Paubox blog: HIPAA compliant email made easy

Understanding medical record retention requirements by state

Written by Dean Levitt | March 28, 2023

As a healthcare provider, you are responsible for keeping patients’ records safe and secure while ensuring compliance with HIPAA and state and federal regulations. This guide will help you navigate medical record retention by breaking down the differences between HIPAA and state requirements and outlining best practices for storing and sharing records.

Note: Not all types of documents are regulated under HIPAA and instead fall under state or federal regulations. 

HIPAA document retention rules

According to the Department of Health & Human Services, “the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained.” In other words, HIPAA does not govern the length these records are retained but does govern how they’re secured and stored.

HIPAA does, however, require covered entities and business associates to retain specific types of documents to ensure the privacy and security of protected health information (PHI). 

The following table outlines the documents, their descriptions, and retention requirements:

Document Type Description Retention Requirement
Privacy Rule Policies & Procedures Policies and procedures for safeguarding PHI 6 years from the last effective date
Privacy Rule Complaints Records of complaints regarding PHI privacy 6 years from the date of the complaint
Privacy Rule Disposition Records of actions taken in response to privacy complaints 6 years from the date of the action
Security Rule Policies & Procedures Policies and procedures for securing PHI 6 years from the last effective date
Security Rule Assessments Records of security assessments for PHI protection 6 years from the date of the assessment
Security Rule Breach Notifications Records of breach notifications related to PHI 6 years from the date of the notification

It’s worth noting that these retention requirements are not exhaustive. Depending on your specific circumstances, you may need to keep additional documents. For example, healthcare providers participating in Medicare or Medicaid programs must retain all records related to program reimbursement for at least six years from the date of reimbursement or the final determination of costs. Similarly, if you’re a covered entity or business associate involved in clinical trials, you must retain research records for at least two years after completing the study.

Related: Email archiving and HIPAA compliance

 

State patient record retention policies

Each state has its own regulations dictating how long patient records must be kept. Some states require providers to retain records for as little as three years, while others mandate retention periods of up to ten years or longer. The retention timeframe only begins with the date of the last treatment.

Here’s a table outlining the retention policies for each state, listed alphabetically:

State Statute Retention Period
Alabama Ala. Code § 22-21-8 5 years
Alaska 12 AAC 02.010 10 years
Arizona Ariz. Rev. Stat. § 12-2297 7 years
Arkansas Ark. Code Ann. § 5-37-204 5 years
California Cal. Code Regs. tit. 16, § 1367.6 7 years
Colorado Colo. Rev. Stat. § 25-1-802 10 years
Connecticut Conn. Gen. Stat. § 52-146d 7 years
Delaware 16 Del. Admin. Code § 4463 7 years
District of Columbia D.C. Mun. Regs. tit. 22, § 401 7 years
Florida Fla. Stat. § 456.057 5 years
Georgia Ga. Comp. R. & Regs. r. 111-8-24-.04 10 years
Hawaii Haw. Admin. R. § 16-89-78 7 years
Idaho Idaho Admin. Code r. 16.03.04.251 7 years
Illinois 77 Ill. Admin. Code § 250.520 10 years
Indiana Ind. Code § 16-39-6-8 7 years
Iowa Iowa Admin. Code r. 641-34.9(147,148) 10 years
Kansas Kan. Admin. Regs. § 28-1-6 10 years
Kentucky Ky. Rev. Stat. Ann. § 344.040 5 years
Louisiana La. Admin. Code tit. 46, pt. LXVII, § 1653 10 years
Maine Me. Code R. tit. 10, § 2195 7 years
Maryland Md. Code Regs. 10.32.03.05 5 years
Massachusetts 243 Mass. Code Regs. § 2.07 7 years
Michigan Mich. Comp. Laws § 333.16213 7 years
Minnesota Minn. Stat. § 147.091 7 years
Mississippi Miss. Admin. Code § 15-16-7 7 years
Missouri Mo. Code Regs. Ann. tit. 19, § 30-20.050 10 years
Montana Mont. Code Ann. § 37-2-305 10 years
Nevada Nev. Rev. Stat. § 629.061 5 years
New Hampshire N.H. Code Admin. R. Ann. He-P 803.03 10 years
New Jersey N.J. Admin. Code § 13:35-6.6 7 years
New Mexico N.M. Admin. Code § 16.10.10.8 10 years
New York N.Y. Pub. Health Law § 18 6 years
North Carolina N.C. Gen. Stat. § 90-411 11 years
North Dakota N.D. Admin. Code § 61-02-05-04 10 years
Ohio Ohio Admin. Code § 4731-27-06 7 years
Oklahoma 310 Okla. Admin. Code § 675:10-7-4 7 years
Oregon Or. Admin. R. 333-535-0060 10 years
Pennsylvania 28 Pa. Code § 115.23 7 years
Rhode Island R.I. Gen. Laws § 5-37-5 10 years
South Carolina S.C. Code Ann. Regs. § 61-7 10 years
South Dakota S.D. Codified Laws § 36-4-19 7 years
Tennessee Tenn. Comp. R. & Regs. 0880-2-.19(6) 10 years
Texas Tex. Occ. Code § 159.002 7 years
Utah Utah Admin. Code r. 156-37-302 7 years
Vermont Vt. Code R. 16-1-003:3 10 years
Virginia Va. Code Regs. § 18VAC85-21-250 5 years
Washington Wash. Admin. Code § 246-08-400 6 years
West Virginia W. Va. Code R. § 16-1-9 10 years
Wisconsin Wis. Admin. Code DHS § 92.05(1) 7 years
Wyoming Wyo. Code R. § 7-3-3 10 years

Some states have specific requirements for how records should be stored, such as requiring that paper records be retained in a secure location or that electronic records be encrypted. Be sure to double-check your state’s regulations for specific requirements. 

 

Federal laws on patient and medical record retention

In addition to HIPAA and state regulations, federal laws also dictate patient’s medical record retention requirements. 

The following table outlines some of the key federal laws:

Law Description Retention Requirement
Medicare/
Medicaid
Records related to program reimbursement 6 years from the date of reimbursement or final determination of costs
Clinical Laboratory Improvement Amendments (CLIA) Records related to laboratory testing 2 years from the
date of the test
Food, Drug, and Cosmetic Act Records related to medical devices 2 years from the
date of distribution

 

Best practices for storing and sharing records:

In addition to understanding the regulations surrounding medical record retention, implement best practices for storing and sharing records securely. 

Here are a few tips to keep in mind:

  • Store records in a secure location, such as a locked cabinet or a HIPAA-compliant cloud storage service.
  • Back up electronic records regularly
  • Use HIPAA-compliant methods to share documents, such as secure  HIPAA compliant email or a secure file-sharing service.
  • Implement access controls to ensure that only authorized individuals can access patient records.
  • Train employees on record-keeping policies and procedures to ensure compliance with regulations.

 

Better safe than sorry

Patient record retention is a critical aspect of healthcare providers’ responsibilities. By understanding the differences between HIPAA and state requirements, following best practices for storing and sharing records, and keeping up to date with federal laws, you can ensure that you’re meeting your obligations and protecting the privacy and security of your patients’ information.

Related: How to send HIPAA compliant emails