HIPAA Compliance Recordkeeping Guide: What to Retain and For How Long

Kevin Henry

HIPAA

January 17, 2025

This guide starts with one core truth: HIPAA sets minimums for compliance documentation, while state-specific medical record laws, CMS rules, payer contracts, research obligations, and litigation holds often require longer retention. Use the longest applicable rule to set policy and avoid gaps.

HIPAA Record Retention Requirements

HIPAA does not dictate how long you keep medical records themselves. Instead, it requires you to retain documentation that proves compliance with the Privacy, Security, and Breach Notification Rules for at least six years. The six-year clock runs from the later of the document’s creation date or the date it was last in effect.

What HIPAA expects you to retain

  • Privacy practices documentation: your Notice of Privacy Practices (NPP), prior versions, distribution methods, and acknowledgments.
  • Policies and procedures across the Privacy, Security, and Breach Notification Rules, including minimum necessary standards and protected health information safeguards.
  • Risk analysis and risk management plans, security evaluations, and contingency plans (backup, disaster recovery, emergency operations) with test results.
  • Workforce training materials, schedules, and attendance records.
  • Business associate agreements (BAAs) and vendor due diligence records.
  • Breach documentation: investigation notes, risk assessments, decision memos, and breach notification retention (letters, notices, media postings, and logs).
  • Complaint files and dispositions, including privacy rights violation complaints and sanction records for workforce violations.
  • Authorizations and accounting-of-disclosures documentation related to PHI uses and disclosures.

Timeframe and start date

Retain each item for a minimum of six years from the later of its creation date or when that version was superseded. For BAAs, keep six years after termination. When policies change, keep both the prior and current versions for their full retention periods.

Beyond the HIPAA minimum

If another law, contract, accreditation rule, or litigation hold requires longer, follow the longest period. Align your retention matrix so compliance documentation never ages out before the records and events it governs.

State Medical Record Retention Laws

States set medical record retention rules for hospitals, clinics, and physician practices. These laws commonly differ for adults, minors, and certain record types (e.g., imaging, behavioral health), so you should map policy to each location where you practice.

Common state patterns

  • Adult records: typically 7–10 years from the last encounter or discharge.
  • Minors: usually until the age of majority plus an additional period (often 2–10 years), or the adult retention period, whichever is longer.
  • Hospitals versus physician offices: hospitals often have longer obligations than office-based practices.
  • Special categories: behavioral health, reproductive health, and radiology images may have unique timelines.

How to operationalize state-specific rules

  • Build a living inventory of state-specific medical record laws for every facility address and provider type you operate.
  • Layer in malpractice statutes of limitation and discovery rules; retain long enough to defend claims.
  • Coordinate with credentialing, accreditation, and payer contracts so all drivers point to a single, longest-required retention period.

CMS Record Retention Requirements

CMS requirements vary by program and contract. At a minimum, retain the patient records and supporting documentation needed for Medicare claims and audits well beyond the HIPAA six-year baseline.

Medicare fee-for-service providers

  • Cost report and related financial records: at least five years after the cost report year, with longer retention if there are open audits or appeals.
  • Claims support (medical records, orders, certifications, documentation for medical necessity): many providers keep seven years to cover audit lookback periods.

Medicare Advantage and Part D

  • Medicare Advantage (MA) organizations, Part D sponsors, and their first-tier, downstream, and related entities typically must retain records for 10 years, including contracts, compliance, and claims data.

Medicaid considerations

  • State Medicaid and Medicaid managed care contracts often require six to 10 years from final payment or contract end; verify your exact agreement.

Practical approach

If you serve Medicare Advantage or Part D members, set your default to 10 years for operational records connected to those programs. Otherwise, maintain at least seven years for Medicare FFS claims support and five years for cost-report data, extending for audits or litigation holds.

Disposal of Protected Health Information

Secure disposal is the final stage of retention. Your process must render PHI unreadable, indecipherable, and unable to be reconstructed while maintaining protected health information safeguards throughout the chain of custody.

Paper PHI

  • Use cross-cut shredding, pulping, or incineration. Strip-cut shredding alone is insufficient.
  • Seal and stage containers in restricted areas; never place PHI in standard trash or recycling.
  • Use a vetted destruction vendor under a BAA, and keep dated destruction certificates and logs.

Electronic PHI

  • Apply media sanitization methods consistent with industry-standard guidance (e.g., secure erase, cryptographic erasure, degaussing, or physical destruction).
  • Wipe or destroy data on hard drives, SSDs, tapes, mobile devices, copiers, and removable media before reuse or disposal.
  • Document serial numbers, methods, dates, and personnel; retain destruction logs per your policy.

Program controls

  • Adopt written disposal procedures, workforce training, monitored containers, and vendor oversight.
  • Test and audit your disposal workflow periodically to confirm it works as designed.

HIPAA Compliance Documentation Retention

This section consolidates the HIPAA documentation most organizations retain for six years (or longer if required by other rules). Specify the start date for each item and track versions.

  • Privacy practices documentation: NPPs, revisions, posting methods, and acknowledgments—six years from the last effective date.
  • Policies and procedures for Privacy, Security, and Breach Notification—six years from the version’s last effective date.
  • Risk analysis, risk management plans, security evaluations, contingency plans, and test results—six years.
  • Workforce training content, schedules, sign-ins, and attestation records—six years.
  • Business associate agreements and vendor risk reviews—six years after termination or last effective date.
  • Incident and breach records, including breach notification retention (letters, logs, substitute notice artifacts, and decision memos)—six years.
  • Privacy rights violation complaints and investigation files with outcomes—six years.
  • Authorizations, denial/approval notices, and accounting-of-disclosures logs—six years.
  • Sanctions and corrective actions related to HIPAA violations—six years.
  • System security configurations, access control standards, and audit log retention policies—retain at least six years; keep actual audit logs long enough to investigate incidents and satisfy contractual or regulatory lookbacks.

Retention Period for Medical Records of Minors

HIPAA is silent on medical record retention, so you must rely on state law, malpractice timelines, and payers. For minors, retention periods are usually framed as “age of majority plus X years,” because statutes of limitations are often tolled until the child turns 18.

Set a minors policy you can apply consistently

  • Keep the record until the later of: your state’s minor-specific requirement, the malpractice limitations period, or any payer/contract duty.
  • Common pattern: retain until at least age 18 plus 7 years; some states require longer.
  • Document exceptions for emancipated minors or services where minors can consent under state law (e.g., behavioral or reproductive health).

Example

If a patient is seen at age 16 and your state requires “7 years after majority,” you would retain until the patient turns 25. Extend if a claim, audit, or research obligation is pending.
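The two date rules this article relies on, the HIPAA six-year clock that runs from the later of a document’s creation or the date its version stopped being in effect, and the “longest applicable rule” for patient records (including the minors example above), are easy to get wrong when a retention schedule is maintained by hand. The following Python sketch is an added illustration, not part of the original article or any Accountable product: it models each retention driver as a rule with its own anchor date and picks the latest end date. The rule set, the patient dates, and the class and function names are constructed sample values, not any state’s actual requirement.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

HIPAA_DOC_YEARS = 6  # HIPAA minimum for compliance documentation


def add_years(d: date, years: int) -> date:
    """Add whole years; a Feb 29 anchor lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ComplianceDocument:
    """A HIPAA compliance artifact (policy version, BAA, training record, ...)."""
    name: str
    created: date
    superseded: Optional[date] = None  # None means this version is still in effect


def hipaa_doc_retain_until(doc: ComplianceDocument) -> Optional[date]:
    """Six years from the later of creation or last-effective date.

    Returns None while the version is still in effect: the clock has not started,
    so the document must simply be kept.
    """
    if doc.superseded is None:
        return None
    return add_years(max(doc.created, doc.superseded), HIPAA_DOC_YEARS)


@dataclass
class PatientRecord:
    last_encounter: date
    date_of_birth: date


@dataclass
class RetentionRule:
    """One driver in the retention matrix (hypothetical structure).

    anchor is "last_encounter" (years after the last visit/discharge) or
    "majority" (years after the patient reaches the age of majority).
    """
    name: str
    years: int
    anchor: str
    age_of_majority: int = 18

    def applies(self, rec: PatientRecord) -> bool:
        # A majority-based rule only matters if the patient was a minor at the encounter.
        if self.anchor == "majority":
            return rec.last_encounter < add_years(rec.date_of_birth, self.age_of_majority)
        return True

    def retain_until(self, rec: PatientRecord) -> date:
        if self.anchor == "last_encounter":
            return add_years(rec.last_encounter, self.years)
        if self.anchor == "majority":
            return add_years(add_years(rec.date_of_birth, self.age_of_majority), self.years)
        raise ValueError(f"unknown anchor {self.anchor!r}")


# Constructed sample rule set; real values come from each state, payer and insurer.
DEMO_RULES = [
    RetentionRule("state: 7 years from last encounter (adult)", 7, "last_encounter"),
    RetentionRule("state: 7 years after majority", 7, "majority"),
    RetentionRule("malpractice limitations: 3 years", 3, "last_encounter"),
]


def patient_record_retain_until(rec: PatientRecord, rules: list[RetentionRule]) -> tuple[date, str]:
    """Longest applicable rule wins: return the latest end date and the rule that set it."""
    ends = {r.name: r.retain_until(rec) for r in rules if r.applies(rec)}
    winner = max(ends, key=ends.__getitem__)
    return ends[winner], winner


if __name__ == "__main__":
    policy = ComplianceDocument("Privacy policy v2", date(2019, 1, 15), date(2022, 4, 1))
    print(policy.name, "retain until", hipaa_doc_retain_until(policy))  # 2028-04-01

    # The article's example: seen at 16, state requires 7 years after majority -> age 25.
    minor = PatientRecord(last_encounter=date(2024, 6, 1), date_of_birth=date(2008, 3, 10))
    print("minor record retain until", patient_record_retain_until(minor, DEMO_RULES))
```

The `None` return for a document that is still in effect is deliberate: a schedule that silently computes “created + six years” for a live policy is exactly how compliance documentation ages out before the records it governs.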

Record Retention for Research Records Containing PHI

Research retention must satisfy multiple frameworks: HIPAA, the Common Rule, FDA regulations, sponsor contracts, and grant rules. To maintain research protocol compliance, keep records for the longest applicable period to cover all drivers.

What to retain

  • Protocol and amendments, investigator brochure, case report forms, source documents, datasets, and analysis files.
  • Informed consent forms and HIPAA authorizations; recruitment materials; screening logs.
  • Delegation and training logs, monitoring and audit reports, adverse event/SAE reports, and correspondence.

Typical timeframes

  • HIPAA: retain authorizations and accounting-of-disclosures documentation for six years.
  • Common Rule/IRB: retain research records for at least three years after study completion (IRBs may require longer).
  • FDA-regulated trials: retain for two years after the marketing application is approved for the indication; if no application is filed or approved, two years after the investigation is discontinued and FDA is notified.
  • Grants (e.g., federal awards): retain award and financial records for at least three years after the final financial report, unless an audit or other condition extends the period.
  • Sponsors and institutions often require 10–15 years; adopt the longest rule across all obligations.

Coordinate your research retention schedule with clinical record retention so linked PHI and study documents do not expire on different timelines.

Bottom line: HIPAA sets a six-year minimum for compliance documentation, while states, CMS, payers, and research rules frequently require longer. Build a unified schedule that applies the longest relevant period, document your start dates, and enforce secure disposal when time is up.

FAQs

How long does HIPAA require covered entities to keep compliance records?

At least six years. The six-year period runs from the later of the document’s creation date or the date it was last in effect. If another law, contract, or litigation hold requires longer, follow the longest period.

What are the state variations in medical record retention?

States set their own timelines. Adult records commonly range from 7–10 years after the last visit; minors are usually retained until the patient turns 18 plus an additional period (often 2–10 years). Always verify the rule for each practice location and record type.

How should protected health information be disposed of securely?

Use methods that render PHI unreadable and irrecoverable: cross-cut shredding, pulping, or incineration for paper; secure erasure, cryptographic erasure, degaussing, or physical destruction for electronic media. Maintain disposal policies, vendor BAAs, and destruction logs.

What is the retention period for minors’ medical records?

Keep the record until at least the age of majority plus the state’s required additional years, and long enough to cover malpractice limitations and payer/audit timelines. When multiple rules apply, choose the longest period.
