How Long Does a Hospital Keep Medical Records? Timeframes, Laws, and What to Expect

Hospitals balance clinical needs, regulations, and risk when deciding how long to keep your chart. In the United States, Health Information Management teams set retention schedules that weave together federal rules, state medical record laws, payer contracts, and accreditation standards. This guide explains the typical timelines, what drives them, and how you can get copies of your records.

Because requirements differ by record type and state, think in terms of frameworks rather than a single number. You will see common patterns—especially 5–10 years for adults—plus special rules for minors and deceased patients, and additional obligations tied to Medicare retention guidelines and legal record retention.

Federal Retention Requirements

What federal law does—and doesn’t—require

No single federal statute sets a universal retention period for all hospital medical records. HIPAA focuses on HIPAA record privacy and security, not how long to keep the clinical record. Under HIPAA, covered entities must retain privacy-related documentation (such as policies, authorizations, and Notices of Privacy Practices) for six years, but HIPAA does not impose a blanket timeline for keeping the medical record itself.

Medicare retention guidelines at a glance

Medicare and other federal programs influence retention indirectly. Hospitals typically retain cost reports and supporting documentation for audit purposes for multiple years, and Medicare Advantage or Part D contracts can require longer windows. To harmonize compliance and audits, many organizations align clinical, billing, and audit files to a conservative multi‑year schedule.

Other federal program rules that affect specific records

Certain record types carry additional federal expectations—for example, device tracking data, research records bound by grant or FDA requirements, or modality‑specific images and reports (such as mammography). These rules don’t replace state timelines; they sit alongside them, and hospitals keep the longest applicable period.

Practical takeaways

• HIPAA sets documentation retention for privacy records, not a universal medical record timeline.
• Medicare retention guidelines and federal program contracts extend how long related financial, compliance, or modality‑specific records are kept.
• When two rules apply, hospitals use the longer period.

State-Specific Retention Periods

States set the primary timetable for hospitals. Most state medical record laws require adult inpatient and outpatient records to be kept for a defined period after the last encounter or discharge. Common minimums cluster between five and ten years, with some states mandating longer spans.

Hospitals often keep a single policy that satisfies every location they serve. If a system operates in multiple states, its Health Information Management team typically standardizes to the strictest requirement so records aren’t destroyed too early anywhere.

Typical adult timelines you’ll see

• Adults: commonly 5–10 years after the last visit or discharge, depending on the state and record type.
• Specialty records (behavioral health, imaging): may carry longer state or program‑specific requirements.
• Worker’s compensation or occupational health files: often follow separate statutes or payer rules.

How to interpret your state’s rule

• Confirm the “clock start”: last encounter date vs. discharge date can differ.
• Apply the longest applicable rule if multiple laws or contracts cover the same record.
• Note carve‑outs: minors, radiology, and behavioral health records often have distinct timelines.

Record Retention for Minors and Deceased Patients

Minors: States usually tie retention to the age of majority. A common pattern is to retain a minor’s record until the patient turns 18 plus an additional period (often several years) to ensure claims and legal time limits have passed. Many hospitals therefore keep pediatric records until at least age 21, and some for longer, based on state law.

Deceased patients: Most states do not shorten retention when a patient dies; the adult schedule usually still applies. Under HIPAA, decedent information remains protected for 50 years after death. Estate record access is typically granted to the personal representative (for example, an executor) with appropriate documentation.

Requesting and Accessing Medical Records

Steps to request your records

• Contact the hospital’s Health Information Management or Release of Information office.
• Submit a signed request or HIPAA authorization specifying what you need (dates of service, summaries, images).
• Verify identity and delivery method (portal download, secure email, mail, or pickup).

Timelines, formats, and fees

Hospitals must respond to patient access requests within HIPAA’s timelines (generally within 30 days, with one allowed extension if necessary). You can request paper or electronic copies, and many facilities offer portal access. Fees, where allowed, must be reasonable and cost‑based for copying and delivery; many states further restrict or cap these amounts.

Who may access records besides the patient

HIPAA permits access by a personal representative (such as a parent/guardian, health care proxy, or executor for a decedent) to the extent allowed by state law and the underlying documentation. Third parties—like attorneys or insurers—need a valid authorization or other legal basis.

Record Destruction and Notification Procedures

Hospitals follow medical record destruction policies that specify when and how information is disposed of. Destruction occurs only after all applicable retention periods and legal holds have cleared, and it is logged to show what was destroyed, when, and by whom.

Notification to patients is not typically required for routine, on‑schedule destruction. However, notice or public posting can be required when a facility closes or transfers records, and breach notification applies if records are lost or improperly discarded.

When can records be destroyed?

• After the longest applicable retention period (state law, contracts, audits) has expired.
• When no litigation hold, audit, or investigation is pending or reasonably anticipated.

How destruction happens

• Paper: cross‑cut shredding, pulping, or incineration.
• Electronic media: secure overwriting, cryptographic erasure, degaussing, or physical destruction.
• Vendors: business associate agreements and certificates of destruction document compliance.

Record Storage and Indexing Systems

Modern records live in electronic health records with some legacy paper and images in archives. To retrieve information quickly and enforce retention clocks, hospitals rely on consistent indexing, metadata, and access controls managed by Health Information Management.

How hospitals index records

• Patient identifiers: name, date of birth, medical record number (MRN).
• Encounter identifiers: visit number, location, attending provider.
• Document attributes: type (e.g., H&P, operative note), authorship, and finalized dates.

Long‑term storage and safeguards for ePHI

• Encryption at rest and in transit, role‑based access, and audit logs.
• Backups and disaster recovery with tested restore procedures.
• Archiving strategies (including write‑once media) mapped to retention schedules.

Migration and data integrity

When systems change, hospitals migrate charts with chain‑of‑custody documentation, reconcile master patient indexes to prevent duplicates, and validate that the complete legal medical record remains accessible for the full retention period.

Retention for Legal and Tax Purposes

Retention isn’t only about clinical care. Legal record retention accounts for malpractice limitation periods, government investigations, and e‑discovery. If litigation is anticipated, a legal hold immediately pauses destruction until the matter resolves, even if routine timelines have ended.

Financial and tax audits

Hospitals maintain financial, cost‑report, and reimbursement files for multiple years to satisfy audits and payer reviews. Medicare retention guidelines and many tax practices lead organizations to keep key financial support for extended periods—often equal to or longer than clinical record minimums—so documentation is available for appeals and examinations.

Conclusion

In practice, hospitals keep adult records for several years (commonly 5–10), retain pediatric records until after majority plus extra time, and preserve decedent information with HIPAA protections for decades. The longest applicable rule—state law, federal program, contract, or legal hold—wins. If you need copies, submit a clear request to Health Information Management and expect a timely, cost‑based response.

FAQs.

How long are hospital records kept for adults?

Most states require adult records to be kept for a defined period after the last visit or discharge, commonly between five and ten years. Hospitals may choose a longer standard to satisfy audits, payer obligations, or multi‑state operations.

Are medical records kept longer for minors?

Yes. States generally require retention until the patient turns 18 plus additional years. Many hospitals keep pediatric records until at least age 21, and sometimes longer, to cover legal and claims timeframes.

What rights do patients have to access their records?

You have the right under HIPAA to inspect or obtain copies of your records in paper or electronic form, to direct a copy to a third party, and to receive a timely response (generally within 30 days). Reasonable, cost‑based copying fees may apply, and state law may provide added protections.

When can hospitals destroy medical records?

Hospitals may destroy records only after the longest applicable retention period has expired and no legal hold, audit, or investigation is pending. Destruction follows documented medical record destruction policies that ensure secure, irreversible disposal.