HIPAA Medical Record Retention Requirements: How Long to Keep Records (and What HIPAA Actually Requires)
HIPAA Documentation Retention Requirements
The phrase “HIPAA medical record retention requirements” is often confused with HIPAA’s actual legal obligations. HIPAA requires you, as a covered entity or business associate, to retain HIPAA compliance documentation (not patient charts) for at least six years from the date of creation or the date the document was last in effect, whichever is later. This includes policies, procedures, and the required records that demonstrate compliance with the Privacy and Security Rules. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.316?utm_source=openai))
What counts as HIPAA Compliance Documentation?
- Written policies and procedures, including updates and version history.
- Risk assessments (risk analyses) and risk management plans for electronic Protected Health Information (PHI/ePHI).
- Training rosters, sanctions logs, incident and breach documentation, and Notices of Privacy Practices with acknowledgments where applicable.
- Business Associate Agreements and designated record set/access process documentation.
HIPAA does not impose a federal medical record retention period for patient charts; states set those timelines. HIPAA’s role is to require appropriate safeguards for Protected Health Information for as long as you maintain it, and to keep HIPAA Compliance Documentation for six years. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html?utm_source=openai))
Practical retention tips
- Apply the “6-year HIPAA clock” to all required compliance records, restarting when a document is revised.
- Segment your schedule: HIPAA Compliance Documentation (6 years) versus clinical records (follow state and payer rules).
- Use a documented retention policy so staff know what to keep, for how long, and how to dispose of it.
State Laws Governing Medical Record Retention
State Retention Statutes drive how long you keep medical records. In practice, you follow the longest applicable rule among state law, Medicare/Medicaid conditions, payer contracts, and liability considerations. HIPAA does not set a chart-retention duration. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html?utm_source=openai))
Common patterns and examples
- California hospitals: preserve records at least 7 years; for minors, keep at least 1 year past age 18 and not less than 7 years. ([law.cornell.edu](https://www.law.cornell.edu/regulations/california/22-CCR-70751?utm_source=openai))
- Texas physicians: retain adult records 7 years from last treatment; for minors, until age 21 or 7 years from last treatment, whichever is longer. ([law.cornell.edu](https://www.law.cornell.edu/regulations/texas/22-Tex-Admin-Code-SS-163-2?utm_source=openai))
- New York: physicians generally 6 years; hospitals generally 6 years, with longer rules for minors (3 years past the age of majority, at a minimum). ([archives.nysed.gov](https://www.archives.nysed.gov/records/laws-and-regulations-related-to-records?utm_source=openai))
Action point: build a state-by-state matrix if you operate in multiple jurisdictions and adopt the longest period that applies to your record type and patient population.
Medicare and Medicaid Retention Guidelines
Medicare and Medicaid rules add program-specific timelines that you must layer onto state requirements. These rules often apply to covered entities that participate in federal programs and influence how long you keep the clinical and financial records that support reimbursement.
Medicare Conditions of Participation (examples)
- Hospitals: retain medical records in original or legally reproduced form for at least 5 years. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/482.24?utm_source=openai))
- Home Health Agencies: retain clinical records for 5 years after patient discharge (or longer if state law requires). ([ecfr.io](https://ecfr.io/Title-42/Section-484.110?utm_source=openai))
- Critical Access Hospitals: retain records at least 6 years from the date of last entry. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/485.638?utm_source=openai))
- Outpatient rehabilitation and similar providers often have 5-year minimums after discharge (verify your specific provider type). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/485.60?utm_source=openai))
- Clinical laboratories/pathology: CLIA requires longer retention for certain materials (for example, pathology slides 10 years). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/493.1105?utm_source=openai))
Medicare Advantage and Medicaid managed care
- Medicare Advantage organizations must allow audit and retain relevant records for 10 years after the final contract period or completion of audit, whichever is later. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/422.504?utm_source=openai))
- Medicaid managed care entities (MCOs/PIHPs/PAHPs) must retain specified records for no less than 10 years. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/438.3?utm_source=openai))
Orders, certifications, referrals, and related documentation
Separate from facility CoPs, Medicare requires providers/suppliers who furnish, order, certify, refer, or prescribe Part A or B services/items/drugs to maintain related documentation for 7 years from the date of service and to provide access upon request. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/424.516?utm_source=openai))
Cost Report Retention
Keep cost report workpapers and supporting detail long enough to satisfy audit and appeal windows and any longer state or program requirements. As a practical baseline, the hospital 5-year federal minimum for medical record retention and the 10-year Medicare Advantage/Medicaid managed care recordkeeping requirements often lead organizations to retain cost report packages for 5–10 years, or longer while a cost report is under appeal. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/482.24?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Safeguards for Medical Record Disposal
Before disposal, you must protect PHI with reasonable administrative, technical, and physical safeguards and implement device and media controls for ePHI. For electronic media, the Security Rule requires policies for final disposition and for removing ePHI before reuse. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.310?utm_source=openai))
Paper PHI
- Use methods that render PHI unreadable and cannot be reconstructed, such as cross‑cut shredding or pulping; never discard intact PHI in publicly accessible receptacles. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/576/may-a-covered-entity-dispose-of-information-in-dumpsters/index.html?utm_source=openai))
- Stage materials in secure areas and, if using a vendor, execute a Business Associate Agreement and supervise pickup/destruction. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/576/may-a-covered-entity-dispose-of-information-in-dumpsters/index.html?utm_source=openai))
Electronic PHI
- Apply NIST‑aligned sanitization: clearing (secure overwrite), purging (e.g., degaussing), or destroying media (disintegrate, pulverize, melt, incinerate, or shred) before disposal or reuse. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/578/may-a-covered-entity-reuse-computers-that-store-protected-information/index.html?utm_source=openai))
- Maintain accountability for media movements and create retrievable backups when needed prior to equipment transfer. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.310?utm_source=openai))
Variations in State Retention Periods
Expect significant variation in State Retention Statutes. Many states set 5–7 years for adult records; others require 10 or more. Minors’ records commonly follow “age of majority plus X years.” Some service lines (for example, pathology or radiology) have distinct federal or state rules that exceed general statutes, so map retention by record type, not just by patient status. ([archives.nysed.gov](https://www.archives.nysed.gov/records/laws-and-regulations-related-to-records?utm_source=openai))
Example: pathology slides must be kept 10 years under CLIA—longer than many general medical record rules—so your enterprise schedule should default to the longest applicable timeline across federal program rules and state law. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/493.1105?utm_source=openai))
Compliance with HIPAA Privacy Rules
Retention is only half of compliance. You must also restrict access, apply the minimum necessary standard, and safeguard PHI throughout its life cycle (storage, use, transmission, and disposal). Build these controls into your HIPAA compliance documentation and keep that documentation for six years. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.530?utm_source=openai))
Action checklist
- Inventory records and map the longest applicable rule (state law, Medicare/Medicaid, payer contracts, clinical specialty).
- Document a retention schedule covering clinical records, billing and cost report materials, and HIPAA compliance documentation.
- Implement administrative, technical, and physical safeguards; test your disposal safeguards and keep destruction logs.
- Train staff and audit compliance; apply legal holds when litigation or audits require extended retention.
Bottom line: follow HIPAA’s six‑year rule for compliance records, then layer on state and program rules for patient records. When timelines differ, keep the record for the longest required period and dispose of it securely.
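As an added illustration (not code from the original article), the following Python sketch encodes the retention logic described above: the six-year HIPAA documentation clock that restarts on revision, the state minor rules that take the longer of an age-based and an event-based period, and the “longest applicable rule” selection across the state, Medicare and CLIA examples on this page. The statute names are the page’s examples; the event that anchors each clock (last treatment or discharge), the clamping of leap-day dates, and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple

def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 clamps to Feb 28 in a non-leap year (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def hipaa_doc_expiry(created: date, last_effective: date) -> date:
    """45 CFR 164.316: keep compliance documentation six years from the later of
    creation or the date it was last in effect, so a revision restarts the clock."""
    return add_years(max(created, last_effective), 6)

@dataclass(frozen=True)
class RetentionRule:
    source: str
    years_after_event: int           # years from the anchoring event (last treatment/discharge)
    until_age: Optional[int] = None  # minors: keep at least until the patient reaches this age...
    years_past_age: int = 0          # ...plus this many years (California: 1 year past 18)

    def expires(self, last_event: date, dob: Optional[date]) -> date:
        by_event = add_years(last_event, self.years_after_event)
        if self.until_age is None or dob is None:
            return by_event
        by_age = add_years(dob, self.until_age + self.years_past_age)
        return max(by_event, by_age)  # "whichever is longer"

# Rules from the article's examples; the event anchoring each clock is an assumption.
TEXAS_PHYSICIAN = RetentionRule("22 TAC 163.2 (Texas physicians)", 7, until_age=21)
CALIFORNIA_HOSPITAL = RetentionRule("22 CCR 70751 (California hospitals)", 7, until_age=18, years_past_age=1)
MEDICARE_HOSPITAL = RetentionRule("42 CFR 482.24 (Medicare hospital CoP)", 5)
CLIA_PATHOLOGY_SLIDES = RetentionRule("42 CFR 493.1105 (CLIA pathology slides)", 10)

def longest_applicable(last_event: date, dob: Optional[date],
                       rules: Iterable[RetentionRule]) -> Tuple[date, str]:
    """Pick the latest expiry across every rule that applies and report which rule set it."""
    winner = max(rules, key=lambda r: r.expires(last_event, dob))
    return winner.expires(last_event, dob), winner.source

def may_dispose(today: date, expiry: date, legal_hold: bool = False) -> bool:
    """Disposal is allowed only once the longest period has run and no legal hold is active."""
    return not legal_hold and today >= expiry
```

Feed `longest_applicable` every rule that applies to a record type (state statute, Medicare CoP, CLIA, payer contract) and schedule disposal from the returned date, never from any single rule.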
FAQs
What is the minimum retention period for HIPAA documentation?
Six years from the date a document is created or last in effect, for required HIPAA policies, procedures, and other compliance records. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.316?utm_source=openai))
How do state laws affect medical record retention?
States set the retention period for patient charts. You must meet state rules and any longer federal program requirements, keeping records for the longest applicable timeframe. HIPAA itself does not mandate how long to keep medical records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html?utm_source=openai))
What are the Medicare record retention requirements?
Examples: hospitals keep records at least 5 years; home health agencies keep clinical records 5 years after discharge; critical access hospitals keep records at least 6 years; ordering/certifying/referring documentation must be kept 7 years from the date of service; Medicare Advantage and Medicaid managed care contracts generally require 10 years of retention for applicable program records. Verify your provider type and contracts. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/482.24?utm_source=openai))
What safeguards are required for disposing of medical records?
HIPAA requires reasonable safeguards and device/media controls. For paper, destroy so PHI is unreadable (for example, cross‑cut shredding); for ePHI, sanitize or destroy media (clearing, purging, or physical destruction) before reuse or disposal. Never place intact PHI in publicly accessible receptacles. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.310?utm_source=openai))