Medical records retention is an important part of delivering quality care and maintaining patient trust.
A proper retention schedule helps healthcare providers protect sensitive information, improve data security, and stay organized.
In this guide, we will explore medical records retention requirements, the role of the Health Insurance Portability and Accountability Act (HIPAA) in records retention, and industry best practices for managing medical records efficiently and securely.
By following these recommendations, you can stay compliant, protect patient privacy, and make managing health records simpler and more effective.
What is Medical Records Retention?
Medical records retention is the process of maintaining and storing protected health information (PHI) for a specific period of time as required by law. This includes both electronic and paper-based records containing private medical details, such as diagnoses, treatments, clinical notes, lab results, and medical history.
Proper medical records retention plays a key role in supporting patient care and ensuring the healthcare system runs smoothly.
Healthcare providers are encouraged to keep records organized to support long-term patient treatment and to prepare for potential situations like medical malpractice claims, licensing board reviews, or medical billing audits.
Why is Medical Records Retention Important?
Medical records retention, along with proper destruction, is critical for healthcare providers for several reasons:
- Legal Compliance: Healthcare organizations must follow federal and state laws governing the storage and disposal of PII and PHI. Failing to comply can lead to penalties, fines, and legal complications.
- Continuity of Care: Accurate and well-maintained medical records ensure seamless communication and care coordination between providers, helping deliver better outcomes for patients.
- Operational Efficiency: Organized and accessible records improve resource management and make it easier to retrieve important information when needed.
- Risk Management: Implementing a comprehensive retention and destruction policy minimizes the risk of breaches and reduces the chances of legal disputes from mishandling records.
- HIPAA Compliance: Ensuring patient privacy and data security is a top priority for healthcare organizations, and adhering to the Health Insurance Portability and Accountability Act (HIPAA) is essential.
- Cost Savings: Securely disposing of outdated or unnecessary records helps reduce storage costs and lowers the risk of data breaches.
- Improved Quality of Care: Detailed, well-maintained records provide a comprehensive history of the treatment and care patients receive, contributing to better care planning and decision-making.
Upcoming Changes to Medical Retention
There’s been a growing trend toward longer retention periods for medical records, with some states now recommending keeping them for at least ten years instead of six years. This shift is largely to help guard against False Claims Act (FCA) violations and ensure that medical records are available for legal cases when they are needed.
Does HIPAA Have Records Retention Requirements?
HIPAA doesn’t set specific requirements for how long medical records should be kept. Instead, it focuses on ensuring the privacy and security of protected health information (PHI). However, it does require healthcare providers to retain certain compliance-related documentation, such as policies, procedures, and other records tied to its Privacy and Security Rules, for at least six years from the date they were created or last updated.
When it comes to medical records themselves, retention periods are typically determined by state medical records retention laws, which vary widely.
To stay compliant, healthcare providers should follow state guidelines listed below, while considering industry best practices to ensure they’re meeting both legal requirements and patient care needs.
Why Doesn’t HIPAA Have Its Own Retention Requirements?
- HIPAA’s Focus: HIPAA is centered on protecting how protected health information (PHI) is handled, used, and shared. Its primary concern is privacy and security, not the duration of record retention.
- State Laws and Regulations: Retention periods are already governed by state laws, which outline the minimum time medical records must be kept. These laws can differ widely across states, and HIPAA avoids introducing conflicting requirements by deferring to existing state rules.
- Type of Records and Entities: Retention timelines often depend on the type of record or healthcare entity involved. For example, records for minors, psychiatric patients, or specific treatments may have unique requirements.
State-Specific Medical Records Retention Laws
While HIPAA sets the foundation for privacy and security, healthcare providers must also follow state-specific medical records retention laws. These laws determine how long records need to be kept and may vary significantly between states.
For example, some states require longer retention periods for certain records, such as those related to minors or substance abuse treatment. Understanding the specific regulations in your state is essential to ensure compliance and proper record management.
State | Law, Code, Or Regulation | Medical Doctors | Hospitals |
---|---|---|---|
Alabama | ALA. ADMIN. CODE r. 420-5-7-.13 | As long as may be necessary to treat the patient and for medical legal purposes. | 5 years |
Alaska | ALASKA STAT. § 18.20.085 | 6 years as stipulated by HIPAA | Adult patients: 7 years after patient discharge. Minor patients (under 19): 7 years after discharge or when the patient reaches the age of 21, whichever is longer. |
Arizona | ARIZ. REV. STAT. ANN. § 12-2297 | Adult patients: 6 years after the last date of services. Minor patients: 6 years after the last date of services, or until patient reaches the age of 21. | Adult patients: 6 years after the last date of services. Minor patients: 6 years after the last date of services, or until patient reaches the age of 21 whichever is longer. |
Arkansas | ARK. CODE R. § 007.05.17 | 6 years as stipulated by HIPAA. | Adult patients: 10 years after the last discharge, but master patient index data must be kept permanently. Minor patients: Complete medical records must be retained 2 years after the age of majority (i.e., until patient turns 20). |
California | 22 CA ADC §70751 | 6 years as stipulated by HIPAA. | Adult patients: 7 years after discharge. Minor patients: 7 years after discharge or 1 year after the patient reaches the age of 18 |
Colorado | 6 COLO. CODE REGS. § 1011-1: IV-8.102 | 6 years as stipulated by HIPAA. | Adult patients: 10 years after the most recent patient care usage. Minor patients: 10 years after the patient reaches the age of majority (i.e., until patient turns 28). |
Connecticut | CONN. AGENCIES REGS § 19-13-D3 | 7 years from the last date of treatment, or, upon the death of the patient, for 3 years. | 10 years after the patient has been discharged. |
Delaware | DEL. CODE ANN. tit. 24 § 1761 | 7 years from the last entry date on the patient’s record. | 6 years as stipulated by HIPAA. |
District of Columbia | § 3–1210.11. | 5 years from the date of last contact for an adult and a minimum period of 5 years after a minor reaches the age of majority. | 10 years following the date of discharge |
Florida | FLA. ADMIN. CODE ANN. r. 64B8-10.002 | 5 years from the last patient contact. | Public hospitals: 7 years after the last entry. |
Georgia | GA. COMP. R. & REGS. § 111- 8-40-.18 | 10 years from the date the record item was created. | Adult patients: 5 years after the date of discharge. Minor patients: 5 years past the age of majority (i.e., until patient turns 23). |
Hawaii | HAW. REV. STAT. § 622-58 | Adult patients: Full medical records: 7 years after last data entry. Basic information: 25 years after the last record entry. Minor patients: Full medical records: 7 years after the patient reaches the age of majority (i.e., until patient turns 25). Basic information: 25 years after the minor reaches the age of majority. | Adult patients: Full medical records: 7 years after last data entry. Basic information: 25 years after the last record entry. Minor patients: Full medical records: 7 years after the minor reaches the age of majority (i.e., until patient turns 25). Basic information: 25 years after the minor reaches the age of majority (i.e., until patient turns 43). |
Idaho | IDAHO CODE ANN. § 39- 1394 | 6 years as stipulated by HIPAA. | Clinical laboratory test records and reports: 5 years after the date of the test. |
Illinois | 210 ILL. COMP. STAT. § 85/6.17 | 6 years as stipulated by HIPAA | 10 years. |
Indiana | IND. CODE § 16-39-7-1 | 7 Years. | 7 Years. |
Iowa | IOWA ADMIN. CODE R. 653-13.7(8) | Adult patients: 7 years from the last date of service. Minor patients: 1 year after the minor attains the age of majority (i.e., until patient turns 19). | 6 years as stipulated by basic HIPAA regulations. |
Kansas | KAN. ADMIN. REGS. § 28- 34-9a | 10 years from when professional service was provided. | Adult patients: Full records: 10 years after the last discharge of the patient. Minor patients: Full records: 10 years or 1 year beyond the date that the patient reaches the age of majority. |
Kentucky | 902 KY. ADMIN. REGS. 20:275 | 6 years or if a minor, | Adult patients: 5 years from date of discharge. Minor patients: 5 years from date of discharge or 3 years after the patient reaches the age of majority. |
Louisiana | LA. REV. STAT. ANN.§ 40:1165.1 | 6 years from the date a patient is last treated. | 10 years from the date a patient is discharged. |
Maine | 22 MRS §1711 | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 7 years. Minor patients: 6 years past the age of majority. Patient logs and written x-ray reports— permanently. |
Maryland | MD. CODE REGS. §10.01.16.04 | Adult patients: 5 years after the record or report was made. Minor patients: 5 years after the report or record was made or until the patient reaches the age of majority plus 3 years. | Adult patients: 5 years after the record or report was made. Minor patients: 5 years after the report or record was made or until the patient reaches the age of majority plus 3 years. |
Massachusetts | 243 MASS. CODE REGS. § 2.07 | 7 years from the date of the last patient encounter or until the date that a minor patient reaches 18 years of age, whichever is longer. | 30 years after the discharge or the final treatment of the patient. |
Michigan | MICH. COMP. LAWS § 333.16213 | 7 years from the date of the patient’s discharge or last treatment. | 7 years from the date of the patient’s discharge or last treatment. |
Minnesota | MINN. STAT. § 145.32 | 6 years as stipulated by HIPAA | Most medical records: Permanently (in microfilm). Miscellaneous documents: Adult patients: 7 years. Minor patients: 7 years following the age of majority. |
Mississippi | MISS. CODE ANN. § 41-9- 69 | 6 years as stipulated by basic HIPAA regulations. | Adult patients: Discharged in sound mind: 10 years. Discharged at death: 7 years. Minor patients: For the period of minority plus 7 years. |
Missouri | MO. REV. STAT. § 334.097 | 7 years from the date the last professional service was provided. | Adult patients: 10 years. Minor patients: 10 years or until patient’s 23rd birthday, whichever occurs later. |
Montana | MONT. CODE ANN. § 50-16-513 and MONT. CODE ANN. § 50-16-513 | 6 years as stipulated by HIPAA. | Adult patients: Entire medical record—10 years following the date of a patient’s discharge or death. Minor patients: Entire medical record—10 years following the date the patient either attains the age of majority (i.e., until patient is 28) or dies, whichever is earlier. Core medical record must be maintained at least an additional 10 years beyond the periods provided above. |
Nebraska | 175 NEB. ADMIN CODE §9-006 | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years following a patient’s discharge. Minor patients: (under 19) 10 years or until 3 years after the patient reaches age of majority (i.e., until patient turns 22), whichever is longer. |
Nevada | NEV. REV. STAT. § 629.051 | 5 years after receipt or production of health care record. | 5 years after receipt or production of health care record. |
New Hampshire | N.H. CODE ADMIN. R. ANN. He-P 802.20 | 7 years from the date of the patient’s last contact with the physician, unless the patient has requested that the records be transferred to another health care provider, or one year after reaching age 18 in the case of a minor. | Adult patients: 7 years after a patient’s discharge. Minor patients: 7 years or until the minor reaches age 19, whichever is longer. |
New Jersey | N.J. STAT. ANN. § 26:8-5 | 7 years from the date of the most recent entry. | Adult patients: 10 years following the most recent discharge. Minor patients: 10 years following the most recent discharge or until the patient is 23 years of age, whichever is longer. Discharge summary sheets (all) 20 years after discharge. |
New Mexico | N.M. CODE R. § 16.10.17.10 | Adult patients: 10 years following the last treatment date of the patient. Minor patients: Must be retained until the patient is 21 years old. | Adult patients: 10 years following the last treatment date of the patient. Minor patients: Must be retained until the patient is 21 years old. |
New York | N.Y. COMP. CODES R. & REGS. § 405.10 | Six years from the date of discharge or three years after the patient’s age of majority (18 years), whichever is longer, or at least six years after death. | Adult patients: 6 years from the date of discharge. Minor patients: 6 years from the date of discharge or 3 years after the patient reaches 18 years (i.e., until patient turns 21), whichever is longer. Deceased patients: At least 6 years after death. |
North Carolina | 10A N.C. ADMIN. CODE §13B.3903 | Adult patients: 11 years following discharge. Minor patients: Until the patient’s 30th birthday. | Adult patients: 11 years following discharge. Minor patients: Until the patient’s 30th birthday. |
North Dakota | N.D. ADMIN. CODE § 33-07-01.1-20 | 10 years after the patient’s last visit. | Adult patients: 10 years after the last treatment date. Minor patients: 10 years after the last treatment date or until the patient’s 21st birthday, whichever is later. |
Ohio | Rule 3701-83-11 | 6 years after discharge | 6 years after discharge |
Oklahoma | OKLA. ADMIN. CODE §310:667-19-14 | Adult patients: 5 years beyond the date the patient was last seen. Minor patients: 3 years past the age of majority (i.e., until the patient turns 21). Deceased patients: 3 years beyond the date of death. | Adult patients: 5 years beyond the date the patient was last seen. Minor patients: 3 years past the age of majority (i.e., until the patient turns 21). Deceased patients: 3 years beyond the date of death. |
Oregon | OAR 333-505-0050 | 10 years after the date of last discharge. | 10 years after the date of last discharge. Master patient index—permanently. |
Pennsylvania | 28 PA. CODE § 115.23 | Adult patients: At least 7 years following the date of the last medical service. Minor patients: 7 years following the date of the last medical service or 1 year after the patient reaches age 21 (i.e., until patient turns 22), whichever is the longer period. | Adult patients: 7 years following discharge. Minor patients: 7 years after the patient attains majority or as long as adult records would be maintained. |
Puerto Rico | None | 5 years last discharge. Minors: records must be kept until the patient is 26 years old (5 years after the patient reaches the age of majority) | 5 years last discharge. Minors: records must be kept until the patient is 26 years old (5 years after the patient reaches the age of majority) |
Rhode Island | 230-RICR-20-60-4 | 5 years unless otherwise required by law or regulation. | Adult patients: 5 years following discharge of the patient. Minor patients: 5 years after patient reaches the age of 18 years (i.e., until patient turns 23). |
South Carolina | S.C. CODE ANN. § 44-115-120 | Adult patients: 10 years from the date of last treatment. Minor patients: 13 years from the date of last treatment. | Adult patients: 10 years. Minor patients: Until the minor reaches age 18 and the "period of election" expires, which is usually 1 year after the minor reaches the age of majority (i.e., usually until patient turns 19). |
South Dakota | S.D. Codified Laws § 36-4-38 | When records have become inactive or for which the whereabouts of the patient are unknown to the physician. | Adult patients: 10 years from the actual visit date of service or resident care. Minor patients: 10 years from the actual visit date of service or resident care or until the minor reaches age of majority plus 2 years (i.e., until patient turns 20), whichever is later. |
Tennessee | Tenn. Comp. R. & Regs. 0880-02-.15 | Adult patients: 10 years from the provider’s last professional contact with the patient. Minor patients: 10 years from the provider’s last professional contact with the patient or 1 year after the minor reaches the age of majority (i.e., until patient turns 19), whichever is later. | Adult patients: 10 years following the discharge of the patient or the patient’s death during the patient’s period of treatment within the hospital. Minor patients: 10 years following discharge or for the period of minority plus at least one year (i.e., until patient turns 19), whichever is later. |
Texas | 22 TEX. ADMIN. CODE § 165.1 | Adult patients: 7 years from the date of the last treatment. Minor patients: 7 years after the date of the last treatment or until the patient reaches age 21, whichever date is later. | Adult patients: 10 years after the patient was last treated in the hospital. Minor patients: 10 years after the patient was last treated in the hospital or until the patient reaches age 20, whichever date is later. |
Utah | UTAH ADMIN. CODE §432-100-33 | 6 years as stipulated by HIPAA. | Adult patients: 7 years. Minor patients: 7 years or until the minor reaches the age of 18 plus 4 years (i.e., patient turns 22), whichever is longer. |
Vermont | 12-5-14 VT. CODE R. §946 | 6 years as stipulated by HIPAA. | 10 years. |
Virginia | 18 VA. ADMIN. CODE § 85-20-26 & 12 VA. ADMIN. CODE § 5-410-370 | Adult patients: 6 years after the last patient contact. Minor patients: 6 years after the last patient contact or until the patient reaches age 18 (or becomes emancipated), whichever time period is longer. | Adult patients: 5 years following patient’s discharge. Minor patients: 5 years after patient has reached the age of 18 (i.e., until the patient reaches age 23). |
Washington | WASH. REV. CODE § 70.41.190 | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years following the patient’s most recent hospital discharge. Minor patients: 10 years following the patient’s most recent hospital discharge or 3 years after the patient reaches the age of 18 (i.e., until the patient turns 21) whichever is longer. |
West Virginia | H. B. 4396 | 6 years as stipulated by HIPAA. | 6 years as stipulated by HIPAA. |
Wisconsin | WIS. ADMIN. CODE DHS Med 21.03 | 5 years from the date of the last entry in the record. | 5 years. |
Wyoming | WYO. STAT. ANN. § 35-2-606 | 10 years from the date of last treatment. | 10 years from the date of last treatment. |
Sources:
*Links to each relevant law are provided in the “Law, code, or regulation” column. As laws change or are repealed in each legislative session, we will update these to reflect any changes made.
Important: The information contained within this page is provided as a reference with the understanding that this page and all authors of content are not rendering legal information or advice. The information provided about state medical record retention laws is accurate as of the date of the most recent update and is subject to change at any time. For more information on any specific law, please consult your state’s official website.
Best Practices for Medical Records Retention
Develop a Comprehensive Medical Records Retention Policy
A well-crafted medical records retention policy is extremely important for healthcare providers. This policy should include retention periods, storage methods, and destruction procedures for each type of record, taking into account both federal laws and the state retention regulations in the chart above.
Implement Robust Security Measures
To ensure HIPAA compliance and protect patient data, healthcare providers should implement security measures for both electronic and paper-based records. These may include:
- Access Controls: Limit access to medical records to authorized personnel only, using unique user IDs and strong passwords.
- Data Encryption: Encrypt ePHI during storage and transmission to protect against unauthorized access or data breaches.
- Physical Security: Implement measures like locked storage rooms, security cameras, and alarm systems to safeguard paper-based records.
Monitor and Audit Recordkeeping Practices
Conduct regular audits to identify potential issues or areas for improvement in your medical records retention processes. This includes reviewing your organization’s adherence to these retention periods, evaluating records storage conditions, and ensuring that records are properly disposed of once their retention period expires.
Train Staff on Medical Records Retention and HIPAA Compliance
HIPAA compliance and medical records retention training is essential for maintaining a secure and compliant healthcare environment. Regular training sessions can help employees understand their responsibilities and the importance of adhering to these policies and procedures.
Establish a Document Destruction Process
Proper disposal of expired medical records prevents unauthorized access to PHI and protects patient privacy. Implement a secure and compliant document destruction process that includes:
- Shredding: Paper-based records should be cross-cut shredded to ensure the information is unreadable and irrecoverable.
- Electronic Deletion: Securely delete electronic records using data wiping software that overwrites the data multiple times.
- Third-Party Destruction: If utilizing a third-party shredding service, ensure they adhere to HIPAA regulations and provide a certificate of destruction upon completion.
Key Components of an Effective Medical Record Retention Policy
An effective medical record retention policy should include the following components:
- Purpose: Clearly define the goals and objectives of the policy, such as compliance with applicable laws and organizational efficiency.
- Scope: Specify which records the policy applies to, including paper, electronic, and other media types.
- Responsibilities: Assign responsibility for policy implementation and enforcement to specific individuals or departments.
- Retention Periods: Establish retention periods for each record type, based on legal requirements and operational needs.
- Storage and Preservation: Outline the procedures for secure storage and preservation of records during their retention period.
- Destruction: Detail the methods and processes for securely destroying records once their retention period has expired.
How To Create and Implement a Medical Record Retention Schedule
A record retention schedule serves as a roadmap for determining how long records should be retained and when they should be destroyed. Follow these steps to create and implement an effective record retention schedule:
- Inventory: Conduct a comprehensive inventory of all records held by the organization, including their format and location.
- Categorize: Organize records into categories based on their function, content, or regulatory requirements.
- Research: Identify federal, state, and industry-specific regulations governing record retention and destruction.
- Establish Retention Periods: Determine the appropriate retention period for each record category, taking into account legal requirements and organizational needs.
- Document: Create a written retention schedule, clearly outlining the retention periods and destruction procedures for each record category.
- Train and Communicate: Train staff on the record retention schedule and ensure that it is effectively communicated throughout the organization.
- Monitor and Update: Regularly review and update the retention schedule to reflect changes in regulations, industry standards, and organizational needs.
Secure and Compliant Record Destruction
To ensure the secure and compliant destruction of records, healthcare organizations should adhere to the following best practices:
- Develop a Destruction Policy: Create a written policy outlining the methods and processes for securely destroying records, including the individuals or departments responsible for overseeing the process.
- Select Appropriate Destruction Methods: Choose destruction methods that render the records unreadable, indecipherable, and irretrievable. Common methods include shredding, incineration, and degaussing for electronic media.
- Establish a Chain of Custody: Implement a secure chain of custody procedure to track records from the point of collection to final destruction, ensuring accountability and reducing the risk of unauthorized access.
- Conduct Regular Audits: Regularly audit the record destruction process to verify compliance with the destruction policy and applicable regulations.
- Obtain a Certificate of Destruction: Upon completion of the destruction process, obtain a certificate of destruction from the service provider or internal department responsible for the task. This document serves as evidence of compliance with legal and regulatory requirements.
- Update the Retention Schedule: After records have been securely destroyed, update the retention schedule to reflect their disposal and maintain accurate documentation.
The Role of Electronic Health Records (EHR) in Medical Records Retention
The adoption of Electronic Health Records (EHR) systems has significantly impacted medical records retention over the last decade. EHRs offer numerous benefits in terms of efficiency, accessibility, and security over paper records systems, making them an invaluable tool for healthcare organizations.
Advantages of EHR in Medical Records Retention
- Streamlined Access: EHR systems allow healthcare providers to access patient records quickly and easily, improving collaboration and continuity of care.
- Enhanced Security: With features like access controls, audit trails, and encryption, EHR systems offer robust security measures to protect sensitive patient data.
- Automated Retention: EHR systems can be configured to automate retention periods and deletion processes, ensuring compliance with federal and state regulations.
Selecting an EHR System for Your Healthcare Organization
When choosing an EHR system, consider factors such as:
- HIPAA Compliance: Ensure the EHR system adheres to HIPAA regulations and provides necessary security features to safeguard PHI.
- Interoperability: Evaluate the system’s ability to communicate and exchange information with other healthcare systems, facilitating seamless coordination between providers.
- Customization: Select a system that can be tailored to your practice’s specific needs and workflows, improving efficiency and user satisfaction.
Migrating to an EHR System: A Seamless Transition for Medical Practices
The process of migrating from traditional paper-based medical records to an Electronic Health Records (EHR) system can be a complex yet rewarding endeavor for medical practices.
To ensure a smooth transition, organizations should start by creating a detailed migration plan that outlines the necessary steps and timelines. Begin by assembling a dedicated team comprising representatives from various departments, including IT, administration, and clinical staff, to oversee and manage the migration process. Next, evaluate and select an EHR system that meets your organization’s specific requirements, as discussed in the previous section.
Once the system is chosen, initiate staff training on the new EHR to promote user adoption and minimize disruption to daily operations.
The actual migration process involves transferring existing patient records to the new system, which can be done through manual data entry, a medical records scanning service, or leveraging data conversion tools. Ensuring data accuracy and integrity during this step is crucial, so be prepared to allocate sufficient time and resources for thorough data validation.
After the migration is complete, establish a period of parallel operation where both paper and electronic records are maintained, allowing your team to verify the accuracy and completeness of the transferred data before fully transitioning to the EHR system. By following these guidelines and adopting a well-structured approach, medical practices can successfully migrate to an EHR system, reaping the benefits of improved efficiency, enhanced patient care, and streamlined medical records retention.
What comes next?
Effective record retention and destruction practices are crucial for healthcare organizations to ensure legal compliance, safeguard patient information, and maintain operational efficiency. By implementing a comprehensive record retention policy and schedule, as well as adhering to best practices in secure record destruction, healthcare organizations can reduce risks, protect sensitive data, and fulfill their obligations to both patients and regulatory authorities.