Hawaii Medical Records Retention Requirements: How Long Providers Must Keep Patient Records

Understanding Hawaii’s medical record retention policies helps you meet healthcare compliance standards, reduce liability, and support patient care continuity. Under Hawaii Revised Statutes Section 622-58, providers must keep complete records for defined periods and preserve certain basic information longer to protect access and accountability.

Minimum Retention Period for Adult Patient Records

For adult patients, you must retain the complete medical record for at least seven years from the date of the last entry, visit, or discharge. This minimum applies to paper and electronic health records, imaging, and ancillary documentation maintained as part of the designated record set.

Plan your medical record retention policies so the seven-year clock runs from the most recent documented activity. If other laws, contracts, or accreditation standards require longer retention, follow the longer period while still honoring Hawaii’s patient confidentiality requirements.

Practical tips

• Anchor your retention schedule to the “last entry” date, not the first visit.
• Map EHR metadata (amendments, addenda) so late entries extend the retention period appropriately.
• Store audit trails alongside the record when they are needed to reconstruct care decisions.

Retention Requirements for Minor Patients

Minor patient record retention follows a longer rule. Keep the complete record for at least seven years after the patient reaches the age of majority (18), or seven years after the last entry—whichever period ends later. In practice, many records for minors are kept until at least the patient’s 25th birthday.

Example

If a patient last received care at age 16, you would retain the record until at least seven years after the patient turns 18, even if the seven-year period from the last visit would have ended sooner.

Permissible Methods for Record Destruction

When a record is eligible for disposal, you must use medical record destruction protocols that render PHI unreadable, indecipherable, and incapable of reconstruction while honoring state and federal patient confidentiality requirements.

Paper records

• Cross-cut shredding, pulping, or incineration in secure conditions.
• Locked custody until destruction and documented chain-of-custody.

Electronic records and media

• Secure wipe/overwrite using industry-accepted standards or cryptographic erasure.
• Physical destruction of drives or media when appropriate (e.g., shredding, degaussing).
• Verification and logging of destruction, including device IDs and methods used.

Operational controls

• Written destruction policy approved by leadership and reviewed annually.
• Destruction logs capturing patient identifiers, date, method, and personnel/vendor.
• Business associate agreements with vendors that handle PHI destruction.

Required Basic Information Retention

Hawaii Revised Statutes Section 622-58 requires providers to keep certain “basic information” for a longer period—no less than 25 years—so essential facts remain available even after full charts are destroyed.

What to keep for at least 25 years

• Patient’s full name and date of birth.
• Unique patient identifier and, if collected, the last known address or contact information at the time of service.
• Identity of the treating healthcare provider or facility.
• Dates and location(s) of service.
• A brief description of the general nature of services provided.

Maintain this basic information in a durable index or summary register that remains accessible if you migrate EHR systems or close a practice.

Compliance with State Confidentiality Laws

Your retention schedule must align with patient confidentiality requirements under state law while also meeting HIPAA privacy and security rules. Limit access to the minimum necessary, protect records during storage, transfer, and destruction, and release information only with valid authorization, a court order, or another permitted basis.

Privacy safeguards to build in

• Role-based access controls and audit monitoring for all systems holding retained records.
• Encryption of data at rest and in transit, including archived backups.
• Documented breach response procedures that cover legacy and archived records.

Healthcare Provider Responsibilities

Healthcare provider recordkeeping obligations extend beyond simply saving files. You need a coherent governance program that demonstrates compliance with Hawaii’s medical record retention policies and broader healthcare compliance standards.

Core obligations

• Adopt a written retention and destruction policy referencing Hawaii Revised Statutes Section 622-58.
• Maintain a current records inventory and retention schedule covering all media types.
• Ensure continuity planning for practice closure, mergers, or EHR transitions, including patient notice and access procedures.
• Train workforce members annually and document competency.
• Test retrieval so you can furnish timely copies for treatment, payment, operations, audits, or legal requests.

Record Retention Exceptions and Special Cases

Some records must be kept longer than Hawaii’s baseline to satisfy federal programs, accreditation, or clinical standards. Always apply the strictest applicable rule.

• Medicare and other payer contracts: Certain program records (e.g., Medicare Advantage or Part D) often require retention of related clinical and billing documentation for up to 10 years; follow contract terms.
• Mammography: Federal MQSA rules require retention of mammograms and reports for at least five years, or at least 10 years if no subsequent mammogram is performed at the facility.
• Pathology and imaging: Professional standards may call for longer retention of slides, blocks, and diagnostic images; align with accrediting bodies and specialty guidelines.
• Research: Keep HIPAA authorizations and related documentation for at least six years after the document’s effective date or the study’s conclusion, whichever is later.
• Occupational health: Employee exposure and medical surveillance records may require retention for extended periods (often decades) under workplace safety rules.
• Litigation/investigations: Implement a legal hold to suspend destruction when claims, audits, or government inquiries are reasonably anticipated.

Summary

In Hawaii, keep complete adult records at least seven years from the last entry, keep minor records until at least seven years after the patient turns 18, and preserve core identifying and service details for at least 25 years. Build secure processes for storage, retrieval, and destruction, and apply the longest applicable rule when federal programs, contracts, or specialty standards exceed state minimums.

FAQs.

How long must adult patient records be retained in Hawaii?

At least seven years from the date of the last entry, visit, or discharge. If another law, contract, or accreditation standard requires a longer period, follow the longer rule. Keep the 25-year basic information as outlined by Hawaii Revised Statutes Section 622-58.

What are the retention requirements for minor patient records?

Retain the complete record for at least seven years after the patient reaches age 18, or seven years after the last entry—whichever ends later. In effect, many minor records are kept until at least the patient’s 25th birthday, plus the 25-year basic information requirement.

What information must be kept for 25 years?

Maintain a durable index with the patient’s name and date of birth; a unique identifier and, if collected, last known contact information; the treating provider or facility; dates and location(s) of service; and a brief description of services provided. This preserves essential facts even after full charts are destroyed.

What are the allowed methods for destroying medical records?

Use secure, documented methods that make PHI unreadable and irrecoverable: cross-cut shredding, pulping, or incineration for paper; secure wipe/overwrite, cryptographic erasure, degaussing, or physical destruction for electronic media. Maintain destruction logs and, if using vendors, execute appropriate business associate agreements.