breach rules. The Virginia Attorney General's Consumer Protection Section handles both Va. Code §18.2-186.6 breach cases and VCDPA enforcement, and the office is one of the few state AG offices with a dedicated cyber-enforcement unit. The Virginia Board of Medicine, Virginia Board of Pharmacy, and Virginia Board of Nursing run parallel licensure-discipline lanes. VCDPA enforcement is exclusive to the Virginia Attorney General (no private right of action), but the office has shown willingness to open compliance investigations even absent consumer complaints. Before the Attorney General can sue under VCDPA, the office must give written notice of the violation and a 30-day cure period; a violation that is cured within that window, with a written statement that it has been cured, ends the matter, and an uncured one exposes the controller or processor to an injunction and a civil penalty of up to $7,500 per violation. Because HIPAA covered entities and business associates are exempt from VCDPA as entities, that exposure belongs to a practice's non-exempt affiliates (for-profit marketing or consumer-app entities that meet VCDPA's thresholds), not to the covered entity itself.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 6 years | Last patient encounter |
| Minor patients | Until the patient turns 18 or is emancipated, and at least 6 years | Age of patient; last patient encounter |
Controlled-Substance Prescription Monitoring (Virginia PMP)
The Virginia PMP is administered by the Virginia Department of Health Professions and accessed at virginia.pmpaware.net. The query mandate in Va. Code §54.1-2522.1 is trigger-based rather than a check before every controlled-substance prescription: a prescriber must query the PMP when initiating a new course of treatment with an opioid expected, at the outset, to last more than 7 consecutive days, and the Board of Medicine's opioid prescribing regulations (18VAC85-21) require further checks during ongoing opioid treatment; the current statute text should be consulted for the full list of triggering drugs. Queries may be delegated to an authorized delegate registered with the program, but the prescriber remains responsible for reviewing the result. Exemptions include hospice and palliative care, cancer treatment, short post-surgical supplies (≤14 days), short emergency-department supplies (≤3 days), and administration during inpatient hospital or long-term care. Penalties include licensing-board discipline, civil penalties up to $5,000, and possible criminal charges for willful noncompliance.
Check required
When initiating a new course of opioid treatment expected to exceed 7 consecutive days (Va. Code §54.1-2522.1), plus checks required by the Board of Medicine opioid-prescribing regulations (18VAC85-21)
Check frequency
At initiation of treatment; repeated during ongoing opioid treatment as 18VAC85-21 requires
Delegation allowed
Penalty range
Licensing board discipline; civil penalties up to $5,000; possible criminal charges for willful noncompliance
Exemptions
Hospice patients, cancer treatment, ≤14 day supply post-surgical, ≤3 day supply in ER, inpatient hospital or long-term care administration
How Virginia Rules Hit by Specialty
Telehealth providers
Virginia regulates telehealth under Va. Code §54.1-2939 et seq. and requires out-of-state telehealth providers to obtain a Virginia license to practice with Virginia residents. A telehealth provider that is a HIPAA covered entity is exempt from VCDPA for all of its data, including marketing lists and website analytics. A separate telehealth platform or marketing entity that is neither a covered entity nor a business associate, and that meets VCDPA's volume thresholds, is in scope and must honor VCDPA data-subject requests for the consumer data it collects.
Behavioral health
Virginia behavioral-health providers face 42 CFR Part 2, HIPAA, and Virginia Department of Behavioral Health and Developmental Services licensing requirements. Part 2's consent and redisclosure rules for substance use disorder records are stricter than HIPAA's, so a breach or disclosure analysis has to be run under both. The Community Services Board (CSB) network creates additional data-sharing and documentation obligations for Medicaid-participating providers. VCDPA does not reach a behavioral-health entity that is a HIPAA covered entity; it applies only to a non-exempt affiliate that meets the Act's thresholds.
Hospital systems
Virginia hospitals operate under the §18.2-186.6 breach rules and HIPAA for breaches of patient data. VCDPA's reach into a hospital system depends on entity structure: the hospital as a HIPAA covered entity is exempt for all of its data, nonprofit affiliates (including a nonprofit foundation holding donor data) are exempt as nonprofits, and employee data falls outside VCDPA's definition of consumer. A for-profit affiliate that is neither a covered entity nor a business associate (a consumer-app or marketing subsidiary, for example) can be in scope if it meets VCDPA's volume thresholds. The Virginia Department of Health licenses hospitals with parallel inspection authority over records-management practices.
Mandatory Reporting Obligations
Child abuse and neglect
Mandated reporters
Physicians, nurses, dentists, psychologists, social workers, and all healthcare professionals acting in a professional capacity (Va. Code §63.2-1509)
Report to
Local Department of Social Services or the statewide Child Protective Services hotline
Timeline
As soon as possible, and no longer than 24 hours after having reason to suspect abuse or neglect
Penalty for failure
Fine of up to $500 for a first failure and at least $1,000 for each subsequent failure; a knowing and intentional failure to report suspected sexual abuse is a Class 1 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability under Va. Code §63.2-1512
Adult abuse, neglect, and exploitation
Mandated reporters
Physicians, nurses, and other licensed healthcare practitioners acting in a professional capacity (Va. Code §63.2-1606)
Report to
Adult Protective Services at the local Department of Social Services, or the statewide APS hotline
Timeline
Immediately upon having reason to suspect abuse, neglect, or exploitation
Penalty for failure
Fine of up to $500 for a first failure and $100 to $1,000 for each subsequent failure
Immunity provision
Good faith reporters immune from civil and criminal liability under Va. Code §63.2-1606
Injuries from suspected criminal acts, including domestic violence
Mandated reporters
Healthcare providers treating injuries from suspected criminal acts or domestic violence
Report to
Local law enforcement
Timeline
Immediately / as soon as possible
Immunity provision
Good faith reporters immune from civil liability
Communicable diseases and conditions
Mandated reporters
Physicians, directors of laboratories, and healthcare facility administrators (12VAC5-90, Regulations for Disease Reporting and Control)
Report to
Local health department of the Virginia Department of Health
Timeline
Immediately, by the most rapid means available, for rapid-reporting conditions; within 3 days for other reportable conditions
Penalty for failure
Class 1 misdemeanor for willful violation of Board of Health regulations (Va. Code §32.1-27)
Immunity provision
Good faith reporters immune from civil liability
Gunshot and stab wounds
Mandated reporters
All physicians and other persons rendering medical care for a gunshot wound, or for a wound from a knife or other sharp instrument that appears to result from a criminal act (Va. Code §54.1-2967)
Report to
Sheriff or chief of police of the locality where treatment is rendered
Timeline
As soon as practicable
Penalty for failure
Class 3 misdemeanor
Immunity provision
Good faith reporters immune from civil and criminal liability
Virginia Compliance FAQs
VCDPA (Va. Code §59.1-575 et seq.) exempts HIPAA covered entities and business associates at the entity level, so a covered practice is outside the Act for all of its data, not only PHI; PHI is separately exempt as data wherever it sits. The Act also excludes employee data (its definition of consumer covers people acting only in an individual or household context) and exempts nonprofit organizations. It can reach a healthcare organization through an affiliate that is none of these, such as a for-profit marketing arm or direct-to-consumer app, if that affiliate processes personal data of at least 100,000 Virginia consumers in a year, or of at least 25,000 consumers while earning more than half of its revenue from selling personal data. Practices should map their entities and data flows to identify which data is governed by HIPAA and whether any non-exempt affiliate crosses VCDPA's thresholds.
Va. Code §18.2-186.6 requires notice of a breach of personal information to affected Virginia residents and to the Office of the Attorney General without unreasonable delay; the statute states no day count, and notice may be delayed at the request of law enforcement. For a HIPAA covered entity, the HIPAA Breach Notification Rule's outer limit of 60 calendar days after discovery governs the same incident, so 60 days is the practical ceiling. There is no resident-count threshold for Attorney General notification under the Virginia statute: every reportable breach reaches the Attorney General.
VCDPA grants consumers data-subject rights (access, deletion, correction, portability, and opt-out of targeted advertising, sale of personal data, and certain profiling) over personal data held by non-exempt controllers, with a 45-day response deadline extendable once by a further 45 days. HIPAA grants patients access, amendment, and accounting-of-disclosures rights over PHI. The two regimes do not overlap for a covered entity: the entity is exempt from VCDPA, and PHI is exempt as data regardless of who holds it. A non-exempt affiliate that runs website analytics, a marketing CRM, or a consumer app must honor VCDPA requests for the consumer data it controls.
18 VAC 85-20-26 requires practitioners to keep patient records for at least 6 years after the last patient encounter. Records of a minor are kept until the patient turns 18 or is emancipated, and in any event for at least 6 years after the last encounter. HIPAA sets no medical-record retention period; its 6-year rule (45 CFR 164.316(b)(2)) applies to HIPAA compliance documentation, and contractual obligations or other federal requirements can require records to be kept longer than the Virginia floor.
The Virginia Attorney General's Consumer Protection Section enforces both Va. Code §18.2-186.6 (civil penalty up to $150,000 per breach, or per series of similar breaches found in a single investigation) and VCDPA (injunction and up to $7,500 per violation, after written notice and an unused 30-day cure period). The Virginia Board of Medicine, Board of Pharmacy, and Board of Nursing can pursue parallel licensure discipline.
Guides & Articles
Neighboring State Compliance Guides
MD
Maryland
45-day breach · 5-yr retention
WV
West Virginia
Expedient breach notice · 10-yr retention
KY
Kentucky
Expedient breach notice · 5-yr retention
TN
Tennessee
60-day breach · 10-yr retention
NC
North Carolina
Expedient breach notice · 11-yr retention
DC
District of Columbia
Expedient breach notice · 3-yr retention
Stay audit-ready in Virginia
GuardWell tracks Virginia-specific breach deadlines, retention periods, Virginia PMP queries, and mandatory reporting obligations automatically.
