District of Columbia Medical Records Retention Requirements: How Long Healthcare Providers Must Keep Patient Records

Physician Record Retention Requirements

In the District of Columbia, a licensed physician must maintain an accurate medical record for each patient and keep it for a minimum of three years after the last visit. For minor patients, the record must be retained for at least three years after the patient reaches age 18. Building your record retention policy DC around these baselines helps support healthcare compliance DC while preserving continuity of care.

At a glance for physician offices (minimums):

• Adults: retain for at least 3 years after the last encounter.
• Minors: retain until at least age 21 (3 years after age 18).
• Access: provide copies within 30 days when requested, consistent with DC standards and HIPAA’s right of access.

Practical best practices often extend beyond the statutory minimums. Consider malpractice statutes of limitations, payer and audit requirements, and research or quality needs when setting your patient record retention schedule. Document the rationale in your record retention policy DC and review it annually.

Hospital Record Retention Guidelines

Hospitals in DC must preserve each patient’s medical record—whether inpatient, emergency, or outpatient—for at least 10 years after discharge. For minors, hospitals must keep records until 3 years after the patient reaches age 18. Hospitals must also ensure medical records are complete within 30 days of discharge and maintain a permanent patient index for retrieval.

If a hospital ceases operations, medical records must be transferred as directed by the patient or authorized representative, with any remaining records stored securely to protect confidentiality. These requirements align with protected health information management fundamentals and support reliable patient care transitions across facilities.

Electronic Medical Record Management

Electronic systems must preserve the complete, authoritative medical record, including any scanned paper documents, so that the electronic version reproduces the original in full. Establish written procedures for imaging, quality assurance sampling, version control, and audit trails. Backups, disaster recovery testing, and role‑based access are essential elements of protected health information management.

Electronic health record accessibility is a core compliance expectation. The federal Information Blocking rules under the 21st Century Cures Act require providers to avoid practices that unreasonably interfere with a patient’s access, exchange, or use of electronic health information (EHI). Build workflows that release results, notes, and other EHI through patient portals or direct exchange unless a specific regulatory exception applies.

For specialty programs (for example, behavioral health and substance use disorder services), configure your EHR to segregate and control sensitive data consistent with stricter confidentiality rules. Maintain clear data‑sharing rules and audit logs that show who accessed or disclosed information and why.

Patient Record Disposal Procedures

DC hospital regulations permit shredding, incineration, electronic deletion, or another equally effective method that ensures PHI cannot be reconstructed. Apply medical record destruction standards consistently across paper and electronic media, and retain certificates of destruction and chain‑of‑custody logs for audit purposes.

• Paper: cross‑cut/micro‑cut shredding, pulping, or incineration so documents cannot be read or reconstructed.
• Electronic: follow media sanitization practices (for example, secure overwrite, cryptographic erase, degaussing for magnetic media, or physical destruction such as shredding or pulverizing). “Delete” alone is not sufficient.
• Vendors: execute a business associate agreement, validate NAID‑type certifications if applicable, and document verification of destruction.

Never destroy records under a legal hold or while audits, investigations, or litigation are pending. Your policy should specify how destruction is paused and resumed, who authorizes final disposal, and how exceptions (such as minor patients) are identified.

Compliance and Legal Considerations

HIPAA does not impose a nationwide medical record retention period for providers; DC law controls the minimums above. However, HIPAA requires you to keep privacy and security policies, authorizations, and related compliance documentation for at least six years. Medicare and many commercial payers also require retention (often six years) for claims and supporting documentation.

For behavioral health and substance use disorder programs certified in DC, additional rules apply, including longer retention (see below) and strict confidentiality under federal 42 CFR Part 2 and DC mental health privacy laws. Your record retention policy DC should cross‑reference these sources, specify patient record retention and medical record disposal steps, and assign accountable owners for policy maintenance, staff training, and periodic audits.

Retention Periods for Minor Patients

Minimum retention periods in DC vary by setting. For physician practices, keep a minor’s record for at least three years after the patient turns 18 (retain until at least age 21). Hospitals must also retain minors’ records until three years after age 18. Certain DC‑certified behavioral health programs must keep client records for at least 10 years after the patient turns 18 due to program‑specific standards.

• Physician office example: a 16‑year‑old patient last seen in June 2026—retain the record until at least June 2031.
• Hospital example: a 17‑year‑old discharged in March 2026—retain until at least March 2031.
• Behavioral health program example: a 16‑year‑old discharged in 2026—retain until at least 2028 plus 10 years (that is, until the patient is at least 28), per applicable program rules.

Summary: set your patient record retention to meet the DC minimums for your setting, then layer on longer periods driven by risk, payers, and specialty regulations. Pair this with strong access controls, electronic health record accessibility, and documented medical record disposal procedures to sustain healthcare compliance DC end‑to‑end.

FAQs

How long must physicians keep patient records in DC?

Physicians must retain adult patient records for at least three years after the last visit. For minors, keep records for at least three years after the patient turns 18 (retain until at least age 21). Many practices keep records longer based on risk and payer requirements.

What are DC hospital record retention requirements?

Hospitals must maintain each patient’s medical record for at least 10 years after discharge. For minors, the record must be kept until at least three years after the patient reaches age 18. Hospitals must also complete records within 30 days of discharge and maintain a permanent patient index.

How should electronic medical records be maintained?

Maintain an authoritative electronic record that fully reproduces the original content, with documented imaging procedures, QA sampling, audit trails, backups, and role‑based access. Ensure timely electronic health record accessibility and avoid practices that could be seen as information blocking, unless a specific exception applies.

What methods are approved for medical record destruction?

Acceptable methods include shredding, pulping, or incinerating paper so it cannot be reconstructed, and securely sanitizing or destroying electronic media (for example, verified overwrite, cryptographic erase, degaussing for magnetic media, or physical destruction). Document destruction with logs and certificates, and never dispose of records under a legal or audit hold.