New Hampshire Medical Records Retention Requirements: How Long Healthcare Providers Must Keep Patient Records

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

New Hampshire Medical Records Retention Requirements: How Long Healthcare Providers Must Keep Patient Records

Kevin Henry

HIPAA

November 22, 2025

7 minutes read
Share this article
New Hampshire Medical Records Retention Requirements: How Long Healthcare Providers Must Keep Patient Records

General Retention Periods

Baseline timeframes most New Hampshire providers follow

  • Adults: retain the complete medical record for at least 7 years after the last encounter or discharge. Many organizations adopt a 10‑year retention schedule for added risk management and payer audit protection.
  • Key clinical artifacts: keep operative reports, oncology and obstetric records, and advanced directives as long as the core record, and consider extended retention when care has lifelong implications.
  • Imaging: retain radiology, cardiology, and other diagnostic reports for the full record period; maintain images for at least 5–7 years, or longer if clinically prudent.

When to extend the retention schedule

Maintain records beyond the minimum if litigation is reasonably anticipated, a government audit is pending, or contractual obligations (for example, Medicare Advantage or research agreements) require longer storage. Always align with healthcare licensing requirements and internal policy.

What “last encounter” means

The clock typically starts at the most recent date the patient received care, consultation, or was discharged. If a patient intermittently returns, the retention period refreshes with each new encounter.

Retention Requirements for Minors

Standard rule of thumb

Keep a minor’s record until the later of: (1) the child reaching age 18, plus 7 additional years (commonly through the 25th birthday), or (2) at least 7 years after the last encounter. This approach preserves continuity into early adulthood and addresses delayed claim timelines.

Special situations

  • Emancipated minors: retain for at least 7 years after the last encounter, as with adults.
  • Perinatal and neonatal care: retain maternal and newborn records for the longer of the mother’s or child’s required period, since conditions are interrelated.
  • Immunizations: preserve the immunization history indefinitely within your EMR or ensure it is accurately transmitted to the state registry.

Electronic Medical Records Compliance

HIPAA compliance and documentation

HIPAA does not impose a single nationwide medical record retention period, but it requires you to retain HIPAA policies, procedures, and other required documentation for at least six years from the date of creation or last effective date. Keep those materials alongside your record retention policy.

Data security protocols for EMRs

  • Access control: role‑based access, unique user IDs, and multi‑factor authentication to protect patient record confidentiality.
  • Encryption: encrypt ePHI in transit and at rest; manage keys securely.
  • Auditability: enable audit logs for access, edits, exports, and disclosures; review alerts for anomalous activity.
  • Integrity: use hashing/checksums and versioning to prevent and detect unauthorized alteration of records.

Backup, disaster recovery, and archiving

  • Backups: maintain daily incremental and routine full backups; test restores regularly.
  • Business continuity: document RTO/RPO targets and validate them through tabletop exercises.
  • Archiving: when records age out of the live EMR, move them to a searchable, vendor‑neutral archive that preserves metadata and can produce legible copies on demand throughout the retention schedule.

Vendor management

Execute business associate agreements, confirm data portability, and require exit services (data export, verification, and destruction certificates) to ensure continuity if you change systems.

Record Storage Upon Facility Closure

Plan and designate a custodian

Appoint a records custodian to manage medical record storage, respond to requests, and uphold your patient information release policy for the full retention period after closure.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Notify patients and stakeholders

  • Provide 30–60 days’ advance notice via mail, portal, and on‑site signage with instructions for requesting records.
  • File forwarding information with state licensing authorities and payers so patients and auditors can locate records.

Store, transfer, and destroy securely

  • Store paper in secure, access‑controlled facilities; encrypt electronic archives.
  • Arrange orderly transfer to successor providers when appropriate, with written chain‑of‑custody.
  • After the retention schedule expires, destroy records using methods that render PHI unreadable and irretrievable, documenting the process.

Retention for Physicians and Hospitals

Office‑based physicians

Maintain adult records for at least 7 years after the last visit; for minors, through at least age 25. Consider 10 years for high‑risk specialties. Keep scheduling logs and billing abstracts long enough to reconcile payer reviews and appeals.

Hospitals and health systems

  • Inpatient and outpatient hospital records: many facilities adopt 10‑year retention to support risk, accreditation, and audit needs.
  • Permanent indexes: retain a master patient index, birth/death logs, and operating room logs permanently or for an extended period per hospital policy.
  • Specialty sets: obstetric, oncology, transplant, and complex surgical records often merit extended retention due to long‑term clinical relevance.

Retention for Home Health and Laboratory Records

Home health agencies

Keep clinical records for at least 5 years after discharge to meet federal program expectations; many agencies standardize on 7–10 years to align with enterprise retention schedules and HIPAA documentation cycles.

Clinical laboratories (CLIA‑oriented baselines)

  • Test reports and requisitions: retain at least 2 years.
  • Quality control, proficiency testing, and instrument maintenance records: retain at least 2 years.
  • Cytology slides: retain at least 5 years; histopathology slides: at least 10 years; paraffin blocks: at least 2 years.
  • Transfusion‑related and blood bank records: retain for extended periods (commonly 10 years) under applicable federal requirements.

Where state or accreditation standards are stricter, follow the longer requirement.

Policies for Safeguarding and Release of Records

Safeguarding PHI

  • Adopt written data security protocols that cover access, encryption, device/media controls, remote work, and vendor oversight.
  • Train workforce members on patient record confidentiality and the minimum necessary standard; refresh training annually and upon policy changes.
  • Maintain an incident response and breach notification procedure that coordinates HIPAA and state law duties.

Patient access and copies

  • Respond to access requests within 30 days and document any permitted extension.
  • Provide records in the format requested if readily producible; otherwise offer an alternative readable format.
  • Charge only a reasonable, cost‑based fee permitted by HIPAA; confirm any New Hampshire‑specific limits before billing.

Third‑party disclosures

  • Use valid, written authorizations when required; verify identity and authority before releasing records.
  • Apply stricter rules for specially protected information (for example, substance use disorder treatment under federal Part 2, certain mental health notes, and HIV‑related data).
  • Maintain an accounting of disclosures when required and retain supporting documentation for at least six years.

Key takeaways

Set a clear retention schedule, defaulting to at least 7 years for adults and to the 25th birthday for minors, with longer periods for hospitals and high‑risk specialties. Pair sound medical record storage with HIPAA compliance, robust security, and a patient‑centered release process.

FAQs

How long must medical records be retained in New Hampshire?

A practical standard is to retain adult records for at least 7 years after the last encounter, with many organizations adopting a 10‑year period for added protection. Certain records and specialties may warrant longer retention based on clinical value, risk, or contractual requirements.

What are the retention requirements for minors' medical records?

Retain a minor’s chart until the later of 7 years after the last encounter or the patient’s 25th birthday (18 plus 7 years). Keep immunization histories long term and coordinate maternal/newborn records so that both remain available for the longer applicable period.

How should electronic medical records be maintained?

Maintain EMRs in a format that remains readable and retrievable for the full retention schedule, with encryption, access controls, audit logs, tested backups, and vendor‑neutral archiving. Keep HIPAA policies and required documentation for at least six years and verify business associate safeguards.

What procedures must be in place for releasing patient information?

Adopt a patient information release policy that verifies identity, applies the minimum necessary standard, and uses valid authorizations where required. Respond to patient access requests within 30 days, provide copies in a readily producible format, charge only reasonable cost‑based fees, and apply heightened protections to specially sensitive records.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles