Medicaid Records Retention Requirements: How Long Providers Must Keep Records (Federal and State Guide)

Kevin Henry

Data Protection

February 28, 2026

Getting Medicaid record retention right protects your organization during audits, supports accurate reimbursements, and demonstrates strong compliance. This guide explains how long you must keep records under federal expectations, how state rules change the timeline, and what to do when managed care, audits, or litigation are involved.

Use a simple rule of thumb: retain records for the longest applicable period among federal requirements, state compliance requirements, payer or managed care contract terms, and any audit or litigation holds. When in doubt, choose the longer medical record retention period.

Federal Record Retention Requirements

Core federal expectations

Federal Medicaid rules require providers to maintain complete, accurate records that disclose services rendered, support claims, and allow federal and state reviewers to audit. Records must be readily retrievable and supplied promptly to authorized agencies on request.

Minimum federal retention period in practice

There is no single universal federal number for every provider type and record; however, many Medicaid programs and provider agreements adopt a six-year baseline for clinical and billing documentation. This aligns with common federal program-integrity expectations and the six-year retention of HIPAA compliance documentation. Keep the longer of: six years from date of service, six years from final payment/adjustment, or your state’s required period.

For cost reports, grants, and other federally funded activities tied to Medicaid, maintain supporting financial records for at least three years after the final expenditure report or final settlement—longer if your contract or state rules require it.

What to retain

  • Clinical records: histories, exams, orders, notes, consents, test results, care plans, and discharge summaries.
  • Billing and claims: itemized bills, remittance advices, prior authorizations, referrals, medical necessity documentation, coding worksheets, and correspondence.
  • Administrative: schedules, appointment logs, policies/procedures, and HIPAA-required documentation.
  • Electronic system artifacts: metadata supporting authorship, timestamps, access logs, and audit trails.

When the clock starts

Start counting from the latest relevant event: date of service, final payment or denial, final cost-report settlement, or closure of an appeal. Any audit, overpayment, or investigation can extend the retention period; never destroy records while a review or dispute is pending.

State-Specific Record Retention Requirements

Why state rules matter

States set their own Medicaid record retention requirements, which often exceed federal baselines. Typical medical record retention periods range from three to ten years for adults, with many states landing at five to seven years. For minors, states commonly require retention until a set time after the patient reaches the age of majority.

Common state patterns

  • Adult records: five to seven years after the last encounter is common; some states require longer.
  • Minor records: keep until age of majority plus an additional period (for example, three to ten years).
  • Specialty care: behavioral health, substance use treatment, and long-term care often carry longer timelines.
  • Imaging and dental: diagnostic images, models, and films may have explicit minimums distinct from the chart.

How to confirm your state compliance requirements

  • Check your state Medicaid provider manual and administrative code for “medical record retention periods.”
  • Review your provider agreement and MCO contracts for stricter managed care recordkeeping clauses.
  • Coordinate with counsel or compliance to harmonize state rules with federal retention period expectations.

Record Accessibility and Availability

Who can request records

You must make Medicaid records available to the state Medicaid agency, federal oversight (such as HHS, CMS, and OIG), Medicaid Fraud Control Units, contracted auditors, and managed care organizations when applicable. Access must be timely and without unreasonable delay.

Response time and format

Provider agreements often specify deadlines (for example, within days for routine requests or sooner for investigations). Maintain systems that can produce legible records quickly in paper or electronic form, including signatures, orders, and attachments needed to verify medical necessity and payment accuracy.

Documentation of fulfillment

Log each request, what was produced, by whom, and when. Keep proof of transmittal and receipt. Index your archives so you can retrieve by member, date of service, claim number, and rendering provider.

Record Safeguarding Practices

Administrative, physical, and technical safeguards

Implement health record safeguarding that satisfies HIPAA Privacy and Security Rules: access controls, unique user IDs, role-based permissions, workforce training, sanction policies, and device/room security. Encrypt ePHI at rest and in transit, and enable audit logs to track access and changes.

Minimum necessary and vendor oversight

Disclose only what is necessary to meet a request. Execute business associate agreements with vendors who handle Medicaid records and verify their security practices, incident response, and retention/destruction procedures.

Secure disposal

When retention periods end and no holds apply, destroy records securely: shred paper; sanitize or destroy media and backups. Document destruction decisions with dates and authority.

Record Retention for Managed Care Organizations

Plan and subcontractor obligations

Managed care organizations (MCOs) and their delegates typically must keep contracts, encounter data, provider and member communications, and financial records for extended periods—commonly ten years from the end of the contract or the completion of an audit, whichever is later.

Flow-down to network providers

MCO contracts often require network providers to follow the plan’s longer managed care recordkeeping schedule. Review every contract and amendment for record retention clauses, audit rights, and production timelines, and align your retention schedule accordingly.

Encounter and quality records

Retain encounter submissions, quality measurement support (for example, HEDIS source files), grievances/appeals, and utilization management records for the full contract retention period plus any applicable state extensions.

Record Retention for Litigation and Audits

Litigation hold

When litigation or an investigation is reasonably anticipated or underway, immediately suspend routine destruction for all potentially relevant records (including emails, messages, and backups). Keep them intact until the matter is fully resolved, then resume normal schedules.

Audit and overpayment reviews

For audits, retain all records until the audit is complete, all appeals are exhausted, and final payment determinations are made. Add a buffer period (for example, one to two years) before destruction to cover reopenings or late inquiries.

Documentation quality

Clear, contemporaneous notes, signed orders, and preserved metadata are essential for defending medical necessity, coding, and billing. Validate that scanned images are legible and that electronic records show authorship and timestamps.

Record Retention for Special Patient Categories

Minors

Retain pediatric records until the patient reaches the age of majority and for an additional period set by your state (commonly three to ten years). Because discovery of injury can occur later, adopting a longer timeline is prudent.

Behavioral health and substance use treatment

These records carry heightened confidentiality requirements. Follow the strictest applicable rules and consider longer retention to support continuity of care and defend medical necessity while safeguarding privacy.

Long-term services and supports

For nursing facilities, home health, hospice, and waiver services, keep care plans, assessments, and service logs for longer periods that reflect state facility regulations and payer contracts.

Reproductive health, HIV, and immunizations

Some jurisdictions prescribe specific retention for sensitive services and vaccination histories. Align your schedule so these records remain available for clinical needs and verification across care transitions.

Telehealth and digital artifacts

Retain telehealth consents, platform logs, messages, and attachments with the same medical record retention periods as in-person care. Preserve metadata that demonstrates timing, modality, and clinician involvement.

Conclusion

There is no one-size-fits-all answer for Medicaid record retention. Set policy to keep the longest applicable period across federal expectations, state rules, payer or managed care contracts, and any audit or litigation holds. Build strong safeguards and retrieval processes so you can produce complete records quickly and confidently.

FAQs

What is the minimum federal record retention period for Medicaid providers?

Federal rules do not impose a single uniform time for all providers and records. In practice, many programs and provider agreements adopt a six-year minimum for clinical and billing documentation, with longer timelines applied when contracts, state laws, cost reports, or audits require it.

How do state record retention requirements differ for Medicaid records?

States set their own timelines—commonly five to seven years for adult records, with some states shorter or longer. For minors, states usually require retention until after the age of majority plus additional years. Always follow the longest combination of state and federal requirements.

What safeguards are required for protecting Medicaid records?

Implement administrative, physical, and technical safeguards: role-based access, encryption, audit logs, workforce training, vendor oversight, and secure disposal. Apply minimum-necessary standards and document your security program and risk management activities.

When must Medicaid records be made available upon request?

You must provide records promptly to authorized reviewers—state Medicaid agencies, federal oversight, fraud units, auditors, and managed care plans—within the timeframes in your provider agreement or request letter. Do not delay production due to format; furnish legible copies quickly in paper or electronic form.

How long must records be retained if involved in litigation or audit?

Place an immediate hold and keep all potentially relevant records until the matter is fully resolved and final determinations are issued. After resolution, apply your standard medical record retention periods, adding a prudent buffer before secure destruction.
