HIPAA Medical Record Retention Requirements by State: 50-State Guide
HIPAA Privacy Rule Overview
What HIPAA requires—and what it does not
The HIPAA Privacy Rule governs how you use, disclose, secure, and provide access to protected health information (PHI). It also sets provider documentation obligations for policies, procedures, notices, and authorizations. You must retain HIPAA-required documentation for six years from creation or the date last in effect, whichever is later.
HIPAA does not set a universal minimum for medical record retention periods. Instead, you preserve patient records according to State Medical Record Retention Laws, federal program rules, payer contracts, and your organization’s policy—always following the most stringent requirement that applies.
Preemption and “more stringent” standards
When state law provides stronger privacy protections or longer retention than HIPAA, the state law controls. In practice, record retention is primarily a state-law question, while the HIPAA Privacy Rule ensures you can locate, produce, and safeguard PHI for patient access, amendments, and audits during the retention lifecycle.
Patient access and preservation
Effective patient record preservation means your records remain complete, legible, and retrievable for the full retention period. You should maintain indexes, audit trails, and scalable storage to support timely patient access, fulfill requests, and document disclosures consistent with the HIPAA Privacy Rule.
State Medical Record Retention Periods
Typical timeframes across the states
State requirements vary widely. Many states set a baseline of 5–10 years for adult medical records from the last encounter or discharge. For minors, states commonly require retaining records until the patient reaches the age of majority plus additional years, often aligning with the state’s malpractice statute of limitations.
Hospitals and facility-based providers frequently face longer obligations than office-based practices. Some states differentiate between inpatient and outpatient records or specify longer retention for specialized records such as oncology, obstetrics, or imaging.
Event triggers that start the clock
- Last encounter vs. discharge date: States may calculate from final visit, discharge, or last activity.
- “Whichever is later”: Rules often use later of last service, final bill, or case closure.
- Active vs. closed charts: Retention applies to closed records; active charts remain in use.
Building a state-aligned retention schedule
- Identify the governing State Medical Record Retention Laws for your practice type and setting.
- Map special categories (minors, mental health, imaging, labs) that may carry longer periods.
- Overlay federal program and CMS Retention Requirements, payer contracts, and accreditation rules.
- Adopt the most stringent time period and document it in policy; review annually.
Legal holds and audits
Always suspend destruction if records are subject to a legal hold, government investigation, or payer audit. Document the hold, scope, and release, and retain affected records until the matter is fully resolved.
Federal Retention Requirements
HIPAA documentation (six years)
You must keep HIPAA-required policies, procedures, training attestations, notices of privacy practices, authorizations, and designated record set disclosures for at least six years from creation or last effective date. This is separate from state-defined medical record retention.
CMS and Medicare program expectations
CMS Retention Requirements vary by setting and program. Hospitals and other facilities commonly maintain medical records for at least five years under federal participation rules, with some programs expecting longer periods for cost reports, managed care, and audit support. When federal and state rules differ, follow the longer requirement.
Employee medical records (OSHA)
Employers must retain required employee exposure and medical records for the duration of employment plus 30 years. These are distinct from patient treatment records but often coexist in healthcare organizations.
Mammography records (FDA MQSA)
Under federal mammography quality standards, facilities retain mammography images and reports for at least five years, or at least ten years if no subsequent mammogram is performed at that facility—longer if state law requires.
Clinical laboratory records (CLIA)
CLIA rules set minimum retention periods for laboratory records and materials. Many routine lab records are kept at least two years, while certain slides and pathology materials require longer retention. Verify CLIA specifics for your laboratory services and harmonize with state law.
Retention Rules for Minors and Deceased Patients
Minors
States typically require you to retain a minor’s record until the patient reaches the age of majority plus additional years. A prudent approach is to keep records through the longest applicable statute of limitations for medical claims after majority, plus a reasonable buffer.
Deceased patients
Patient death does not automatically shorten retention. Follow the same state-law period you would for adults unless your state sets a specific rule. HIPAA protects decedents’ PHI for 50 years after death, so access and confidentiality obligations continue during that timeframe.
Guardianship and emancipation
If a patient becomes emancipated or guardianship changes, confirm how your state calculates retention start dates. Record custody documentation thoroughly to support future access decisions.
Provider-Specific Record Retention
Hospitals and health systems
Facilities often adopt 5–10 year baselines, with longer periods for high-risk services or where state law dictates. Include emergency department logs, operative reports, anesthesia records, and imaging within your unified retention schedule.
Physician and APP practices
Office-based practices commonly set 5–7 year baselines for adults, extending for minors and high-risk specialties. Align your EHR, scanning, and offsite storage so designated record set elements remain retrievable throughout the retention lifecycle.
Long-term care, home health, hospice
Post-acute providers may face longer retention expectations due to federal and state oversight. Confirm resident/patient record rules, care plan documentation, and medication administration records, and retain beyond discharge when audits or payer reconciliations are pending.
Dental, optometry, and allied health
These providers typically mirror physician office baselines but may retain radiographs, study models, or specialty images longer. Ensure scheduling, billing, and consent documents are included in your retention inventory.
Clinical laboratories
Harmonize CLIA-driven timeframes with state requirements. Track requisitions, quality records, maintenance logs, test reports, and retained specimens to ensure nothing is destroyed prematurely.
Management of Mental Health Records
General mental health records
Mental health record regulations are primarily state-driven and can prescribe longer retention or special content rules. Incorporate therapy notes, treatment plans, and care coordination records into your schedule according to state law.
Psychotherapy notes
HIPAA treats psychotherapy notes (the clinician’s separate, personal notes) differently from the general medical record. They have heightened protections and are excluded from the standard patient right of access, but their retention period still follows applicable state law and your policy.
Substance use disorder records (42 CFR Part 2)
Part 2 imposes strict confidentiality and consent requirements for SUD records. While Part 2 focuses on use and disclosure rather than a uniform retention length, many programs retain records at least as long as state rules and payer contracts require, with robust segmentation and audit controls.
Retention Policies for Radiology and Imaging Records
Images, reports, and accessibility
Radiologic imaging retention covers both the image and the interpretive report. You should maintain DICOM images and structured reports in systems that ensure integrity, readability, and timely retrieval for the full retention period.
Mammography and specialty modalities
For mammography, federal standards require at least five years—or ten years if the patient has no subsequent mammogram at your facility—and longer if state law mandates. Other modalities typically follow your state’s general medical record retention unless a specific rule applies.
Data migration and defensible destruction
Plan for archive migrations (PACS/VNA) to prevent data loss. At the end of the retention period, apply secure, documented destruction that irreversibly deletes electronic images and appropriately disposes of any remaining film, while maintaining a destruction log.
Key takeaways
- HIPAA sets privacy and documentation duties; states set most medical record retention periods.
- Use the longest applicable rule among state law, federal program rules, and contracts.
- Extend retention for minors, legal holds, specialty records, and imaging that carries federal requirements.
- Design policies that preserve completeness, accessibility, and security for the entire retention lifecycle.
FAQs
What is the minimum medical record retention period under HIPAA?
HIPAA does not impose a universal minimum for medical record retention. It requires you to retain HIPAA-related documentation—such as policies, procedures, and authorizations—for six years from creation or the date last in effect. Medical record retention periods come primarily from state law and other applicable requirements.
How do state laws affect medical record retention requirements?
State Medical Record Retention Laws set the baseline for how long you must keep adult and pediatric records, with variations by provider type and record category. When state rules differ from federal or payer requirements, follow the most stringent period to ensure compliance and audit readiness.
Are there special retention rules for minor patients?
Yes. Most states require retaining a minor’s record until the patient reaches the age of majority plus additional years, often aligned to the malpractice statute of limitations. A conservative practice is to keep the record through majority and the longest applicable limitations period before permitting destruction.
What are the retention requirements for mental health records?
Retention for mental health records is primarily governed by state law and may be longer than general medical records. Psychotherapy notes have special HIPAA protections, and substance use disorder records are subject to 42 CFR Part 2 confidentiality rules. Set your schedule to meet the strictest applicable requirement and document your rationale in policy.