Colorado Medical Records Retention Requirements: How Long Healthcare Providers Must Keep Patient Records


Kevin Henry

HIPAA

January 31, 2026


As of March 2026, Colorado’s legal retention requirements vary by practice setting. Use this guide to set a defensible record retention period, preserve records during disputes, plan for practice changes, and dispose of records securely while protecting patient confidentiality and healthcare compliance obligations.

Retention Period for Adult Patients

Physician offices and independent providers

For physicians and physician assistants, the Colorado Medical Board’s policy advises retaining adult patient records for a minimum of seven years after the last date of treatment. This Board policy is widely followed across outpatient practices as a baseline legal retention requirement. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

If you serve Health First Colorado (Medicaid), your provider agreement also requires you to keep records for at least seven years (or longer if another regulation or contract says so). ([hcpf.colorado.gov](https://hcpf.colorado.gov/gen-info-manual?utm_source=openai))

Hospitals and other licensed facilities

Colorado’s hospital licensure rules require hospitals to preserve adult medical records for ten years after the most recent patient care usage of the record. Freestanding centers governed under related chapters carry similar timelines within their specific licensing rules. ([law.cornell.edu](https://www.law.cornell.edu/regulations/colorado/title-6/agency-1011/division-1/chapter-04/part-10?utm_source=openai))

Practical pointers

  • Anchor your retention clock to the patient’s last date of treatment (or most recent “usage” in hospital settings).
  • Adopt a written records schedule that reflects the longest applicable rule (e.g., payer, facility, or contract) to streamline healthcare compliance.
  • Document exceptions and litigation holds so routine destruction never conflicts with legal retention requirements.

Retention Period for Minor Patients

Physician offices and independent providers

For minors treated in physician practices, retain records for seven years after the patient turns 18 (i.e., until at least age 25). ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

Hospitals and other licensed facilities

Hospital rules require preserving a minor’s records for the period of minority plus ten years—effectively until the patient reaches age 28 (or ten years after the most recent usage, whichever is later, depending on setting). ([regulations.justia.com](https://regulations.justia.com/states/colorado/1000/1011/rule-6-ccr-1011-1-chapter-20/section-6-ccr-1011-1-20-7/?utm_source=openai))

Practical pointers

  • Configure EHR retention logic to calculate “age 25” for office-based care and “age 28” for hospital-based care to avoid premature destruction.
  • Flag minors transitioning to adulthood so patient authorization and records transfer protocols are handled accurately at age 18.

Records Retention in Litigation or Investigation

When a lawsuit, subpoena, or Colorado Medical Board investigation is reasonably anticipated or active, pause any scheduled destruction and retain the affected records until the matter is fully resolved. This litigation hold applies even if it extends beyond your normal record retention period. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

Record the hold in your retention log, identify all systems and storage locations containing the patient’s protected health information, and notify any business associates to suspend destruction for implicated data sets to maintain patient confidentiality throughout the process.

Procedures on Discontinuation of Practice

Statutory duties

Colorado law requires a written plan that explains how you will secure patient records, what happens to those records if you cease practicing (e.g., retirement, sale, relocation), and how patients can promptly access or obtain their records. You must inform each patient in writing of the method to access records if such an event occurs. ([law.justia.com](https://law.justia.com/codes/colorado/2023/title-12/health-care-professions-and-occupations/article-240/section-12-240-142/?utm_source=openai))

Board policy expectations

On closure or departure, notify patients and instruct them to submit a written authorization if they want records transferred. The Medical Board recommends sending letters to patients seen within the last three years and, when appropriate, publishing a general notice. Maintain records consistent with the Board’s retention guidelines. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

Operational checklist

  • Designate a records custodian and publish contact details in your patient notice.
  • Use written, signed patient authorization for releases and records transfer protocols, except where law permits disclosure without authorization. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))
  • Document chain-of-custody for any bulk transfer to another provider or a records management vendor.

Management of Records after Provider's Death or Disability

Your written plan must address record storage, access, and transfer if you die, become disabled, or otherwise cannot continue practicing; you also attest to having this plan at licensure and renewal. ([law.justia.com](https://law.justia.com/codes/colorado/2023/title-12/health-care-professions-and-occupations/article-240/section-12-240-142/?utm_source=openai))

The Medical Board advises that a deceased provider’s estate retain and manage records in line with the Board’s retention guidance so patients can obtain copies or authorize transfers without interruption to care. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

Secure Destruction of Medical Records

HIPAA-compliant disposal

HIPAA requires safeguards when disposing of protected health information (PHI). For paper, use methods like shredding, burning, pulping, or pulverizing so information is unreadable and cannot be reconstructed; for electronic media, clear, purge, or destroy in accordance with recognized standards such as NIST SP 800‑88. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))

Colorado data disposal law

Colorado’s data disposal statute requires covered entities to destroy paper or electronic documents containing personal identifying information by shredding, erasing, or otherwise rendering the information unreadable or indecipherable when no longer needed, unless another law requires longer retention. Apply this in tandem with your PHI obligations. ([law.justia.com](https://law.justia.com/codes/colorado/title-6/fair-trade-and-restraint-of-trade/article-1/part-7/section-6-1-713/?utm_source=openai))

Process controls

  • Confirm no litigation hold or audit need applies before destruction.
  • Use vetted vendors and obtain certificates of destruction to evidence healthcare compliance and patient confidentiality controls.
  • Update your retention schedule and inventory after each destruction cycle.

Compliance with Medical Liability Insurance Guidelines

Medical liability carriers may recommend longer retention than state minimums to align with claim reporting and defense needs. For example, COPIC advises retaining records 10 years after last treatment (or 10 years after a minor reaches majority), and planning for tail coverage and secure long-term storage. Always reconcile carrier guidance with statutory and licensing rules before finalizing your policy. ([cms.org](https://www.cms.org/copic-comment-checklist-for-physicians-retiring-from-a-medical-practice/))

Summary

  • Physician offices: keep adult records at least 7 years after last treatment; minors until at least age 25. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))
  • Hospitals: keep adult records 10 years; minors until age 28, under facility licensing rules. ([law.cornell.edu](https://www.law.cornell.edu/regulations/colorado/title-6/agency-1011/division-1/chapter-04/part-10?utm_source=openai))
  • Pause destruction for any litigation or Board investigation until fully resolved. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))
  • Maintain a written plan, notify patients how to access records when you close or leave, and use written patient authorization for transfers. ([law.justia.com](https://law.justia.com/codes/colorado/2023/title-12/health-care-professions-and-occupations/article-240/section-12-240-142/?utm_source=openai))
  • Destroy records securely under HIPAA and Colorado’s data disposal law. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))

FAQs

How long must adult patient records be retained in Colorado?

For physician practices, keep adult records at least seven years after the last date of treatment; hospitals must retain adult records for ten years under facility licensing rules. ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

How are minor patient records handled differently?

In physician offices, retain a minor’s records for seven years after the patient turns 18 (through at least age 25). Hospitals preserve minors’ records for the period of minority plus ten years (through about age 28). ([ehr.wrshealth.com](https://ehr.wrshealth.com/shared/practice-documents/2037373/2028_Colo_Med_Board_40-07_records_release.pdf))

What happens to records if a healthcare provider discontinues practice?

Colorado law requires a written plan for record security and patient access, and you must notify patients how to obtain records. The Board also recommends letters to recent patients and, when appropriate, published notices; releases and transfers require written patient authorization. ([law.justia.com](https://law.justia.com/codes/colorado/2023/title-12/health-care-professions-and-occupations/article-240/section-12-240-142/?utm_source=openai))

How should records be destroyed to maintain confidentiality?

Apply HIPAA-compliant methods—e.g., shredding, pulping, or pulverizing paper; clearing, purging, or destroying electronic media—so PHI is unreadable and cannot be reconstructed. Colorado’s data disposal law likewise requires rendering personal information unreadable or indecipherable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))
