Michigan Medical Records Retention Requirements: How Long Providers Must Keep Patient Records

General Retention Period

Core timeline providers should plan around

Under Michigan’s medical records retention law framework, most health facilities and providers plan for a minimum retention period of at least seven years from the date of last service or discharge for adult patients. For minors, retain the record at least until one year after the patient turns 18 (age 19) and never less than seven years. When multiple rules apply, follow the longest time frame.

Aligning policy across settings and systems

Create one written retention schedule that applies across paper and electronic health records (EHRs), including progress notes, imaging, labs, orders, consents, messages, recordings, and audit logs. Clearly label it as your Medical Records Retention Law policy and train staff on how to apply it to encounters, addenda, and late results.

When to go beyond the minimum

Consider adopting a 7–10 year baseline for adults to cover payer contract lookbacks, malpractice risk horizons, and research or device documentation needs. If you participate in federal programs, remember HIPAA requires you to keep privacy and security documentation for six years, which can overlap with record retention but is a separate obligation.

Extended Retention Period for Sensitive Records

Minors, obstetrics, and pediatrics

Because claims may arise years after birth or adolescence, many providers keep obstetric, neonatal, and pediatric records longer than the general minimum. A practical approach is to retain maternal and newborn records for at least the minor’s retention rule and, when possible, align mother–infant records so they can be located together.

Oncology, implants, and transplants

For oncology, transplant, and implanted device cases, longer Sensitive Records Retention helps with continuity of care and device surveillance. Keep operative reports, device identifiers, and implant logs well beyond general minimums; many organizations retain implant logs indefinitely and clinical details for 10 years or longer.

Behavioral health and substance use treatment

Behavioral health and substance use disorder programs carry heightened Patient Record Confidentiality obligations (for example, additional consent rules). Retention time frames often match medical records, but you should ensure access controls, redisclosure warnings, and destruction procedures reflect program-specific rules.

Imaging and mammography

Radiology images and reports are often retained for 7–10 years. Mammography carries specific federal program requirements; many facilities keep mammograms and reports for at least five years and up to 10 years when patients are not routinely returning to the same facility, or longer if state policy or risk management dictates.

Research and clinical trials

For FDA-regulated studies, investigators generally must keep study records for at least two years after certain closure or approval milestones. If research data are part of the designated record set, apply the longest applicable requirement and document it in your retention matrix.

Destruction of Medical Records

Pre-destruction controls

• Confirm the retention period has been met and no litigation hold, audit, or investigation applies.
• Obtain Record Destruction Authorization from your privacy or compliance officer that lists what will be destroyed, why, and on what date.
• Validate that destruction covers duplicates, offsite boxes, scanned images, EHR attachments, and backups scheduled for purge.

Documentation of destruction

Maintain a destruction log for Healthcare Compliance Penalties defense. Include the date, method, description or range of records, quantity or volume, and the names and signatures of staff or the vendor’s certificate of destruction. Keep the log permanently or per your compliance record schedule.

Protecting confidentiality during destruction

Destruction must preserve Patient Record Confidentiality from start to finish. Use locked containers, verified chain-of-custody, and vetted vendors under a business associate agreement where required. Train staff to recognize and immediately report any breach risks during staging or transport.

Record Disposal Methods

Paper and film

• Cross-cut shredding to unreconstructable size suitable for recycling.
• Pulping, pulverizing, or incineration in compliance with environmental rules.
• Secure staging and sealed bins until destruction is complete, with Record Disposal Security checks at each handoff.

Electronic media

• Apply industry-accepted sanitization (for example, purge, clear, or destroy methods appropriate for the medium).
• Cryptographic erasure when full-disk encryption is used and keys are irretrievably destroyed.
• Physical destruction (shredding, crushing, or degaussing) for end-of-life drives, tapes, and removable media.
• Don’t forget shadow data: caches, downloads, clinician device storage, EHR test/training instances, and legacy backups.

Penalties for Non-Compliance

Licensure and state enforcement

Michigan regulators can impose Healthcare Compliance Penalties that include reprimand, probation, fines, or license limitations or suspension for failing to maintain, secure, or properly dispose of records. Poor documentation during practice sales or closures can also trigger disciplinary exposure.

Federal privacy and security exposure

HIPAA enforcement actions may result in corrective action plans and civil monetary penalties for impermissible disclosures, access delays, or insecure disposal. Breach notification and credit monitoring costs are common secondary impacts.

Civil litigation and payer consequences

Improper destruction can lead to spoliation in lawsuits, adverse inferences, and higher settlements. Payers may recoup overpayments or impose sanctions when documentation is missing during audits or investigations.

Ownership and Access of Records

Who owns what

In Michigan, the provider or facility generally owns the physical or electronic record, while the patient owns the information in it. Patients hold broad Patient Access Rights to inspect or receive copies, with limited exceptions permitted by law.

Responding to requests

Respond promptly—ordinarily within HIPAA’s 30-day window (with a permissible one-time extension)—and in the form and format requested when readily producible. Fees must comply with state and federal rules and should be reasonable and cost-based.

Minimum necessary and confidentiality

Apply the minimum necessary standard for routine disclosures and maintain Patient Record Confidentiality during intake, verification of identity, fulfillment, and delivery. Track disclosures where required and educate staff to avoid unauthorized redisclosures.

Special Circumstances in Retention

Litigation holds and investigations

Immediately suspend destruction when you anticipate or receive notice of litigation, subpoenas, audits, or investigations. Communicate holds to all custodians, including vendors, and monitor compliance until the hold is lifted.

Practice closures, mergers, and EHR migrations

Designate a records custodian, notify patients how to request records, and publish forwarding information. During migrations, map all data elements, preserve audit logs, and test retrieval of legacy records before decommissioning systems.

Telehealth and modern data sources

Include chat transcripts, images, remote monitoring feeds, and recordings that form part of the legal medical record. Ensure retention applies equally to third-party telehealth platforms, with contractual rights to export or destroy data securely.

Employee medical and exposure records

If you are an employer, remember that employee medical and exposure records have distinct retention rules that can extend to 30 years—separate from patient records—so maintain them under a different schedule and secure location.

Key takeaways

• Adopt a written Medical Records Retention Law policy with a baseline of at least seven years for adults and longer for minors.
• Extend retention for high-risk scenarios (obstetrics, oncology, implants, mammography, and research) and always apply the longest rule.
• Require Record Destruction Authorization, keep detailed logs, and use secure disposal methods for paper and electronic media.
• Protect Patient Record Confidentiality at every step and prepare for audits by documenting decisions.

FAQs.

What is the minimum retention period for medical records in Michigan?

A practical statewide baseline is at least seven years from the last encounter or discharge for adults. For minors, retain records until at least one year after the patient turns 18 (age 19), and never less than seven years. If a payer, program rule, or specialty standard is longer, follow the longest applicable period.

How should medical records be destroyed to maintain confidentiality?

Use secured, documented processes: cross-cut shredding, pulping, or incineration for paper; and validated electronic sanitization or physical destruction for media. Lock bins, maintain chain-of-custody, obtain Record Destruction Authorization, and keep certificates or logs as proof of compliant destruction.

Who owns the medical records in Michigan?

The provider or facility owns the physical or electronic record, but the patient owns the information in it and has Patient Access Rights to inspect or obtain copies, subject to limited legal exceptions and reasonable, cost-based copy fees.

What penalties exist for non-compliance with retention laws?

Consequences can include state licensure discipline, civil or administrative fines, HIPAA enforcement actions, payer recoupments, and litigation sanctions for spoliation. Strong retention, access, and destruction controls reduce these Healthcare Compliance Penalties risks.