Medical Office Compliance Quick Guide

Access essential compliance resources, best practices, and guidelines to help your medical office stay aligned with HIPAA, billing regulations, and industry standards.

Jump to your state

Alabama
Alaska
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Iowa
Kansas
Kentucky
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Mississippi
Missouri
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New Mexico
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Rhode Island
South Carolina
South Dakota
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming

State-by-State Medical Compliance Resources

Each state directory is designed to help medical offices, billing teams, and administrators stay compliant with local and federal regulations. Explore state-specific Medicaid requirements, payer policies, documentation standards, and compliance guidelines to reduce risk, avoid penalties, and ensure smooth operations.

Alabama Medical Office Compliance

Records retention: Adults 7 years; minors 2 years after majority or 7 years from last contact, whichever is longer.
Surprise billing: Alabama mainly relies on federal No Surprises Act protections; see Alabama DOI guidance.
Telehealth: No general private-payer payment parity law; Alabama Medicaid allows audio-only and pays approved telehealth at parity.
Workers’ comp: Fee schedules are posted by the Alabama Department of Labor; professional claims commonly use CMS-1500.
Data breach: Notify without unreasonable delay and within 45 days; notify the AG if more than 1,000 residents are affected.

Stay compliant in Alabama

Alaska Medical Office Compliance

Records retention: Hospitals generally retain patient-care records 7 years after discharge; physician offices should also follow board closure/transfer guidance.
Surprise billing: Alaska mainly relies on federal No Surprises Act protections; see Alaska DOI guidance for covered situations.
Telehealth: Commercial plans must cover telehealth; no general private pay-parity law. Alaska Medicaid pays covered telehealth like in-person, including telephone.
Workers’ comp: Alaska posts its Workers’ Comp medical fee schedules online; physician services may be billed on CMS-1500 or 837P.
Data breach: Notify affected residents in the most expeditious time possible and without unreasonable delay; AG notice applies to certain no-harm determinations.

Stay compliant in Alaska

Arizona Medical Office Compliance

Records retention: Adults 6 years; minors 3 years after age 18 or 6 years after last service, whichever is longer.
Surprise billing: Arizona has a state surprise out-of-network dispute process; federal No Surprises Act rules also apply in covered cases.
Telehealth: Commercial plans cover telehealth and generally pay equivalent services at the same level; audio-only is allowed when video is not reasonably available.
Workers’ comp: Arizona’s Industrial Commission posts physician fee schedules online; billing must follow Commission-prescribed workers’ comp forms and codes.
Data breach: Notify affected individuals within 45 days; notify the Arizona AG if more than 1,000 residents are affected.

Stay compliant in Arizona

Arkansas Medical Office Compliance

Records retention: Medical records 10 years after last discharge; minors 2 years after age of majority.
Surprise billing: Arkansas primarily applies the federal No Surprises Act, with state implementation and enforcement support for covered disputes.
Telehealth: Private plans cannot impose higher telehealth cost-sharing; Arkansas law recognizes real-time audio-only telemedicine in certain cases.
Workers’ comp: The AWCC posts medical fee schedules online; use Commission workers’ comp forms and billing resources as applicable.
Data breach: Notify without unreasonable delay; report to the Arkansas AG when more than 1,000 individuals are affected in reportable cases.

Stay compliant in Arkansas

California Medical Office Compliance

Records retention: At least 7 years after discharge; unemancipated minors at least 1 year after age 18, and never less than 7 years.
Surprise billing: California AB 72 protects many non-emergency services at contracting facilities; federal No Surprises Act protections also apply.
Telehealth: California has private-payer payment parity; Medi-Cal reimburses covered audio-only telehealth when program rules are met.
Workers’ comp: California DWC posts the OMFS online; paper professional workers’ comp bills generally use the CMS-1500 form.
Data breach: Notify affected persons in the most expedient time possible without unreasonable delay; submit a sample notice to the AG if more than 500 residents are affected.

Stay compliant in California

Colorado Medical Office Compliance

Records retention: Colorado Medical Board guidance recommends 7 years after last treatment; minors 7 years after turning 18.
Surprise billing: Colorado has state surprise-billing protections for covered care; federal No Surprises Act protections also apply.
Telehealth: Colorado requires commercial coverage parity; Health First Colorado covers telemedicine, including some audio-only services.
Workers’ comp: CDLE posts Rule 18 medical fee schedules online; professional workers’ comp billing commonly uses CMS-1500.
Data breach: Notify affected residents within 30 days; notify the Colorado AG if 500+ Colorado residents are affected.

Stay compliant in Colorado

Connecticut Medical Office Compliance

Records retention: Keep medical records 7 years from last treatment, or 3 years after death.
Surprise billing: Connecticut bans many surprise bills for emergency and certain non-emergency out-of-network services; federal protections also apply.
Telehealth: Connecticut maintains payment parity for many telehealth services and permits audio-only telehealth in defined circumstances.
Workers’ comp: The WCC posts official practitioner fee schedules and forms online for Connecticut workers’ compensation billing.
Data breach: Notify affected residents and the Connecticut AG not later than 60 days after discovery.

Stay compliant in Connecticut

Delaware Medical Office Compliance

Records retention: Physicians generally retain records 7 years from the date of the last entry.
Surprise billing: Delaware mainly follows federal No Surprises Act protections; state DOI guidance supports implementation and enforcement.
Telehealth: Delaware requires telehealth coverage parity, and telemedicine may include audio-only when video is not available.
Workers’ comp: Delaware posts workers’ comp fee schedules online; professional billing commonly uses the CMS-1500 form.
Data breach: Notify affected residents without unreasonable delay and no later than 60 days; notify DOJ if 500+ residents are affected.

Stay compliant in Delaware

Florida Medical Office Compliance

Records retention: Physicians generally retain records at least 5 years from last patient contact; longer retention may be prudent for minors.
Surprise billing: Florida has state balance-billing protections for certain Florida-issued plans, and federal No Surprises Act rules also apply.
Telehealth: No general Florida payment-parity law; Florida Medicaid supports telehealth by phone, tablet, or computer, but simple telephone-only billing is limited.
Workers’ comp: Florida DFS posts workers’ comp reimbursement manuals and fee schedules online; provider medical billing rules apply to professional claims.
Data breach: Notify affected individuals as expeditiously as practicable, no later than 30 days; notify Florida Legal Affairs if 500+ residents are affected.

Stay compliant in Florida

Georgia Medical Office Compliance

Records retention: Providers generally retain key patient records at least 10 years from creation; hospitals follow separate hospital-retention rules.
Surprise billing: Georgia’s Surprise Billing Consumer Protection Act applies in covered cases; federal No Surprises Act protections may also apply.
Telehealth: No broad private-payer payment parity; Georgia law recognizes telehealth broadly, but standard telephone alone is not telemedicine.
Workers’ comp: Georgia SBWC posts medical fee schedules online; workers’ comp claims and disputes commonly use Board forms such as WC-14.
Data breach: Notify affected individuals without unreasonable delay; if 10,000+ residents are affected, also notify nationwide consumer reporting agencies.

Stay compliant in Georgia

Hawaii Medical Office Compliance

Records retention: Keep records at least 7 years after last entry; minors’ records during minority plus 7 years after majority.
Surprise billing: Hawaii mainly relies on federal No Surprises Act protections; check Hawaii Insurance Division resources for plan-specific rules.
Telehealth: Hawaii has payment parity; audio-only reimbursement is allowed in defined circumstances and is currently extended through Dec. 31, 2027.
Workers’ comp: Hawaii workers’ comp fee schedules are tied to Hawaii Medicare-based rates plus the supplemental medical fee schedule.
Data breach: Notify affected individuals following discovery without unreasonable delay; Hawaii’s general law does not set a fixed-day deadline.

Stay compliant in Hawaii

Idaho Medical Office Compliance

Records retention: Idaho has no single statewide physician-office rule; hospitals generally retain patient-care records 10 years, with some subrecords shorter.
Surprise billing: Idaho mainly relies on federal No Surprises Act protections; see Idaho DOI provider resources and disclosure guidance.
Telehealth: No general Idaho payment-parity rule identified; Idaho Medicaid/provider guidance supports virtual care, but audio-only coverage varies by program.
Workers’ comp: Idaho Industrial Commission posts the medical fee schedule online; professional workers’ comp claims commonly use CMS-1500.
Data breach: Idaho requires notice in the most expedient time possible and without unreasonable delay; AG notice is permitted, not generally mandatory.

Stay compliant in Idaho

Illinois Medical Office Compliance

Records retention: Hospitals must preserve medical records at least 10 years; many physician practices use a similar baseline and extend for minors.
Surprise billing: Illinois expanded state surprise-billing protections to align with federal No Surprises Act requirements in covered situations.
Telehealth: Illinois requires payment parity for many telehealth services through Jan. 1, 2028; Illinois Medicaid also allows audio-only in appropriate cases.
Workers’ comp: The IWCC posts medical fee schedules and billing guidance online; professional workers’ comp bills commonly use CMS-1500.
Data breach: Notify affected Illinois residents in the most expedient time possible and without unreasonable delay; additional AG/media notice may apply.

Stay compliant in Illinois

Indiana Medical Office Compliance

Records retention: Indiana Medicaid providers must retain supporting medical records 7 years from the date of service; many offices use 7 years as baseline.
Surprise billing: Indiana mainly points providers and patients to federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: No broad Indiana commercial payment-parity rule identified; Indiana Medicaid covers select telehealth services, with some audio-only codes allowed.
Workers’ comp: Indiana workers’ comp provider resources and fee-dispute forms are posted online; professional billing commonly uses CMS-1500.
Data breach: Indiana requires notice to affected residents without unreasonable delay; businesses must also notify the Attorney General after a reportable breach.

Stay compliant in Indiana

Iowa Medical Office Compliance

Records retention: Physicians retain records at least 7 years from last service; minors follow Iowa Code section 614.8.
Surprise billing: Iowa mainly relies on federal No Surprises Act protections; see Iowa Insurance Division guidance.
Telehealth: No broad private-payer parity rule identified; Iowa Medicaid supports telehealth, including audio-only visits by telephone.
Workers’ comp: Iowa workers’ comp disputes are filed through eFlex; use current Iowa DWC medical billing and fee resources.
Data breach: Notify consumers without unreasonable delay; notify the Iowa AG within 5 business days if 500+ residents are affected.

Stay compliant in Iowa

Kansas Medical Office Compliance

Records retention: Physicians generally retain patient records at least 10 years from the date of service.
Surprise billing: Kansas mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: Kansas requires coverage of covered telemedicine services; payment may be set like in-person reimbursement.
Workers’ comp: Kansas posts its medical fee schedule online; billing disputes are handled through the OSCAR system.
Data breach: Notify affected residents without unreasonable delay and as soon as possible; notify nationwide CRAs if 1,000+ notices issue.

Stay compliant in Kansas

Kentucky Medical Office Compliance

Records retention: Kentucky hospitals retain records 6 years from discharge; minors 3 years after majority, whichever is longer.
Surprise billing: Kentucky mainly points patients and plans to federal No Surprises Act protections for covered surprise bills.
Telehealth: Kentucky has commercial payment parity; audio-only encounters are recognized, and Medicaid reimburses covered telehealth with modality limits.
Workers’ comp: Kentucky’s physician fee schedule is reviewed every 2 years; use DWC forms and current medical-fee resources.
Data breach: Notify affected Kentucky residents in the most expedient time possible and without unreasonable delay.

Stay compliant in Kentucky

Louisiana Medical Office Compliance

Records retention: Physicians retain records at least 6 years from last treatment; diagnostic images generally 3 years, unless longer requested.
Surprise billing: Louisiana has state balance-billing disclosure rules, but many surprise-bill protections still flow through the federal No Surprises Act.
Telehealth: No broad general private-payer payment-parity rule identified; Louisiana authorizes telehealth, and Medicaid covers defined telehealth and remote monitoring services.
Workers’ comp: OWCA maintains the workers’ comp medical reimbursement schedule; professional claims commonly use HCFA-1500/CMS-1500 billing.
Data breach: Notify affected residents without unreasonable delay and no later than 60 days; notify the AG within 10 days after resident notice.

Stay compliant in Louisiana

Maine Medical Office Compliance

Records retention: No single statewide physician-office term found; hospitals generally retain records 7 years from discharge under licensing rules.
Surprise billing: Maine prohibits balance billing for surprise bills and many out-of-network emergency services, with patient cost-sharing limited to in-network amounts.
Telehealth: Maine requires telehealth coverage parity; MaineCare covers many telehealth visits, including phone visits where program rules allow.
Workers’ comp: Maine WCB posts medical fee schedules and provider billing resources online; board forms are also maintained centrally.
Data breach: Notify affected persons as expediently as possible and no later than 30 days; notify consumer reporting agencies if 1,000+ notices issue.

Stay compliant in Maine

Maryland Medical Office Compliance

Records retention: Adults 7 years after record creation; minors until age 18 plus 7 years.
Surprise billing: Maryland applies federal No Surprises Act protections to state-regulated carriers and directs consumers to NSA guidance.
Telehealth: Maryland permanently includes audio-only in telehealth and requires same-basis, same-rate reimbursement for covered telehealth services.
Workers’ comp: Maryland WCC posts the Medical Fee Guide online; provider medical claims use Form C-51 and CMS-1500 resources.
Data breach: Notify affected individuals as soon as reasonably practicable, but no later than 45 days; notify the Maryland AG before consumer notice.

Stay compliant in Maryland

Massachusetts Medical Office Compliance

Records retention: Physicians retain records 7 years from last encounter, or until patient reaches age 9 if longer.
Surprise billing: Massachusetts mainly points providers to federal No Surprises Act requirements and required consumer disclosures.
Telehealth: No broad permanent private-payer parity identified; MassHealth pays covered telehealth, including audio-only, at parity.
Workers’ comp: Massachusetts DIA posts workers’ comp medical rates online; follow current DIA medical billing guidance.
Data breach: Notify affected residents, OCABR, and the Attorney General as soon as practicable after a reportable breach.

Stay compliant in Massachusetts

Michigan Medical Office Compliance

Records retention: Patient records generally must be kept at least 7 years; certain MRI and mammography records 15 years.
Surprise billing: Michigan has its own surprise medical billing law; self-funded employer plans usually fall under federal NSA rules.
Telehealth: Michigan now has telehealth payment parity; Medicaid covers telemedicine, including approved audio-only services.
Workers’ comp: Michigan WDCA posts health care services fee schedules and manuals online for workers’ comp billing.
Data breach: Notify affected residents without unreasonable delay unless the breach is unlikely to cause substantial harm.

Stay compliant in Michigan

Minnesota Medical Office Compliance

Records retention: Hospital core records are permanent; other record portions 7 years, and minors’ records at least until majority.
Surprise billing: Minnesota prohibits balance billing in key NSA-covered situations, including certain facility-based and emergency services.
Telehealth: Minnesota requires telehealth coverage parity; audio-only policy has been temporary, so verify current payer program rules.
Workers’ comp: Minnesota DLI posts workers’ comp medical fee schedules online, including RBRVS professional-service reimbursement tables.
Data breach: Businesses must notify affected residents following discovery; Minnesota’s private-sector law sets no fixed-day deadline.

Stay compliant in Minnesota

Mississippi Medical Office Compliance

Records retention: Beginning Jan. 1, 2026, physicians retain records 10 years from the date the patient was last treated.
Surprise billing: Mississippi mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: No broad private-payer parity rule identified; Mississippi Medicaid covers telemedicine, including real-time audio and/or visual communication.
Workers’ comp: MWCC posts the medical fee schedule online; professional workers’ comp billing commonly uses CMS-1500.
Data breach: Notify affected residents without unreasonable delay; Mississippi law does not set a fixed-day deadline.

Stay compliant in Mississippi

Missouri Medical Office Compliance

Records retention: Physicians retain patient records at least 7 years from the date of the last professional service.
Surprise billing: Missouri mainly follows federal No Surprises Act protections and provides a state external arbitration path for out-of-network surprise bills.
Telehealth: Missouri Medicaid covers telemedicine and telehealth; audio-only is included in the state’s telemedicine definition.
Workers’ comp: Missouri DWC provides healthcare-provider billing resources and medical-fee guidance for workers’ compensation claims.
Data breach: Notify affected individuals without unreasonable delay; Missouri law does not impose a fixed-day outer deadline.

Stay compliant in Missouri

Montana Medical Office Compliance

Records retention: No broad statewide physician-office retention term identified; Montana law expressly requires keeping records during access, amendment, and disclosure periods.
Surprise billing: Montana mainly points providers and patients to federal No Surprises Act protections for covered surprise-billing situations.
Telehealth: No general private-payer payment parity rule identified; Montana Medicaid posts telehealth reimbursement policy and audio-only billing updates.
Workers’ comp: Montana posts workers’ comp fee schedules online; payers use the applicable schedule and instruction set by date of service.
Data breach: Notify affected residents following discovery; Montana law does not set a fixed-day deadline or general AG-notice trigger.

Stay compliant in Montana

Nebraska Medical Office Compliance

Records retention: Nebraska has no general statewide physician-record retention period; set and follow a written retention policy.
Surprise billing: Nebraska mainly relies on the federal No Surprises Act, with added state protection for out-of-network emergency care.
Telehealth: Nebraska requires telehealth reimbursement parity; audio-only is expressly included for established-patient behavioral health and crisis services.
Workers’ comp: Nebraska Workers’ Compensation Court posts medical fee schedules online; professional paper billing commonly uses CMS-1500.
Data breach: Notify affected residents as soon as possible and without unreasonable delay; notify the Nebraska AG no later than resident notice.

Stay compliant in Nebraska

Nevada Medical Office Compliance

Records retention: Custodians of health care records generally retain records 5 years after receipt or production.
Surprise billing: Nevada has its own balance-billing protections; federal law also applies, and stricter Nevada payment rules can control.
Telehealth: Nevada requires telehealth coverage parity and reimbursement parity for certain services; standard telephone alone is generally excluded.
Workers’ comp: Nevada DIR posts the annual medical fee schedule online; workers’ comp providers also use Form D-35 and bill-appeal forms.
Data breach: Notify consumers in the most expedient time possible and without unreasonable delay; Nevada sets no fixed-day deadline.

Stay compliant in Nevada

New Hampshire Medical Office Compliance

Records retention: Board rules require retaining patient medical records at least 7 years from the patient’s last contact.
Surprise billing: New Hampshire now aligns state law with the federal No Surprises Act and offers a state IDR path.
Telehealth: New Hampshire requires telehealth coverage parity and reimburses all telehealth modes, including video, audio, and audio-only.
Workers’ comp: New Hampshire DOL posts workers’ comp forms online; providers must submit the NH Workers’ Compensation Medical Form.
Data breach: Notify affected individuals as quickly as possible; notify the regulator or New Hampshire AG with the expected notice date and count.

Stay compliant in New Hampshire

New Jersey Medical Office Compliance

Records retention: Physicians must maintain treatment records 7 years from the date of the most recent entry.
Surprise billing: New Jersey has its own out-of-network consumer protection law; federal No Surprises Act protections also apply.
Telehealth: Covered telehealth is reimbursed on the same basis as in-person care; audio-only is allowed, but physical-health audio-only parity is limited.
Workers’ comp: New Jersey posts medical fee schedules online through NJDOBI; use current state workers’ comp billing resources and forms.
Data breach: Notify affected residents without unreasonable delay and report qualifying breaches to New Jersey State Police.

Stay compliant in New Jersey

New Mexico Medical Office Compliance

Records retention: Retain records at least 2 years beyond insurance, Medicare, or Medicaid requirements; minors at least 2 years past age 18.
Surprise billing: New Mexico has state surprise-billing rules for regulated plans; federal No Surprises Act protections may also apply.
Telehealth: New Mexico parity laws require reimbursement for covered telemedicine like in-person care; Medicaid audio-only is now mainly behavioral-health focused.
Workers’ comp: The WCA posts its Health Care Provider Fee Schedule and Billing Instructions online for current workers’ comp billing.
Data breach: Notify affected residents within 45 days; notify the AG and major consumer reporting agencies if 1,000+ residents are affected.

Stay compliant in New Mexico

New York Medical Office Compliance

Records retention: Retain records at least 6 years after last service; minors at least 3 years after age 18 if longer.
Surprise billing: New York has longstanding surprise-bill protections for emergency and certain out-of-network facility-based services.
Telehealth: New York requires telehealth coverage and same-rate reimbursement for covered services; Medicaid includes audio-only telehealth.
Workers’ comp: New York workers’ comp uses the CMS-1500 universal billing form; electronic CMS-1500 submission is now required.
Data breach: Notify affected residents and also notify the NY Attorney General, State Police, and Division of Consumer Protection.

Stay compliant in New York

North Carolina Medical Office Compliance

Records retention: No fixed statewide physician term; hospitals keep adult records 11 years after discharge, minors until age 30.
Surprise billing: North Carolina mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: No broad statewide payment-parity rule identified; NC Medicaid covers telehealth, virtual communications, and some audio-only services.
Workers’ comp: NCIC posts the medical fee schedule online; professional bills use HCFA/CMS-1500-based workers’ comp billing requirements.
Data breach: Notify affected residents without unreasonable delay; North Carolina law does not set a fixed-day deadline.

Stay compliant in North Carolina

North Dakota Medical Office Compliance

Records retention: Physicians retain records at least 7 years from the last date of service.
Surprise billing: North Dakota mainly relies on federal No Surprises Act protections; see Insurance Department guidance for covered cases.
Telehealth: Coverage parity applies; North Dakota Medicaid allows audio-only telehealth when video is unavailable and documented.
Workers’ comp: WSI posts fee schedules online; professional billing commonly uses CMS-1500 or electronic 837P submission.
Data breach: Notify residents without unreasonable delay; notify the Attorney General if the breach exceeds 250 individuals.

Stay compliant in North Dakota

Ohio Medical Office Compliance

Records retention: No single universal physician-retention rule identified; Ohio record-retention requirements vary by provider type and setting.
Surprise billing: Ohio has its own surprise-billing law limiting patient cost-sharing to in-network amounts in covered cases.
Telehealth: Ohio permits telehealth broadly; Ohio Medicaid includes covered telehealth services and allows some non-video modalities, including telephone.
Workers’ comp: Ohio BWC posts fee schedules online; professional workers’ comp billing commonly uses CMS-1500 or the C-19 service invoice.
Data breach: Notify affected Ohio residents without unreasonable delay if a qualifying breach creates material identity-theft or fraud risk.

Stay compliant in Ohio

Oklahoma Medical Office Compliance

Records retention: Medical records are generally retained 5 years after last visit; minors 3 years past majority.
Surprise billing: Oklahoma has no separate state surprise-billing law; federal No Surprises Act protections are the main rule.
Telehealth: Oklahoma has telehealth payment parity; Medicaid separates audio-only from telehealth and covers approved audio-only services.
Workers’ comp: Oklahoma WCC posts medical fee schedules online; professional claims commonly use the 1500/CMS-1500 format.
Data breach: Notify affected residents without unreasonable delay; AG notice is required if 500+ residents are affected.

Stay compliant in Oklahoma

Oregon Medical Office Compliance

Records retention: Oregon Medical Board advises keeping patient records at least 10 years after last patient contact.
Surprise billing: Oregon bans many surprise medical bills under state law and added protections starting January 1, 2022.
Telehealth: Oregon requires same reimbursement as in-person care; OHP covers video, phone, and online visits.
Workers’ comp: Oregon WCD posts fee schedules online; professional workers’ comp bills use CMS-1500 with supporting chart notes.
Data breach: Notify within 45 days; report to Oregon DOJ if more than 250 consumers are affected.

Stay compliant in Oregon

Pennsylvania Medical Office Compliance

Records retention: Physicians retain records 7 years from last service; minors until 1 year after majority.
Surprise billing: Pennsylvania mainly follows the federal No Surprises Act for covered surprise-billing situations.
Telehealth: Commercial plans must cover telemedicine under Act 42; Medicaid FFS pays parity, and audio-only remains allowed in some programs.
Workers’ comp: Pennsylvania posts workers’ comp fee schedules online; medical bills use HCFA-1500 or UB-92 successor forms.
Data breach: Notify affected residents without unreasonable delay; Pennsylvania law does not set a general fixed-day deadline.

Stay compliant in Pennsylvania

Rhode Island Medical Office Compliance

Records retention: Medical practices should store records at least 7 years after the most recent patient encounter.
Surprise billing: Rhode Island mainly relies on federal No Surprises Act protections; see OHIC and carrier balance-billing notices.
Telehealth: Rhode Island Medicaid allows telemedicine billing; check current RI Medicaid guidance for covered modalities and billing rules.
Workers’ comp: RI DLT posts the workers’ compensation medical fee schedule online; medical providers also use DWC medical forms.
Data breach: Notify affected persons and the Rhode Island AG within 45 days when more than 500 Rhode Islanders are affected.

Stay compliant in Rhode Island

South Carolina Medical Office Compliance

Records retention: Physicians retain adult records 10 years from last treatment; minors’ records follow separate longer-retention rules.
Surprise billing: South Carolina mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: No broad statewide private-payer parity rule identified; Medicaid has permanent telephonic and telehealth flexibilities in some programs.
Workers’ comp: The WCC posts medical fee schedules online; professional billing follows the Medical Services Provider Manual.
Data breach: Notify affected residents in the most expedient time possible and without unreasonable delay; no fixed-day deadline in general law.

Stay compliant in South Carolina

South Dakota Medical Office Compliance

Records retention: No single statewide physician-office term identified; licensed hospitals retain records at least 10 years from service.
Surprise billing: South Dakota mainly relies on federal No Surprises Act protections; see DOI consumer guidance for covered surprise bills.
Telehealth: South Dakota law authorizes telehealth broadly; Medicaid allows audio-only in qualifying cases and excludes originating-site fees for audio-only.
Workers’ comp: South Dakota DLR maintains workers’ comp rates, forms, and medical fee-schedule rule updates online.
Data breach: Notify affected persons no later than 60 days after discovery; also notify consumer reporting agencies when required.

Stay compliant in South Dakota

Tennessee Medical Office Compliance

Records retention: No single universal physician-office term found in current public Tennessee sources; verify specialty, facility, and payer-specific retention rules.
Surprise billing: Tennessee mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: Tennessee requires telehealth reimbursement consistent with in-person care for the same covered service; confirm payer rules for audio-only.
Workers’ comp: Tennessee posts its workers’ comp medical fee schedule online; follow the MFS handbook and current billing rules.
Data breach: Notify affected residents no later than 45 days after discovery or notice of a reportable breach.

Stay compliant in Tennessee

Texas Medical Office Compliance

Records retention: Physicians generally retain medical records at least 7 years from the last treatment date.
Surprise billing: Texas has its own balance-billing protections and IDR process; federal No Surprises Act protections also apply.
Telehealth: No broad commercial same-rate parity rule confirmed; Texas Medicaid covers telemedicine, telehealth, and some audio-only services.
Workers’ comp: Texas DWC posts medical fee guidelines online; professional workers’ comp reimbursement follows Chapter 134 methodologies.
Data breach: Report breaches affecting 250+ Texans to the AG within 30 days; affected consumers must also be notified.

Stay compliant in Texas

Utah Medical Office Compliance

Records retention: No single universal physician-office retention term was confirmed in current public Utah sources; follow provider-specific and federal program rules.
Surprise billing: Utah mainly points consumers and providers to federal No Surprises Act protections for covered surprise-billing situations.
Telehealth: Utah requires telehealth coverage parity and commercially reasonable reimbursement; verify current payer policy for audio-only services.
Workers’ comp: Utah Labor Commission annually sets medical fee standards online; providers also file Form 123 for initial work injuries.
Data breach: Notify affected residents without unreasonable delay; notify the AG and Utah Cyber Center if 500+ residents are affected.

Stay compliant in Utah

Vermont Medical Office Compliance

Records retention: No single universal physician-office term confirmed in current public Vermont sources; hospitals commonly use a 10-year baseline.
Surprise billing: Vermont mainly points patients and providers to federal No Surprises Act protections for covered surprise-billing situations.
Telehealth: Vermont keeps reimbursement parity for in-person, telemedicine, and audio-only telephone services under current law.
Workers’ comp: Vermont maintains a workers’ compensation medical fee schedule; professional workers’ comp billing commonly uses CMS-1500.
Data breach: Notify the Attorney General or DFR within 14 business days of discovery; consumer notice generally no later than 45 days.

Stay compliant in Vermont

Virginia Medical Office Compliance

Records retention: Keep records at least 6 years after last patient encounter; minors until age 18, with at least 6 years retention.
Surprise billing: Virginia has its own balance-billing protections for covered services, and federal No Surprises Act protections also apply.
Telehealth: Virginia requires coverage for telemedicine services; state law broadly includes telephone and audio-only modalities in telehealth definitions.
Workers’ comp: Virginia Workers’ Compensation Commission posts medical fee schedules online; professional workers’ comp billing commonly uses CMS-1500.
Data breach: Notify affected residents without unreasonable delay; if 1,000+ notices issue, also notify the Attorney General and nationwide CRAs.

Stay compliant in Virginia

Washington Medical Office Compliance

Records retention: No single universal physician-office term confirmed; Washington hospitals now retain medical records at least 26 years from creation.
Surprise billing: Washington’s Balance Billing Protection Act covers key emergency, facility-based, and certain ground ambulance surprise bills.
Telehealth: Washington requires telehealth reimbursement parity; audio-only is covered with an established relationship and advance billing consent.
Workers’ comp: L&I posts medical aid rules and fee schedules online; professional paper workers’ comp billing uses CMS-1500.
Data breach: Notify consumers within 30 days of discovery; Washington also requires Attorney General notice in covered private-sector breaches.

Stay compliant in Washington

West Virginia Medical Office Compliance

Records retention: West Virginia Board of Medicine guidance requires physicians to keep patient records at least 3 years after the last encounter.
Surprise billing: West Virginia mainly relies on federal No Surprises Act protections for covered emergency and facility-based out-of-network care.
Telehealth: West Virginia covers telehealth if in-person care is covered; audio-only is allowed, and reimbursement is negotiated with the payer.
Workers’ comp: West Virginia Insurance Commissioner posts the medical reimbursement schedule online; professional workers’ comp billing commonly uses CMS-1500.
Data breach: Notify affected residents following discovery if misuse causes or is likely to cause identity theft or fraud; no fixed-day deadline is stated.

Stay compliant in West Virginia

Wisconsin Medical Office Compliance

Records retention: Physicians and PAs retain patient records at least 5 years after the date of the last entry.
Surprise billing: Wisconsin mainly relies on federal No Surprises Act protections for covered emergency and in-network facility situations.
Telehealth: No general Wisconsin telehealth payment-parity law was confirmed; Wisconsin Medicaid supports telehealth by phone, computer, or tablet.
Workers’ comp: Wisconsin does not use a workers’ comp medical fee schedule; billing disputes go through DWD health cost dispute processes.
Data breach: Notify affected residents without unreasonable delay; notify nationwide consumer reporting agencies if 1,000+ notices are required.

Stay compliant in Wisconsin

Wyoming Medical Office Compliance

Records retention: No single universal physician-office retention term was confirmed in current public Wyoming primary sources; follow board, payer, and program rules.
Surprise billing: Wyoming mainly relies on federal No Surprises Act protections for covered surprise-billing situations.
Telehealth: Wyoming allows telehealth and recently expanded cross-state telehealth practice; verify payer rules for audio-only reimbursement.
Workers’ comp: Wyoming DWS posts workers’ comp fee schedules and provider bulletins online; use current Chapter 9 fee schedule guidance.
Data breach: Notify affected consumers following a reasonable, prompt investigation when misuse occurred or is reasonably likely; no fixed-day deadline is stated.

Stay compliant in Wyoming