Pennsylvania Medical Records Retention Requirements (2026): How Long Providers Must Keep Patient Records

General Retention Periods

At‑a‑glance retention schedule for adult patient records

• Hospitals: Keep records for at least 7 years after the patient’s discharge.
• Ambulatory surgical facilities (ASFs): Keep records for at least 7 years after discharge.
• Physicians (MDs): Keep records for at least 7 years from the date of the last medical service documented.
• Osteopathic physicians (DOs): Keep records for at least 7 years from the last entry in the record.

These periods come directly from Pennsylvania’s facility regulations and professional board rules. Hospitals and ASFs follow 28 Pa. Code Chapter 115 and Chapter 563. Physicians licensed by the State Board of Medicine follow 49 Pa. Code § 16.95; osteopathic physicians follow 49 Pa. Code § 25.213. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Retention Requirements for Minors

How long to keep minor records (by provider type)

• Hospitals and ASFs: Retain until the patient reaches age 18, then keep for an additional 7 years (effectively until at least age 25).
• Physicians (MDs): Retain until 1 year after the patient reaches age 18 (at least until age 19), even if that exceeds 7 years from last service.
• Osteopathic physicians (DOs): Retain until 2 years after the patient reaches age 18 (at least until age 20) or 7 years from the last entry, whichever is later.

These minor‑specific rules are explicit in the Pennsylvania Code and differ slightly between MDs and DOs. Facilities use the “majority plus seven years” formula; MDs and DOs use board‑specific timelines to ensure records remain available through the post‑majority claims window. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Mandatory Record Content

Physician records (office and clinic settings)

• Information sufficient to clearly identify the patient; the identity of the person making each entry (if not the physician); and the date of each entry.
• Patient complaints and symptoms; diagnoses; findings and results of laboratory, pathology, and radiology examinations.
• Treatments, procedures, and prescription drug orders; timely, legible, and complete entries. ([regulations.justia.com](https://regulations.justia.com/states/pennsylvania/title-49/part-i/subpart-a/chapter-16/subchapter-f/section-16-95/))

Hospital and ASF records (facility settings)

• Comprehensive record for each episode of care; records must be complete, readily accessible, and available to the care team.
• Consultation reports; nurses’ notes; entries by privileged professionals; lab and imaging results; operative reports; clinical résumés; discharge summaries; entries dated and authenticated. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Pennsylvania’s facility rules spell out essential content and documentation standards to support accurate diagnosis, treatment, and continuity of care—cornerstones of sound health information management. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Storage and Security Guidelines

Core Pennsylvania requirements

• Store medical records to protect them from loss, damage, and unauthorized access (applies to hospitals and ASFs).
• Treat all records as confidential; allow access only to authorized personnel; maintain any patient authorization for external release within the original record.
• Ownership: Hospital and ASF records are the property of the facility, though copies may be provided for authorized purposes. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

HIPAA overlay you must follow

• Right of access: Respond to patient access requests within 30 days (one 30‑day extension allowed with written notice).
• Fees: For a patient’s own request, charge only a reasonable, cost‑based fee limited to labor for copying, supplies, and postage (if mailed), and any agreed‑upon summary costs. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524))

Records disposal protocols

• Apply appropriate safeguards when disposing of PHI (paper or electronic). Shred, pulverize, or otherwise render PHI unreadable; for ePHI, sanitize or destroy media before reuse or disposal.
• Implement device and media controls and create a retrievable backup copy of ePHI, as needed, before moving or decommissioning equipment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))

Following these patient confidentiality regulations and healthcare record storage compliance rules helps you meet both state and federal expectations and reduces breach risk. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Patient Access Rights

What Pennsylvania facilities must provide

• Hospitals and ASFs must give patients (or designees) access to or copies of their medical records upon request; for deceased patients, hospitals must provide access to the executor or, if none, the next of kin responsible for remains. Charges must be reasonably related to reproduction costs. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

How HIPAA shapes access for all providers

• Patients may inspect or obtain copies (paper or electronic) of information in the designated record set; you must provide in the requested form and format if readily producible.
• Act within 30 days; if you need more time, send written reasons and give a firm date (one extension, up to 30 days). Limit fees to HIPAA’s cost‑based standard for patient‑initiated requests. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524))

Together, these medical record access rights ensure timely, affordable access for patients while allowing providers to recoup reasonable copy costs. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524))

Procedures for Discontinuation of Practice

When a facility closes (hospitals and ASFs)

• Notify the Department where records will be stored; ensure a retrieval service for at least 5 years after closure.
• Before destruction, publish public notice (legal notice plus display advertisement) in a newspaper of general circulation to let former patients or representatives claim their records. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

When a practitioner departs an employer (new statewide rule effective January 1, 2025)

• Employers must, within 90 days of the practitioner’s departure, notify patients seen within the past year.
• The notice must state the departure, explain how patients can transfer their health records to continue care with the departed practitioner or another practitioner, and inform patients they may be assigned to a new practitioner within the employer if they choose. ([legis.state.pa.us](https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2024/0/0074..HTM))

For solo or group practices, also confirm who will serve as the custodian of records and keep your retention schedule and records disposal protocols intact throughout and after the transition. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524))

Electronic Records Management

Format neutrality: same retention, stronger safeguards

Pennsylvania expressly permits automation/computerization of medical records as long as all chapter requirements are met and information remains readily available for patient care. Retention schedules apply equally to paper and electronic health records (EHRs). ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

Practical steps for compliant EHR stewardship

• Document a medical records retention schedule that covers paper and ePHI; align it with the rules above.
• Maintain auditability and integrity when scanning or converting records; preserve dates, authorship, and required signatures.
• Before migrating systems or retiring devices, create a retrievable, exact copy of ePHI as needed; verify the migrated dataset; and sanitize or destroy legacy media per HIPAA device/media controls. ([ecfr.io](https://ecfr.io/Title-45/Section-164.310?utm_source=openai))
• Ensure secure disposal of ePHI and paper per HHS guidance; use vetted vendors under business associate agreements where appropriate. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?utm_source=openai))

Conclusion

Your medical records retention schedule in Pennsylvania hinges on provider type: hospitals/ASFs keep records 7 years post‑discharge, MDs keep them 7 years from last service, and DOs keep them 7 years from last entry—with longer timelines for minors. Pair these timelines with rigorous storage, confidentiality, access, and disposal controls, and you will satisfy state law and HIPAA while supporting high‑quality health information management. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

FAQs

How long must medical records be retained in Pennsylvania?

It depends on the setting and license. Hospitals and ASFs must keep records for at least 7 years after discharge. Physicians (MDs) must retain records at least 7 years from the last medical service; osteopathic physicians (DOs) must retain them at least 7 years from the last entry. Longer periods can apply for minors (see next question). ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

What are the retention requirements for minor patient records?

Hospitals and ASFs must keep a minor’s record until the patient turns 18, then for 7 more years (to at least age 25). MDs must keep a minor’s record until 1 year after the patient turns 18 (at least age 19), and DOs must keep it until 2 years after 18 (at least age 20) or 7 years from the last entry, whichever is later. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))

What information is required to be included in medical records?

Physician records must clearly identify the patient, record who made each entry and when, and document complaints, symptoms, diagnoses, test results, treatments, and prescriptions. Facility records add consultation reports, nurses’ notes, operative and pathology reports, discharge summaries, and authentication of entries. ([regulations.justia.com](https://regulations.justia.com/states/pennsylvania/title-49/part-i/subpart-a/chapter-16/subchapter-f/section-16-95/))

How are electronic medical records managed according to retention laws?

Pennsylvania allows computerized records if they remain readily available for care, and the same retention timelines apply to EHRs as to paper. You must also follow HIPAA’s device and media controls—back up ePHI as needed before system changes, and properly sanitize or destroy media on retirement or reuse. ([pacodeandbulletin.gov](https://www.pacodeandbulletin.gov/Display/pacode?d=&file=%2Fsecure%2Fpacode%2Fdata%2F028%2Fchapter115%2Fchap115toc.html))