Arkansas Medical Records Retention Requirements: How Long Hospitals and Providers Must Keep Patient Records

Understanding Arkansas medical records retention requirements helps you protect patients, meet Healthcare Compliance expectations, and avoid costly gaps during audits or legal holds. This guide explains how long hospitals and providers must keep patient records and how to manage Patient Record Disposal securely under Arkansas Code Regulations and federal rules.

Hospital Record Retention Periods

For hospitals licensed in Arkansas, maintain a complete medical record for each inpatient and outpatient for a minimum of ten years after the date of last discharge or last encounter. Use “whichever is later” logic if multiple dates apply, and extend retention when a litigation hold, investigation, or Audit and Appeal Documentation is pending.

Scope of what to retain

• History and physicals, consents, operative and procedure reports, medication administration records, care plans, discharge summaries, and diagnostics (lab, radiology, EKGs, images, and tracings).
• Emergency department records and observation stays, even when the patient is not admitted.
• Amendments, late entries, and metadata necessary to show the record’s integrity.

When to keep records longer

• Open audits, payer appeals, quality investigations, or reported events.
• Ongoing treatment for chronic or high‑risk conditions (e.g., oncology, obstetrics).
• Federal program requirements (e.g., Medicare cost report support) with longer look‑back windows.

Document your hospital policy so it clearly states the adult baseline (10 years), extensions, and who authorizes exceptions. This clarity is essential for Healthcare Compliance.

Minor Patient Record Retention

For minors, retain the medical record until the patient reaches the age of majority plus at least two additional years, and never less than the standard adult baseline used by your facility. In practice, that means you should not destroy a pediatric record before both thresholds are met (age‑of‑majority plus the added years, and the facility’s adult minimum).

Special pediatric considerations

• Keep neonatal, obstetric/newborn, and immunization records long enough to support future care needs; many facilities align these with a longer internal standard.
• If abuse/neglect is suspected or reported, retain records in accordance with legal holds and protective‑services guidance.

Home Health Provider Requirements

Home health agencies should retain each clinical record for at least five years after discharge or death. For minors, keep the record at least five years beyond the age of majority. Maintain the plan of care, physician orders, visit notes, supervisory notes, medications, and outcome assessments in a manner that demonstrates a complete episode of care.

Program and payer overlays

• Extend retention to cover any open surveys, payer reviews, or appeals.
• Retain scheduling logs, visit verification, and billing support that substantiates claims for the entire look‑back period.

Physician Record Management

Arkansas physicians typically maintain adult patient records for at least seven years from the last date of service. For minors, retain records until at least two years after the patient reaches the age of majority, and not less than your adult baseline.

Continuity and practice transitions

• Adopt a written policy that designates the record custodian, specifies retention periods, and outlines secure Patient Record Disposal.
• When closing, relocating, or selling a practice, provide patients advance notice, offer copies, and document the transfer of custody.

HIPAA Compliance and Record Retention

HIPAA does not set a nationwide medical record retention period, but it does require you to keep Privacy Rule Documentation and Security Rule documentation for at least six years from the date of creation or the date last in effect, whichever is later.

Keep these for at least six years

• Policies and procedures, risk analyses, risk‑management plans, and security incident response records.
• Notices of Privacy Practices, acknowledgment forms (where used), and authorization forms.
• Business Associate Agreements and documentation of workforce training, sanctions, complaints, and complaint resolutions.
• Accounting of disclosures logs and records of access requests and amendments.

Align HIPAA’s six‑year rule with state retention timelines by keeping clinical records for the longer of the two and preserving compliance documentation long enough to prove your program’s effectiveness during audits.

Record Destruction Procedures

Create a written destruction policy that specifies what is destroyed, when, how, and by whom. Never destroy records subject to a legal hold, audit, or appeal. Maintain a permanent destruction log as part of your Audit and Appeal Documentation.

Secure Patient Record Disposal methods

• Paper: cross‑cut shredding, pulping, or incineration so PHI cannot be reconstructed.
• Electronic: cryptographic erasure, degaussing, or physical media destruction with certificates of destruction from vetted vendors.

What your destruction log should include

• Date and method of destruction; description of records with inclusive dates.
• Volume or unique identifiers; location; name/title of the person who authorized and witnessed destruction.
• Vendor name and certificate number (if applicable). Keep these records at least six years.

Master Patient Index Maintenance

The Master Patient Index (MPI) is the facility’s permanent directory of patients and must be retained indefinitely. It should uniquely identify each patient and link all encounters across time and settings.

Essential MPI elements and controls

• Unique medical record number, legal name, date of birth, sex, and key identifiers needed for matching.
• Policies for merges/unmerges, alias handling, and duplicate resolution with auditable change history.
• Access controls, routine data‑quality checks, and backup/restore procedures.

Key takeaways

• Hospitals: keep complete records at least 10 years; extend for legal or payer needs.
• Minors: retain until majority plus additional years and never less than the adult baseline.
• Home health: keep at least 5 years (longer if audits/appeals or program rules apply).
• Physicians: keep at least 7 years; longer for high‑risk care or unresolved issues.
• HIPAA: retain privacy/security documentation for at least 6 years.
• MPI: maintain permanently.

FAQs.

How long must Arkansas hospitals keep patient medical records?

Keep inpatient and outpatient hospital records for a minimum of ten years after the last discharge or encounter, and longer if an audit, appeal, investigation, or litigation hold is open. If the patient is a minor, follow the minor rule (age of majority plus additional years) and the ten‑year baseline—use whichever is longer.

What are the retention requirements for records of minor patients?

Retain records until the patient reaches the age of majority plus at least two additional years, and never less than your standard adult retention period. Do not destroy pediatric records while any audit, appeal, or legal hold is active.

How should home health providers manage medical record retention?

Maintain each home health clinical record for at least five years after discharge or death; for minors, keep it at least five years beyond the age of majority. Extend retention to cover payer look‑backs, surveys, and appeals, and keep HIPAA compliance documentation for six years.

What documentation does HIPAA require healthcare providers to retain?

HIPAA requires at least six years of Privacy Rule Documentation and Security Rule records, including policies and procedures, risk analyses, Business Associate Agreements, training and sanctions logs, complaints and resolutions, authorizations, NPPs, and accounting of disclosures. Keep these alongside your state‑mandated clinical record retention so you can prove compliance during audits and appeals.