Medicare Records Retention Requirements: How Long Providers Must Keep Medical, Billing, and Cost Report Documents

Medical Record Retention Periods

Core timeframes you can rely on

You should treat Medicare Fee-For-Service retention as a minimum operating standard and keep medical and billing records long enough to satisfy audits, appeals, and state medical record statutes. A widely adopted benchmark is at least seven years from the date of service (or discharge/last encounter for an episode of care). Many organizations extend certain records to ten years to cover longer lookbacks and align with managed care obligations.

Hospitals operating under Medicare Conditions of Participation generally maintain adult patient records for five years (six for critical access hospitals), but this does not replace longer requirements you may face under state law, payer contracts, or litigation holds. For minors, retain records until the age of majority is reached, then add the applicable retention period.

What counts as “medical and billing” documentation

• Clinical content: histories, physician orders, progress notes, diagnostic test results and images, care plans, consents, discharge summaries, and care coordination notes.
• Billing support: claim forms (UB-04/837I, CMS-1500/837P), coding abstracts, charge capture, itemized statements, medical necessity documentation, ABNs/prior authorizations/referrals, and correspondence with MACs and auditors.

When to extend beyond your baseline

• Active or threatened audits (RAC, UPIC, SMRC, MAC), appeals, overpayment demands, or investigations.
• Open incidents, malpractice claims, sentinel events, or government inquiries.
• Research-related records tied to care, and records subject to special state rules (behavioral health, oncology, imaging).

Cost Report Documentation Retention

Required retention period and start point

Retain Medicare cost report workpapers and supporting financial/statistical records for at least five years after the cost report closure date. In practice, closure is commonly tied to the MAC’s final settlement or issuance of the Notice of Program Reimbursement (NPR). If the report is reopened, appealed, or under investigation, continue retention until final resolution, then at least five additional years.

What to keep to defend your cost report

• Filed cost report package and all iterations; correspondence with the MAC.
• Trial balance, general ledger, journals, and reconciliations linking books to the report.
• Statistics and allocation bases, time studies, cost apportionment methodologies, wage index support, bad debt logs, charity care documentation, related-party and home office allocations.
• Provider-based attestations, organ acquisition support, and any schedules used to derive worksheet entries.

Practical tips

• Calendar the expected NPR to calculate the five-year window correctly.
• Maintain a segregation of duties so original source data, summaries, and reviewer sign-offs are clearly traceable.
• Mirror retention in Medicaid cost reporting and other payers where periods differ, defaulting to the longest applicable rule.

Medicare Managed Care Record Requirements

The 10-year rule for Medicare Advantage and Part D

For Medicare managed care, retain records for 10 years. This applies to Medicare Advantage organizations, Part D sponsors, and their first-tier, downstream, and related entities. The clock generally runs from the end of the final contract period or the completion of an audit, with extensions during investigations, litigation, or audit holds.

Obligations for network providers

If you contract with an MA or Part D plan, you must keep clinical and billing documentation, make it readily retrievable, and furnish it to the plan, CMS, OIG, and contractors upon request during the retention window. Aligning your enterprise policy to a 10-year horizon simplifies compliance across payer types.

Acceptable Record Formats

Paper, electronic, microform, and hybrid systems

Medicare permits paper and electronic formats as long as records are complete, legible, accurate, and retrievable within required time frames. Scanned images, microfilm/microfiche, and electronic medical records are acceptable if they faithfully reproduce the original content, including signatures and amendments.

Electronic medical record security and integrity

Protect ePHI using role-based access, unique user IDs, multi-factor authentication where feasible, encryption in transit and at rest, routine backups, and tested restorations. Maintain audit trails that capture creation, edits, late entries, and electronic signatures. These controls support patient confidentiality standards while proving record authenticity during reviews.

Signatures, amendments, and readability

• Electronic signatures must be attributable, time-stamped, and tamper-evident.
• Late entries and corrections should be dated, signed, and never obscure prior entries.
• Ensure long-term readability (file formats, viewer availability) and maintain index metadata to enable rapid retrieval.

Influence of State Laws

Follow the most stringent rule

Federal Medicare requirements set a floor, not a ceiling. If state medical record statutes, board rules, or tort statutes of limitation require a longer retention period, you must adopt the longer timeline. If state rules are shorter, retain long enough to satisfy federal and contract requirements.

Special state-driven scenarios

• Minors: retain until the patient reaches majority, then add the adult retention period.
• Sensitive services (behavioral health, oncology, imaging): state laws often extend timelines or add content rules.
• Record ownership and access: state provisions can affect how long and in what form you must preserve patient-accessible copies.

Secure Record Destruction Practices

Establish defensible record destruction protocols

Use a written schedule that maps each record type to its retention period and destruction method. Before destroying, check for holds (audits, appeals, litigation, cost report reopenings). Keep a destruction log capturing record types, dates, volumes, methods, and authorizations; if you use a vendor, retain a certificate of destruction.

Approved methods

• Paper: cross-cut shredding, pulping, or incineration to render PHI unreadable.
• Electronic media: secure wipe/overwrite, cryptographic erasure, degaussing, or physical destruction (e.g., shredding drives).
• Backups and replicas: apply the same lifecycle controls so expired data does not persist offsite.

Compliance and Penalties for Non-Compliance

What’s at stake

• Claim denials and repayment demands; extrapolated overpayment recoveries following audits.
• Civil monetary penalties and potential False Claims Act exposure when documentation is missing or inadequate.
• Contract sanctions in Medicare Advantage and Part D programs.
• Medicare enrollment revocation for failing to maintain or produce records when required, which can trigger re-enrollment bars and reputational harm.

Practical steps to stay compliant

• Create a retention matrix covering medical, billing, imaging, and cost report records, including the cost report closure date for each fiscal year.
• Standardize on seven to ten years for clinical and billing records unless a longer state or contract rule applies.
• Use centralized repositories with role-based access, audit logs, and disaster recovery.
• Train staff on documentation standards, retrieval timelines, and hold procedures.
• Periodically audit retrieval speed, completeness, and your record destruction protocols.

Conclusion

Set clear timelines, track your cost report closure date, honor the longest applicable rule (federal, state, or contract), and secure both paper and electronic records. Robust retention and defensible destruction minimize audit risk, prevent overpayment exposure, and protect your Medicare participation.

FAQs

What is the standard retention period for Medicare Fee-For-Service medical records?

A practical standard is at least seven years from the date of service (or discharge/last encounter for an episode of care). Some provider types have shorter federal minimums, but many organizations choose seven to ten years to accommodate audits, appeals, and state requirements.

How long must providers retain cost report records after closure?

Keep cost report documentation for at least five years after the cost report closure date—commonly the MAC’s final settlement or NPR. If the report is reopened, appealed, or under investigation, retain records until the matter is fully resolved, then for at least five additional years.

Are electronic records acceptable under Medicare retention rules?

Yes. Electronic records are acceptable if they are complete, accurate, readily retrievable, and protected by strong electronic medical record security controls (access management, encryption, backups, and audit trails). Electronic signatures and time-stamped amendments are appropriate when they ensure authenticity and integrity.

Do state laws override federal Medicare record retention requirements?

You must follow the most stringent rule. Federal requirements set minimums, but if state medical record statutes require longer retention, the state timeline governs. If state rules are shorter, keep records long enough to satisfy federal and contract obligations.

What are the consequences of failing to comply with Medicare record retention policies?

Consequences include claim denials, extrapolated overpayment recoveries, civil monetary penalties, potential False Claims Act exposure, contract sanctions in managed care, and even Medicare enrollment revocation for failure to maintain or produce required records.