How Long Do Doctors Keep Medical Records? Retention Timelines and Rules Explained

Medical Record Retention Under State Laws

How long do doctors keep medical records primarily depends on State medical record retention statutes. These laws set minimum periods that providers must keep adult and pediatric charts, typically measured from the last encounter or discharge. Because requirements vary, you should apply the longest applicable rule across state law, payer contracts, and internal policy.

Common state timelines (general patterns)

• Physician practices (adult records): commonly 6–7 years after the last visit.
• Hospitals (adult records): commonly 10 years after discharge, though some states require more.
• Deceased patients: at least the standard adult period from date of death or last entry, whichever is longer.

Always layer in the statute of limitations for medical claims. Even if a statute sets a short filing window, discovery rules and tolling can extend exposure, so many organizations keep records a buffer period beyond the minimum. Document your rationale to support HIPAA Privacy Rule compliance and audit readiness.

Operationalizing state rules

• Maintain a written schedule that cites the controlling state statute and any payer or accreditation requirements.
• Review the schedule annually and when opening new sites, since multi-state groups must follow each state’s rule.
• Train staff and designate record custodian responsibilities for approvals, holds, and destruction decisions.

Federal Retention Requirements for Hospitals

There is no single federal law that sets one nationwide retention period for all clinical records. Instead, federal rules create floors that hospitals and health systems must meet, often alongside stricter state requirements.

HIPAA documentation vs. clinical charts

HIPAA Privacy Rule compliance does not mandate a specific time to keep medical records. It does require keeping compliance documentation—such as policies, procedures, notices of privacy practices, business associate agreements, and accounting-of-disclosures logs—for at least six years. Treat this as a separate, clearly labeled retention schedule for compliance documentation retention.

Medicare, Medicaid, and CMS program rules

CMS retention requirements under Medicare Conditions of Participation generally require hospitals to maintain complete, promptly retrievable medical records for a defined minimum period (commonly at least five years), with some specialized facilities keeping longer. Program-integrity and cost-report rules typically expect financial and cost-report support records to be retained for about five years after the reporting period, subject to longer state or contractual terms.

Retention Guidelines for Minors' Records

For minors, retention clocks usually run until the child reaches the age of majority plus an additional period. A prudent baseline is to retain pediatric records until at least age 21–23, or for the state’s standard adult period after the last visit—whichever is longer. This approach accounts for tolling of the statute of limitations for medical claims during childhood.

• Where mother–baby care is linked (obstetric and neonatal records), retain both charts in alignment with the child’s extended timeline.
• For emancipated minors or services where minors may consent under state law, verify access and retention rules before setting destruction dates.

Extended Retention for Special Medical Records

Certain record types warrant longer retention due to clinical, legal, or program requirements. Build explicit exceptions into your schedule so these materials are not purged prematurely.

Records commonly kept longer

• Oncology, transplant, and high-risk procedures: often 10 years or longer based on program standards and outcome tracking.
• Pathology slides and tissue blocks: frequently retained a decade or more to support re-review and quality investigations.
• Radiology images and reports: commonly 5–7 years; mammography images often follow federal timelines that can extend to 10 years in certain scenarios.
• Occupational health and exposure records: employee exposure documentation is often retained for the duration of employment plus 30 years.
• Clinical research: FDA/GCP frameworks typically require investigators to keep trial records for at least two years after marketing approval or study termination, with sponsors or IRBs sometimes requiring longer (e.g., 7–15 years).
• Immunization records: often maintained for extended periods and reported to state or local immunization information systems for permanent retrieval.

Triggers for extended holds

• Known or reasonably anticipated litigation, investigations, or payer audits.
• Sentinel events, complex adverse outcomes, or open quality reviews.
• Contractual obligations (e.g., payer or research agreements) that exceed statutory minimums.

Procedures for Medical Record Destruction

When records meet their retention end date and no holds apply, use standardized record destruction protocols that protect confidentiality and prove due diligence.

Pre-destruction checks

• Confirm the applicable state minimum and any longer federal, accreditation, or contract requirement.
• Verify no litigation hold, investigation, audit, or unpaid claim is pending.
• For minors, confirm the patient has reached majority and the post-majority period has elapsed.

Approved destruction methods

• Paper: cross-cut shredding, pulping, or incineration so PHI cannot be reconstructed.
• Electronic PHI: sanitize or destroy media per industry standards (e.g., secure wiping, degaussing, or physical destruction) and ensure backups are covered by the same policy.
• Vendors: execute a business associate agreement, maintain chain-of-custody, and obtain a certificate of destruction.

Documentation you must keep

• Destruction logs listing date, record categories, inclusive dates, volume, method, location, and the responsible record custodian’s signature.
• Vendor certificates and approvals retained for at least six years to support HIPAA Privacy Rule compliance.

Patient Rights to Record Access

Patients have a right to access their designated record set. You generally must provide access within 30 days (with a limited extension if necessary), in the form and format requested if readily producible, including secure electronic copies. Reasonable, cost-based fees may cover labor, supplies, and postage, but not profit.

Some information is excluded—such as psychotherapy notes kept separately and information compiled for legal proceedings. For minors, parental access depends on state consent laws and the nature of the service. Maintain clear intake forms and authorizations to streamline compliant responses and documentation.

Handling Record Transfer on Practice Closure

When a practice closes, your duty to protect and provide access to medical records continues until retention periods expire. Plan early, notify patients, and appoint a custodian to manage storage and requests.

Closure checklist

• Notify patients well in advance with instructions for obtaining or transferring records.
• Designate a custodian and publish their contact details on outgoing messages and signage.
• Transfer active records to succeeding providers only with proper authorization.
• Store remaining records securely for the full retention term; document location and access controls.
• Keep logs of notices, requests, releases, and destruction as part of compliance documentation retention.

Record custodian responsibilities

• Respond timely to access requests and subpoenas.
• Maintain the retention schedule, legal holds, and destruction approvals.
• Preserve audit trails and certificates that demonstrate compliant handling end to end.

Summary and best practices

• Follow State medical record retention statutes as your baseline, then apply stricter federal, accreditation, or contract rules.
• Account for the statute of limitations for medical claims and build in a buffer where risk warrants.
• Use written policies, trained custodians, and auditable processes for retention, access, and destruction.

FAQs

How long must doctors keep adult medical records?

It varies by state, but a common minimum is 6–7 years after the last encounter for physician practices, with hospitals frequently keeping records around 10 years. Always follow the longest applicable rule and extend retention if a legal hold or audit is pending.

What are the retention periods for minors’ medical records?

Most schedules retain pediatric records until the child reaches the age of majority plus an additional period—often 2–7 years—or for the standard adult period after the last visit, whichever is longer. Many organizations use at least age 21–23 as a practical floor.

Are there special retention rules for immunization records?

Yes. Immunization histories are often kept longer than other pediatric records and are commonly reported to state immunization registries for long-term access. Retain vaccine data through adulthood and ensure it transfers to the state registry where required.

What happens to medical records when a practice closes?

The practice must secure the records for the full retention term, notify patients how to obtain copies, and appoint a custodian to handle requests. After required periods elapse and no holds exist, records may be destroyed using documented, HIPAA-compliant protocols.