How Long Should Medication Records Be Kept? Legal Requirements and Best Practices
Medication records—prescriptions, dispensing logs, medication administration records (MARs), and medication lists in electronic health records—are core parts of protected health information. Keeping them long enough protects patients, supports quality care, and helps you defend against audits and medical malpractice claims. This guide explains the legal landscape and offers practical steps to build a defensible record retention policy.
Federal Record Retention Requirements
There is no single federal rule that sets a universal retention period for all medication records. Instead, several federal frameworks apply, often alongside stricter state laws. You should keep the longest period required by any applicable rule.
HIPAA Privacy Rule
- HIPAA does not prescribe how long to keep medical or medication records themselves.
- However, HIPAA requires you to retain privacy documentation—policies, procedures, notices, authorizations, and accounting of disclosures—for six years from the date of creation or last effective date.
DEA (Controlled Substances)
- Records for controlled substances—e.g., inventories, DEA order forms, dispensing and transfer logs, and loss/theft reports—must be kept for at least two years and be readily retrievable at the registered location.
- Because many states require longer retention, adopt “federal minimum or state rule, whichever is longer.”
CMS and Federal Program Requirements
- Medicare Conditions of Participation generally require hospitals and many providers to keep medical records for at least five years after the patient’s discharge or the last date of service.
- Medicare Advantage and Part D sponsors typically must retain claims, payment, and related records for ten years, which can indirectly affect how long providers keep supporting medication documentation used for billing or audits.
Compounding and Manufacturing Contexts
- Entities engaged in compounding or manufacturing follow additional standards (e.g., FDA and USP chapters). Retention periods commonly extend years beyond the beyond-use date; verify your specific obligations and adopt the longest applicable duration.
Bottom line: there is no universal federal “medication record” period. Map all federal rules that apply to your setting, then default to the longest requirement that touches each record type.
State-Specific Retention Laws
State law is typically the primary driver of how long you must retain medication records. Requirements vary widely by state and record type (pharmacy prescription files, hospital records, clinic charts, long-term care MARs).
- Adult patients: states often require 5–10 years after the last encounter or last entry in the record.
- Minors: retention usually runs until the age of majority plus an additional period (commonly 2–7 years). Some states specify a fixed age (e.g., 21 or 23) or a set time after majority.
- Pharmacy prescription records: many states require 3–7 years; others set 10 years. PDMP query documentation may have its own timeline.
- Behavioral health, oncology, and other sensitive services may carry longer requirements.
Action step: verify your state’s medical board, pharmacy board, and health department rules, and write the longest applicable period into your record retention policy for each medication-related record category.
Best Practices for Record Retention
Build a defensible record retention policy
- Inventory medication-related records: e-prescriptions and paper Rxs, dispensing logs, MARs, compounding worksheets, adverse drug event notes, PDMP checks, prior authorizations, and billing support.
- For each record type, list all federal and state drivers (HIPAA documentation, DEA, CMS, state boards) and set the retention period to the longest applicable rule.
- Define the retention “start” (e.g., last entry, discharge date, or prescription fill date) to avoid ambiguity.
Operationalize retention in electronic health records
- Ensure your EHR and pharmacy systems can archive, index, and retrieve records through the full retention period, including metadata and audit trails.
- Use role-based access and encryption to protect protected health information throughout its lifecycle, including backups and offsite archives.
- Document data migrations when changing systems so medication histories remain intact and discoverable.
Risk management and training
- Implement a litigation hold process that suspends destruction when an incident, complaint, or request suggests potential claims or investigations.
- Train staff on what to keep, how long to keep it, and how to store and dispose of it securely.
- Audit compliance periodically; reconcile discrepancies and update schedules when laws change.
Statute of Limitations Considerations
Even when regulations allow destruction, the statute of limitations may require you to retain records longer, or make it prudent to do so. Medication records often play a central role in medical malpractice claims, product liability, or billing disputes.
- Medical malpractice: many states set a 1–3 year limitation period, but “discovery rules,” tolling for minors, and special cases (e.g., foreign objects) can extend timelines.
- Billing and reimbursement: some payers can review claims years after payment; federal false claims actions can reach back 6–10 years.
- Conservative approach: keep adult medication records at least 7–10 years after the last encounter; for minors, retain until the age of majority plus the longest applicable period (often totaling 10–21 years).
When in doubt, choose the longer period that covers both regulatory obligations and the longest reasonably applicable statute of limitations.
Proper Destruction of Medical Records
When a record reaches the end of its retention period and no litigation hold applies, destroy it in a way that renders PHI unusable, unreadable, and indecipherable. Select record destruction methods that match the medium.
Paper records
- Use cross‑cut shredding, pulping, or incineration; do not discard intact records in regular trash or recycling.
- Use secure bins and maintain chain of custody from collection to final destruction.
Electronic records and media
- Follow recognized sanitization standards (e.g., purge or destroy per NIST guidelines) for drives, tapes, and devices.
- Cryptographic erasure is appropriate when strong encryption was in place and keys are destroyed; otherwise, use secure wiping or physical destruction.
- Decommission systems carefully to remove residual PHI from caches, logs, backups, and third‑party integrations.
Third‑party vendors
- Use business associate agreements that specify record destruction methods, timelines, and breach responsibilities.
- Obtain and retain a certificate of destruction for each destruction event.
Documentation of Record Destruction
Maintain a permanent destruction log as part of your record retention policy. This documentation proves compliance during audits and defends your process if a dispute arises.
- Patient identifiers (minimum necessary), record type, and date range covered.
- Retention authority (policy citation and governing law) and reason for destruction.
- Destruction method, date, location, equipment used, and witness (if any).
- Name of the person authorizing destruction and the person or vendor performing it; attach the certificate of destruction.
- Retain destruction logs and HIPAA‑related documentation for at least six years.
Conclusion
Set retention by record type, apply the longest applicable federal, state, and payer rule, and consider the statute of limitations. Store PHI securely for the full period, suspend destruction when needed, and use approved record destruction methods with rigorous documentation. A clear, enforced record retention policy reduces risk and supports safe, high‑quality care.
FAQs
What is the federal retention period for medication records?
No single federal rule sets a universal period for all medication records. HIPAA requires six years of retention for privacy documentation (not the records themselves). DEA rules require at least two years for controlled‑substance records, and Medicare‑related requirements commonly range from five to ten years depending on the program. Always follow whichever period is longest for your situation.
How do state laws affect medication record retention?
State law usually sets the baseline. Adult records often must be kept 5–10 years after the last encounter; for minors, retention typically extends to the age of majority plus additional years. Pharmacy prescription files may carry 3–10‑year requirements. Adopt the longest state or federal rule that applies to each record type.
When can medication records be legally destroyed?
You may destroy records after the longest applicable retention period has passed and no litigation hold, audit, or investigation is pending. Destruction must use approved record destruction methods that make PHI unreadable and must be documented in a permanent destruction log (and, if a vendor is used, supported by a certificate of destruction).
What are the best practices for retaining medication records?
Create a written record retention policy, inventory all medication‑related records, and set periods by the longest applicable rule. Configure electronic health records to archive and retrieve data securely for the full term, train staff, run audits, and apply litigation holds when needed. Document all disposal activity and retain HIPAA documentation for at least six years.