HIPAA Record Retention Guidelines: How Long to Keep Medical Files


Kevin Henry

HIPAA

January 08, 2024


HIPAA Medical Record Retention Requirements

HIPAA does not prescribe a universal medical record retention period for patient charts. Instead, HIPAA focuses on retaining HIPAA compliance documentation—your policies, procedures, and related records—for a minimum of six years from the date of creation or last effective date, whichever is later (Privacy Rule 45 CFR 164.530(j) and Security Rule 45 CFR 164.316(b)).

Because HIPAA sets a floor, you must also follow state retention mandates and any payer or accreditation requirements. In practice, many organizations adopt minimum retention periods that satisfy the strictest rule that applies to them.

What HIPAA requires you to keep

  • All HIPAA compliance documentation for at least six years, including policies, procedures, risk analyses, breach notification records, and notices of privacy practices.
  • Documentation of actions and assessments required by HIPAA, such as sanctions, complaints and their disposition, and business associate agreements.

What HIPAA does not dictate

  • No single federal “how long to keep medical files” rule for clinical records themselves; those minimum retention periods are mainly driven by state retention mandates and contracts.

Practical baseline to reduce risk

  • Adults: many providers maintain records 7–10 years after the last encounter to align with common state requirements and litigation defenses.
  • Minors: retain until the patient reaches the age of majority plus additional years as required by the state (often several more years).

State-Specific Retention Periods

States set detailed medical record disposal regulations and retention timelines that vary by provider type, record type, and patient age. Requirements often differ for hospitals versus physician practices and may specify separate timelines for imaging, pathology slides, and immunization histories.

Common state patterns

  • Adult records: typically 5–10 years after last treatment or discharge.
  • Minor records: keep until the age of majority plus a state-specified period (commonly 2–10 additional years).
  • Special records: oncology, obstetrics, or transplant records may require longer retention; some immunization records are kept permanently.
  • Event triggers: retention clocks often start at last encounter, discharge, or case closure, and pause during litigation holds.

Multi-state operations

  • Adopt a master schedule anchored to the longest applicable rule across your footprint to ensure compliance and simplify training.
  • Document state-by-state exceptions in your policy and audit against them regularly.

HIPAA Compliance Documentation Retention

Beyond clinical records, HIPAA requires you to maintain HIPAA compliance documentation that proves your privacy and security program is in place and operating. Retain each item for at least six years, and longer if a stricter state rule, contract, or legal hold applies.

Documents to retain at minimum for six years

  • Written privacy, security, and breach notification policies and procedures, including version histories and approvals.
  • Risk analysis and risk management plans, technical evaluations, and security assessments.
  • Notices of Privacy Practices and changes, plus acknowledgment documentation when applicable.
  • Business Associate Agreements and related due diligence.
  • Workforce training materials, attendance logs, and sanction documentation.
  • Complaint logs and resolutions, access request denials, amendment requests and responses, and restriction/alternative communication agreements.
  • Breach investigation files, risk assessments, notification letters, and incident response records.
  • System activity review and compliance audit records, including access logs and audit findings.
  • Device and media control records, such as backup inventories and destruction certificates.

Best Practices for Medical Record Disposal

When minimum retention periods are met and no legal holds apply, dispose of records in a manner that upholds your protected health information safeguards and makes the PHI unrecoverable, so that it cannot be reconstructed or re-identified.

Paper PHI

  • Use cross-cut shredding, pulping, or incineration so documents cannot be reconstructed.
  • Secure receptacles and supervised handling until final destruction; maintain chain-of-custody.
  • Obtain and keep certificates of destruction from any vendor; ensure a Business Associate Agreement is in place.

Electronic PHI (ePHI)

  • Sanitize media per a recognized standard (for example, NIST SP 800-88 methods such as secure wipe, cryptographic erasure, degaussing, or physical destruction).
  • Track all devices and storage locations, including servers, laptops, removable media, copiers, and backups.
  • Coordinate disposal with IT so archived backups, replicas, and logs age out on schedule.

Program controls

  • Document your destruction process, roles, and approvals; retain destruction logs as compliance evidence.
  • Pause destruction immediately when legal, audit, or eDiscovery holds are issued.

Understanding Privacy Safeguards During Retention

Retention does not reduce your duty to protect PHI. Maintain administrative, physical, and technical safeguards for the full lifecycle of the records, whether on paper, on-premises, or in the cloud.

Administrative safeguards

  • Role-based access, minimum necessary standards, and periodic access reviews.
  • Security risk analysis and continuous risk management; workforce training and sanctions.
  • Vendor oversight with Business Associate Agreements and security attestations.
  • Clear retention schedules, legal hold procedures, and disposal authorization workflows.

Technical safeguards

  • Encryption at rest and in transit, strong authentication, and session timeouts.
  • Audit logging, intrusion detection, and alerts for anomalous access.
  • Data integrity controls and tested backups to assure availability throughout retention.

Physical safeguards

  • Locked storage, visitor controls, camera coverage, and clean-desk practices.
  • Secure offsite storage with environmental protections and documented transport procedures.

Special considerations

  • Sensitive categories (for example, psychotherapy notes or records protected by 42 CFR Part 2) may require tighter access and longer or separate retention handling.
  • When appropriate, de-identify data for research or archival use to reduce risk exposure.

Retention Policies for Minor Patient Records

For minors, the retention clock usually extends beyond the visit timeline to account for the age of majority and applicable statutes of limitations. Because the age of majority and rules for consented services vary by state, align your policy to the strictest combination of state retention mandates and malpractice defense needs.

Build a defensible minor-records rule

  • Start with your state’s minimum for minors, measured from the patient’s age of majority or last encounter, as specified.
  • Add extra years to cover potential claims that may not begin until majority or discovery.
  • Apply special handling for confidential services a minor can consent to; access and disclosure rules may differ from standard pediatric records.
  • Retain immunization histories long term; many practices keep them indefinitely for continuity of care.
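The multi-state "longest applicable rule" approach above and the minor-records rule in this section both reduce to a small retention calculation: pick an anchor date (last encounter or age of majority), add the state-specified years, take the longest result across every state that applies, and never release a record while a legal hold is active. The following calculator is an added illustration, not code from this article or from Accountable. The rule table in it (`ST-A`, `ST-B`, their year counts and ages of majority) is constructed placeholder data and does not represent any real state's law; the `RetentionRule`, `Record` and `disposal_decision` names are likewise hypothetical.

```python
"""Retention-eligibility calculator (added example; hypothetical rules).

Models the article's schedule logic: adult clock runs from last encounter or
discharge; minor clock runs from age of majority plus extra years (and never
shorter than the adult period); across states, the longest rule wins; a legal
hold blocks disposal regardless of the clock; some categories are permanent.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    state: str
    adult_years: int                 # years after last encounter/discharge
    minor_years_after_majority: int  # years past the age of majority for minors
    age_of_majority: int = 18


# CONSTRUCTED placeholder schedule. NOT actual state law: replace with the
# statute-derived values your counsel approves.
RULES: Dict[str, RetentionRule] = {
    "ST-A": RetentionRule("ST-A", adult_years=7, minor_years_after_majority=3),
    "ST-B": RetentionRule("ST-B", adult_years=10, minor_years_after_majority=5,
                          age_of_majority=19),
}

# Categories the article notes are often kept indefinitely.
PERMANENT_CATEGORIES = {"immunization"}


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anchor falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    patient_dob: date
    last_encounter: date
    states: Tuple[str, ...]      # every state whose rules apply to this record
    category: str = "general"
    legal_hold: bool = False


def eligible_date(rule: RetentionRule, rec: Record) -> date:
    """Earliest disposal date under one state's rule."""
    adult_end = add_years(rec.last_encounter, rule.adult_years)
    majority = add_years(rec.patient_dob, rule.age_of_majority)
    if rec.last_encounter < majority:
        # Patient was a minor at the last encounter: run the clock from the age
        # of majority, but never shorter than the adult period (conservative).
        return max(add_years(majority, rule.minor_years_after_majority), adult_end)
    return adult_end


def disposal_decision(rec: Record, today: date) -> Tuple[bool, str, Optional[date]]:
    """Return (may_dispose, reason, clock_end) for a record as of `today`."""
    if rec.category in PERMANENT_CATEGORIES:
        return False, "retain permanently", None
    # Master schedule: the longest applicable rule across the footprint wins.
    clock_end = max(eligible_date(RULES[s], rec) for s in rec.states)
    if rec.legal_hold:
        return False, f"legal hold active; clock ends {clock_end.isoformat()}", clock_end
    if today < clock_end:
        return False, f"retain until {clock_end.isoformat()}", clock_end
    return True, f"eligible since {clock_end.isoformat()}", clock_end


if __name__ == "__main__":
    # Constructed sample records, not real patients.
    adult = Record(date(1970, 1, 1), date(2015, 6, 30), ("ST-A", "ST-B"))
    minor = Record(date(2010, 3, 15), date(2016, 5, 1), ("ST-A", "ST-B"))
    held = Record(date(1970, 1, 1), date(2015, 6, 30), ("ST-A",), legal_hold=True)
    for r in (adult, minor, held):
        print(disposal_decision(r, date(2026, 1, 1)))
```

A positive decision from this function should feed the documented destruction workflow (approval, destruction log, vendor certificate) rather than trigger deletion directly, and the rule table itself belongs under the same version history and six-year retention as the rest of your compliance documentation.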

Conclusion

HIPAA sets a six-year retention rule for HIPAA compliance documentation but leaves clinical record timelines to state law and contracts. Establish minimum retention periods that satisfy the strictest rule you face, protect PHI with robust safeguards during storage, and execute documented, secure destruction once records are eligible. This balanced approach supports compliance, risk reduction, and operational efficiency.

FAQs

How long does HIPAA require medical records to be retained?

HIPAA does not set a universal retention period for patient medical records. It requires you to keep HIPAA compliance documentation—such as policies, risk analyses, breach files, and notices of privacy practices—for at least six years. Your record retention timeline for medical files should follow applicable state laws and contracts, which commonly fall in the 7–10 year range for adults and longer for minors.

Do state laws override HIPAA retention guidelines?

HIPAA is a federal floor. You must meet HIPAA’s six-year rule for HIPAA documentation and also comply with any stricter or more specific state retention mandates for medical records. When state law requires longer retention, follow the state rule; when HIPAA is stricter for documentation, follow HIPAA. In practice, you comply with both.

What documents must be retained under HIPAA compliance?

Retain, at minimum for six years: privacy, security, and breach policies and procedures; risk analyses and risk management plans; Notices of Privacy Practices and revisions; Business Associate Agreements; training materials and attendance logs; sanction and complaint records; breach investigations and notification files; device/media control and destruction logs; and compliance audit records such as access reviews and system activity reports.

How should medical records be securely disposed of?

Use destruction methods that make PHI unrecoverable. For paper, apply cross-cut shredding, pulping, or incineration with chain-of-custody and certificates of destruction. For ePHI, sanitize per recognized standards (e.g., secure wipe, cryptographic erasure, degaussing, or physical destruction), inventory all media, and ensure backups age out. Always pause destruction for legal holds and verify a Business Associate Agreement with any vendor.
