Arizona Medical Records Retention Requirements: How Long to Keep Patient Records

Overview of Retention Laws in Arizona

Arizona sets baseline rules for how long you must keep patient charts through the Arizona Revised Statutes medical records provisions (A.R.S. 12-2291 to 12-2297). These laws apply to most licensed health care providers and facilities, and they work alongside any profession‑specific board rules and payer or accreditation requirements.

At a high level, state law requires you to maintain adult records for a defined minimum period and to keep minor records longer to account for the child reaching the age of majority. These requirements govern paper and electronic health records (EHRs), images, test results, operative notes, and other documentation created in the course of healthcare provider recordkeeping.

Federal rules do not replace Arizona’s timelines. HIPAA retention compliance focuses on keeping privacy and security documentation for six years, while Arizona law dictates how long to retain the clinical record itself. Always verify whether contracts, malpractice carriers, or specialty boards require longer-retention practices.

Retention Periods for Adult Medical Records

For adult patients, Arizona’s minimum standard is to retain medical records for at least six years after the last date of service. Each new encounter restarts the clock. The rule applies regardless of whether records are stored on paper, in an EHR, or in hybrid form.

Examples help clarify timing. If an adult was last seen on March 10, 2024, you must keep the chart until at least March 10, 2030. If the patient returns on May 2, 2026, the new minimum runs to May 2, 2032. Do not begin a destruction process while a litigation hold, audit, or investigation is reasonably anticipated or pending.

Although six years is the legal floor, many providers retain select information (for example, immunizations, implant data, or oncology summaries) longer for continuity of care. Longer retention is also common when payer contracts or specialty guidelines exceed the state minimums.

Retention Periods for Minor Patient Records

Arizona’s pediatric records retention law requires a longer window to account for the child reaching adulthood. You must keep a minor’s records for the later of: six years after the last date of service, or three years after the patient turns 18 (i.e., until at least age 21).

Here are two illustrations. If a teenager with a date of birth of September 15, 2010 was last seen on February 1, 2023, you would compare: six years after service (February 1, 2029) versus three years after turning 18 (September 15, 2031). You must keep the record until at least September 15, 2031. If a patient’s last visit occurs after the 18th birthday, apply the adult rule from that final visit date.

Keep in mind that schools, camps, and future care often require historical vaccine and problem lists. Even when the legal minimum is met, many practices preserve a concise summary (or ensure participation in an immunization registry) to support long-term patient record confidentiality Arizona and continuity of care.

Handling of Mental Health Records

Mental health record retention generally follows the same Arizona timelines noted above: adults for at least six years after the last visit, and minors until the later of six years post‑visit or age 21. However, mental health records carry additional confidentiality rules under Arizona law (Title 36) and, for substance use disorder programs, under federal 42 C.F.R. Part 2.

Psychotherapy notes (as defined by HIPAA) should be maintained separately from the rest of the designated record set and disclosed only with specific patient authorization or as otherwise permitted by law. When contracting with EHR vendors or shredding companies, ensure business associate agreements reflect heightened protections and clear instructions for mental health record retention and destruction.

Before releasing behavioral health information, verify the legal authority, scope of consent, and any redisclosure limits. For blended records, consider segmenting sensitive components to minimize over‑disclosure while still meeting care and legal obligations.

Compliance with HIPAA and Arizona Regulations

HIPAA does not set a national medical-record lifetime, but it does require you to keep required privacy and security documentation—such as policies and procedures, risk analyses, breach logs, notices of privacy practices, and workforce training records—for at least six years from the date of creation or last effective date. That is separate from Arizona’s clinical record timeframes.

To stay compliant: align your written retention schedule with Arizona Revised Statutes medical records timelines; apply the longer period when a federal program, contract, or licensing rule exceeds the state minimum; and document the business rationale for any extended retention. Maintain strict access controls, audit trails, and encryption to uphold patient record confidentiality Arizona throughout the record’s life cycle.

Build a clear pathway for patient access. Under HIPAA, patients generally must receive access or copies within 30 days (with one allowable 30‑day extension when necessary). Your process should explain what is available, how requests are verified, and applicable fees allowed by law.

Procedures for Record Disposal

When the retention period ends—and no legal hold or investigation applies—you may proceed with medical record destruction Arizona using methods that render information unreadable and irretrievable. Approved approaches include secure shredding, pulping, pulverizing, incineration for paper, and secure wipe or physical destruction for electronic media consistent with recognized standards (for example, NIST 800‑88 for media sanitization).

Establish a destruction protocol that covers: a pre‑destruction legal hold check; standardized destruction methods; supervision or vendor oversight; and permanent documentation. Your destruction log should capture the patient identifier, description of records, date, method, and the person or vendor responsible.

For EHRs, address archived data, backups, removable media, and data held by business associates. Contracts should spell out post‑contract data return and destruction, including timelines and confirmation of completion. Never dispose of records if you reasonably anticipate a claim, audit, or subpoena.

Best Practices for Medical Record Management

• Create a single, written retention schedule that cites Arizona requirements and any applicable board, payer, or accreditation rules. Review it annually.
• Track the retention “start date” at each encounter to automate destruction eligibility and reduce errors.
• Segment and label sensitive content (for example, psychotherapy notes and substance use disorder information) to support precise disclosures.
• Use role‑based access, multifactor authentication, encryption at rest and in transit, and robust audit trails for end‑to‑end protection.
• Standardize scanning and data‑conversion quality checks so digital images are complete, legible, and indexed correctly before destroying originals.
• Train staff regularly on HIPAA retention compliance, identity verification, and patient communications about record access and availability.
• Plan for business continuity: maintain tested backups, disaster‑recovery procedures, and succession plans for provider retirement, sale, or closure.

Conclusion

In Arizona, the baseline is straightforward: keep adult records at least six years after the last visit and keep minor records until the later of six years post‑visit or age 21. Layer on stricter timelines if a board, payer, or contract requires more, and apply heightened safeguards for behavioral health information. A clear policy, strong security, and documented destruction complete a compliant, defensible program.

FAQs.

What is the minimum retention period for adult medical records in Arizona?

At least six years from the adult patient’s last date of service. Each new encounter restarts the six‑year clock, and you must extend retention if a legal hold, audit, or investigation applies.

How long must minor patient records be retained in Arizona?

You must keep a minor’s chart until the later of: six years after the last visit or three years after the patient turns 18 (i.e., until at least age 21). Choose the later date before considering destruction.

Are there special retention rules for mental health records?

Retention timeframes generally match the standard Arizona rules, but mental health and substance use disorder records are subject to stricter confidentiality and disclosure controls (including psychotherapy notes and, for SUD programs, 42 C.F.R. Part 2). Check any profession‑specific board or program rules that may require longer retention.

What are the legal requirements for disposing of medical records in Arizona?

After meeting the retention period and confirming no legal hold, you must use secure destruction methods that make information unreadable and irretrievable, keep a permanent destruction log, and ensure business associates follow the same standards for medical record destruction Arizona.