HIPAA Medical Record Retention Requirements: How Long to Keep Patient Records


Kevin Henry

HIPAA

March 12, 2024


Overview of HIPAA Medical Record Retention

HIPAA does not set a universal time frame for how long you must keep patient medical records. Instead, medical record retention periods are driven by state medical record retention laws and by payer rules, including Medicare record retention requirements and Medicaid record retention rules. HIPAA’s core obligation is that you protect and control protected health information (PHI) for as long as you retain it.

Two principles guide compliant retention: apply the longest applicable requirement and document your rationale. The “longest rule wins” usually comes from a combination of state law, payer contracts, accreditation standards, and your own risk posture. Build a written retention schedule, apply it consistently, and align it with your EHR and paper workflows.

While HIPAA does not dictate how long to keep patient charts, it does require you to keep HIPAA compliance documentation (for example, policies, risk analyses, training logs, and business associate agreements) for a defined period. You should manage clinical records and compliance records on the same schedule framework, but recognize they follow different rules.

State-Specific Retention Periods

State medical record retention laws establish minimum retention periods by provider type (for example, hospitals, clinics, physicians), record type, and sometimes patient age or service category. These rules vary widely, so you must map the statutes and regulations for each state where you deliver care, including telehealth and outreach services.

Common ranges and triggers

  • Adults: Many organizations adopt 6–10 years after the last encounter or discharge, aligning with common state minimums and liability considerations.
  • Minors: States often require retention until a fixed period after the patient reaches the age of majority, in addition to a baseline number of years after the last visit.
  • Specialty records: Obstetrics, oncology, and imaging may warrant longer retention to address delayed claims, complications, or exposure-related issues.
  • Events that reset the clock: Readmissions, new encounters, addenda, and late results can shift the “last encounter” date; capture these events in your retention logic.
  • Legal holds: If litigation, audits, or investigations are pending or reasonably anticipated, suspend destruction until the hold is lifted.

How to set your schedule

  • Inventory jurisdictions and record types (inpatient, outpatient, behavioral health, dental, images, device data, messages, and backups).
  • Research state requirements for each setting and choose the longest rule per record type and location.
  • Document the policy, approval date, effective date, and the business owner responsible for updates.
  • Configure EHR retention fields and purge jobs to match policy; require a pre-destruction review.
  • Review annually; laws change, and program rules evolve.

Retention Requirements for Minor Patients

Minor patient record retention typically extends longer because statutes of limitations often do not begin until the patient reaches the age of majority. This means the retention period usually runs to a set number of years after the minor turns 18 (or the state’s majority age), and also after the last encounter—whichever is later.

A conservative approach

As a practical baseline, many providers retain records for minors until at least the later of: the patient reaching the age of majority plus several additional years, and the standard adult retention period after the last encounter. This approach accommodates delayed claims, malpractice timelines, and access needs without conflicting with minor patient record retention rules in stricter states.
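The retention arithmetic described here and in the schedule and legal-hold bullets above, as an added Python example that is not part of the original article. The year counts are constructed placeholders standing in for the rules you map per state and payer; the clock-reset, legal-hold and six-year compliance-document rules are also included.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed schedule values (assumptions): replace with the longest rule
# you mapped from state law, payer contracts and accreditation standards.
ADULT_YEARS = 10           # years after the last encounter or discharge
MAJORITY_AGE = 18          # or the state's age of majority
MINOR_EXTRA_YEARS = 3      # additional years after reaching majority
COMPLIANCE_DOC_YEARS = 6   # HIPAA minimum for policies, risk analyses, BAAs

def add_years(d: date, n: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

@dataclass
class PatientRecord:
    dob: date
    events: List[date]     # encounters, readmissions, addenda, late results
    legal_hold: bool = False

def retention_end(rec: PatientRecord) -> date:
    """Date the chart becomes destruction-eligible: the later of the adult
    rule (last event + ADULT_YEARS) and the minor rule (majority + extra
    years). Taking the latest event means any new event resets the clock."""
    adult_rule = add_years(max(rec.events), ADULT_YEARS)
    minor_rule = add_years(rec.dob, MAJORITY_AGE + MINOR_EXTRA_YEARS)
    return max(adult_rule, minor_rule)

def destruction_eligible(rec: PatientRecord, today: date) -> bool:
    """A pending legal hold suspends destruction regardless of the date."""
    return not rec.legal_hold and today >= retention_end(rec)

def compliance_doc_end(created: date, last_in_effect: Optional[date] = None) -> date:
    """Six years from creation or from the date the document was last in
    effect, whichever is later."""
    anchor = max(created, last_in_effect or created)
    return add_years(anchor, COMPLIANCE_DOC_YEARS)

if __name__ == "__main__":
    # Constructed sample patients: a minor and an adult with two encounters each
    minor = PatientRecord(date(2010, 5, 1), [date(2015, 3, 2), date(2016, 7, 9)])
    adult = PatientRecord(date(1980, 1, 15), [date(2012, 3, 1), date(2014, 11, 20)])
    print(retention_end(minor), retention_end(adult))
```

Run a pre-destruction review over the output rather than purging directly: the function answers only "is the clock expired and no hold active", not whether the policy itself is current.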

Edge cases to plan for

  • Emancipated minors and confidential services: Retention rules still apply, but your access controls and documentation should reflect consent nuances.
  • High-risk specialties: Obstetrics and neonatal care may warrant additional years due to long-tail liability.
  • Immunization histories: Retain longer or maintain a permanent record so patients can prove vaccination status into adulthood.

Retention of Medicare and Medicaid Records

Federal program requirements layer on top of state rules. Your policy should explicitly address Medicare record retention requirements and Medicaid record retention rules, including managed care contracts and cost-reporting timelines.

Medicare Advantage and Part D

Medicare Advantage and Part D contracts commonly require retention of books, records, and documents—including clinical records needed to substantiate payment—for at least 10 years, with longer retention when audits, investigations, or litigation are ongoing. Subcontractors and delegated entities should match this period in their agreements.

Traditional Medicare and Medicaid (fee-for-service) providers

Keep patient records and supporting documentation (orders, authorizations, medical-necessity evidence, cost reports, and claim files) long enough to satisfy audit and overpayment lookback windows, plus any state minimums. Many organizations adopt 7–10 years as a baseline, extending further when program participation agreements or state Medicaid rules require it.

Practical compliance tips

  • Tie the retention clock to the end of the cost-report period or the last paid claim for the episode when required.
  • Flow down retention obligations to billing services and other business associates.
  • Do not destroy records while program audits or appeals are open; document the legal hold.

HIPAA Compliance Documentation Retention

HIPAA requires you to retain HIPAA compliance documentation for at least six years from the date of creation or the date it was last in effect, whichever is later. This applies to both Privacy Rule and Security Rule documentation and should be part of your written retention schedule.

What to include

  • Privacy and Security Rule policies and procedures, with their effective and retirement dates.
  • Risk analyses and the remediation decisions made from them.
  • Training logs and attestations.
  • Business associate agreements.

Retention best practices

  • Maintain a central repository with version control and effective dates.
  • Map each document type to its minimum six-year period; extend if state or payer rules are stricter.
  • Store certificates of destruction and legal-hold releases as part of the record set.

Proper Disposal of Medical Records

When the retention period ends, disposal must render PHI unreadable, indecipherable, and unreconstructable. Select secure record disposal methods that fit each medium and document the process.

Methods by medium

  • Paper: Cross-cut shredding, pulverizing, or incineration; use locked consoles and supervised transfer to destruction.
  • Electronic media: Cryptographic wipe, secure overwrite, degaussing (where appropriate), or physical destruction of drives and removable media.
  • Cloud and applications: Terminate access, delete exports/test datasets, and obtain written confirmation of destruction from service providers.
  • Images and devices: Sanitize copiers, scanners, infusion pumps, and imaging systems before reuse or disposal.

Controls to prove compliance

  • Execute business associate agreements with destruction vendors; require chain-of-custody and certificates of destruction.
  • Log what was destroyed, when, how, and by whom; include witness verification for high-risk media.
  • Coordinate with legal and compliance to clear holds before destruction jobs run.

Key takeaways

  • HIPAA does not set a universal chart-retention period; follow the longest applicable state and payer requirements.
  • For minors, plan for retention that extends beyond the age of majority plus your standard period.
  • Medicare Advantage/Part D commonly require 10-year retention; fee-for-service programs and Medicaid may necessitate 7–10 years or more.
  • Retain HIPAA compliance documentation for at least six years and document every destruction action.

FAQs

What are the HIPAA requirements for medical record retention?

HIPAA does not prescribe how long you must keep patient medical records. It requires you to safeguard PHI for as long as you retain it and to keep HIPAA compliance documentation—such as policies, risk analyses, training records, and business associate agreements—for at least six years from creation or last effective date. Your medical record retention periods should be set by state law and payer rules, applying the longest requirement.

How do state laws affect medical record retention periods?

State medical record retention laws establish minimum time frames that vary by provider type, record type, and patient age. They often specify years after the last encounter or discharge and longer timelines for minors. You should inventory every state where you practice, select the longest applicable rule for each record type, and embed it into your retention schedule and EHR workflows.

How long must records for minor patients be retained?

Most jurisdictions require retention until a period after the patient reaches the age of majority, in addition to a baseline number of years after the last visit. A conservative practice is to retain until at least the later of the patient turning 18 (or the state’s majority age) plus several years, and your standard adult retention period. This approach aligns with common minor patient record retention principles and reduces risk.

What is the required retention period for Medicare and Medicaid records?

Medicare Advantage and Part D contracts commonly require you to retain relevant records for at least 10 years, longer if audits or investigations are open. For traditional Medicare and Medicaid, retain clinical and billing records long enough to satisfy program audits, cost-report rules, and state law—many providers adopt 7–10 years as a baseline, extending when contract terms or legal holds require more time.
