PHI Retention Requirements Explained: How Long to Keep Records Under HIPAA and State Law


Kevin Henry

HIPAA

May 04, 2026


PHI retention affects how you manage protected health information across its lifecycle—from creation and storage to secure disposal. To stay compliant, you must separate HIPAA’s documentation rules from state medical record mandates, align business associate agreements, and enforce privacy and security protections at every step.

This guide clarifies what HIPAA actually requires, how state laws drive record retention for patients, which secure disposal procedures to use, and how to handle exceptions so your policies are defensible and practical for covered entities and their partners.

HIPAA Compliance Documentation Retention

HIPAA does not impose a national retention period for medical records themselves. Instead, it requires you to keep compliance documentation—your policies, procedures, and evidence of required actions—for six years from the date of creation or the date last in effect, whichever is later. That six‑year rule applies under both the Privacy Rule and Security Rule.

What to retain for six years

  • Written privacy and security policies and procedures, including version history and approvals.
  • Risk analyses, risk management plans, and evaluations of safeguards.
  • Training materials and attendance records for workforce members.
  • Incident/breach documentation, mitigation steps, and notification records.
  • Designations (privacy officer, security official) and sanctions records.
  • Notices of Privacy Practices and acknowledgments.
  • Business associate agreements and amendments as part of compliance documentation.
  • Logs that support required activities (for example, accounting of disclosures covering the prior six years).

Apply the “last in effect” rule: if you replace a policy on March 1, 2024, you must retain the old version until March 1, 2030. Always suspend destruction under a legal hold or investigation, even if the retention clock has run.

State Medical Record Retention Laws

State law—not HIPAA—typically dictates how long you must keep patient medical records. Legal retention mandates vary by state, care setting (hospital vs. physician office), and record type. Many states require 6–10 years for adult records; for minors, retention often extends to the age of majority plus additional years. Behavioral health, oncology, and imaging may carry longer periods.

How to operationalize state rules

  • Build a jurisdiction map listing statutes and board rules for each practice location.
  • Differentiate by record type (e.g., ambulatory chart, inpatient record, diagnostic images, fetal monitor strips, research files).
  • Use the longest applicable period when multiple laws or contracts apply (state law, licensing, payer agreements, accreditation).
  • Remember that some payer or program contracts (for example, certain federal program arrangements) may require retention of underlying records for up to 10 years.
  • Apply the same timeline to electronic and paper designated record sets, including metadata needed to render the record complete.

When in doubt, document your interpretation, cite the source authority, and confirm with counsel—especially for multi‑state operations or specialized services.

Disposal of Protected Health Information

Once legal retention mandates are met, you must dispose of PHI using secure disposal procedures that prevent reconstruction and uphold privacy and security protections. Your methods should match the medium and be documented, verified, and repeatable.


Approved methods

  • Paper: cross‑cut shredding, pulping, pulverizing, or incineration performed under supervision.
  • Electronic media: sanitization aligned with recognized guidance (e.g., NIST SP 800‑88), including secure wipe/overwrite, cryptographic erasure, degaussing, or physical destruction of drives and removable media.
  • Devices: remove PHI, wipe to an approved standard, and verify before redeployment or recycling.

Process controls that prove compliance

  • Written destruction schedules tied to retention rules and legal holds.
  • Chain‑of‑custody logs from collection through final destruction.
  • Certificates of destruction from vetted vendors with signed business associate agreements.
  • Restricted access to staging areas; no open “to be shredded” bins in public or mixed‑use spaces.
  • Quality checks and periodic audits to confirm methods remain effective.

Business Associate Agreement Requirements

Business associates that create, receive, maintain, or transmit PHI on your behalf must operate under business associate agreements. BAAs set privacy and security expectations, define permitted uses and disclosures, and address what happens to PHI when the contract ends.

Key BAA terms for retention and disposition

  • Return or destruction: on termination, the BA must return or destroy PHI within a defined timeframe and format.
  • Privacy and security protections: if retention is necessary, the BA continues safeguard obligations, limits use to archival/legal purposes, and prevents further disclosure.
  • Subcontractors: downstream vendors must agree to the same protections and retention rules.
  • Breach/incident reporting: timely notice, cooperation, and documentation requirements.
  • Verification: certification of destruction or return, with evidence available upon request.
  • Access and correction support: BA assists the covered entity in fulfilling patient rights within required timelines.

Maintain a central inventory of BAAs, track renewal dates, and retain each agreement as compliance documentation for at least six years after it is last in effect.

Exceptions to Return or Destruction of PHI

HIPAA recognizes that returning or destroying PHI may be infeasible in limited circumstances. Common exceptions include records that must be retained by law, data subject to a litigation hold, immutable audit logs, or backup media that cannot be segregated without undue burden.

How to handle exceptions correctly

  • Document the specific reason return/destruction is infeasible and cite the governing requirement.
  • Continue privacy and security protections, restrict access, and prohibit any new uses or disclosures.
  • Apply a defined retention period for the residual PHI and schedule destruction when the exception ends.
  • Encrypt at rest, monitor access, and keep an accounting of disclosures covering the required lookback.

Implementing Secure PHI Management Policies

A defensible program connects legal retention mandates to day‑to‑day operations. Treat PHI retention as a lifecycle discipline that integrates governance, technology, and vendor oversight for covered entities and their business partners.

Step‑by‑step roadmap

  1. Inventory systems and data flows holding PHI; classify by record type and business purpose.
  2. Map applicable laws, contracts, and accreditation rules; select the longest mandatory period per record category.
  3. Publish a records retention schedule that distinguishes medical records from HIPAA compliance documentation.
  4. Automate holds and time‑based disposition using EHR and content management tooling; validate with periodic sampling.
  5. Standardize secure disposal procedures for paper and ePHI; require certificates of destruction and BAAs with vendors.
  6. Train workforce annually and on role‑specific procedures; document attendance and competency.
  7. Monitor with audits, incident trend reviews, and metrics (e.g., timely destructions, exceptions closed, vendor attestations).
  8. Review the schedule at least annually and upon regulatory changes; update policies and communicate revisions.

Conclusion

In short, HIPAA mandates six‑year retention of compliance documentation, while state law primarily determines how long you keep patient records. Build policies that honor the longest applicable rule, dispose of PHI securely, set clear BAA obligations, and document any exceptions. This approach reduces risk and proves compliance with both privacy and security protections.

FAQs

What is the minimum retention period for PHI under HIPAA?

HIPAA does not set a national minimum for retaining patient medical records. It does require you to keep HIPAA compliance documentation—such as policies, risk analyses, training records, BAAs, and required logs—for six years from creation or last effective date. Your medical record retention period comes from state law and other applicable requirements.

How do state laws affect PHI retention requirements?

State laws typically establish how long you must keep medical records, and they vary by state, record type, and patient status. Many require 6–10 years for adults and longer for minors (often age of majority plus additional years). Always follow the longest applicable rule across state statutes, licensing, and payer or program contracts.

What are the secure disposal methods for PHI?

Use methods that prevent reconstruction: cross‑cut shredding, pulping, pulverizing, or incineration for paper; and NIST‑aligned secure wiping, cryptographic erasure, degaussing, or physical destruction for electronic media. Maintain chain‑of‑custody, obtain certificates of destruction, and ensure vendors operate under business associate agreements.

What obligations do business associates have regarding PHI after contract termination?

Under business associate agreements, BAs must return or destroy PHI promptly at termination. If return or destruction is infeasible, they may retain only what is necessary, must continue privacy and security protections, restrict all other uses or disclosures, and document the retention. The BAA and supporting records should be retained as compliance documentation for at least six years after last in effect.
