Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Understanding medical record retention requirements by state

Written by Kirsten Peremore | March 28, 2023

Medical record retention requirements change from state to state, and in some cases, they change a lot. Retention periods typically fall between five and ten years, but there are notable exceptions. One Acta Informatica Medica study stated that "the health record serves several purposes and must be retained to meet those purposes," and those purposes directly shape how long records are kept.

West Virginia, for example, requires certain records to be kept indefinitely. States such as Kentucky and Florida take a different approach, setting outpatient retention timelines that hinge on discharge dates rather than a fixed number of years.

Eleven states require adult medical records to be kept for 10 years, while 15 mandate shorter periods. North Carolina stands out with an eleven-year requirement, and Massachusetts goes even further, enforcing a thirty-year retention period. 

State law, rather than federal guidance like Medicare's Conditions of Participation, typically drives these differences. A study of hospital practices confirms that these timelines are shaped by statutes, liability concerns, and care continuity, since "laws, continuous patient care needs, defense of professional liability actions, education and research all influence how long health information will be retained."


The biggest misconception: HIPAA versus record retention

HIPAA does not set deadlines for how long most clinical records must be kept. That responsibility sits largely with the states, and the rules vary widely. In many places, retention periods run under ten years, while other states require certain records to be kept much longer. HIPAA’s role is narrower. 

The problem is that many providers assume HIPAA overrides all other retention laws. It does not. When state statutes demand longer retention, those stricter rules apply and take priority.

According to a study by the American Health Information Management Association, "the health record is multifaceted and demanded by diverse interests. Whether the record is paper, electronic, or a hybrid, policies and procedures are critical to the record management process and are necessary to meet an organization's needs."

Another common misunderstanding is the idea that HIPAA’s privacy obligations encourage early destruction once minimum retention periods expire. In practice, the opposite often happens. Many healthcare organizations keep records far longer than required because of operational needs, research value, and long-term liability concerns that go well beyond HIPAA. 

More than half of these organizations choose to retain adult and minor records permanently. Those decisions are driven less by HIPAA and more by state law, Medicare requirements, and day-to-day clinical realities. Confusion also surrounds electronic records. Some facilities assume EHR systems preserve data forever, even without formal retention policies.


HIPAA requires document retention: what you must keep and why

According to the study "Archiving the Phenome: Clinical Records Deserve Long-term Preservation," "Retention policies for clinical records are set primarily by the states, although the federal government mandates minimum maintenance periods for certain classes of patients and selected types of information."

HIPAA does not govern how long clinical records are kept, but it does require covered entities and business associates to keep certain HIPAA compliance paperwork for six years. Those documents exist to demonstrate that the privacy and security of protected health information (PHI) are being safeguarded.

The following list outlines the documents and retention requirements:

  • Privacy Rule Policies & Procedures: Keep written policies and procedures for protecting PHI for six years from the date they were created or last updated, whichever is later.
  • Privacy Rule Complaints: Keep records of complaints about PHI privacy for six years from the date the complaint was received.
  • Privacy Rule Disposition/Actions: Keep documentation of investigations and actions taken in response to privacy complaints for six years from the date the action was completed.
  • Security Rule Policies & Procedures: Keep written policies and procedures for safeguarding electronic PHI for six years from the date they were created or last updated, whichever is later.
  • Security Rule Assessments/Risk Analysis: Keep records of security risk assessments for six years from the date the assessment was completed.
  • Security Rule Breach Notifications: Keep documentation of notifications sent regarding PHI breaches for six years from the date the notification was sent.

That requirement exists to show accountability for privacy and security controls. It also sits completely apart from clinical record retention. It supports patient rights, such as providing an accounting of disclosures going back six years, and helps organizations resolve complaints or breach inquiries. In practice, proper retention reduces legal risk while still leaving room for research and other permitted uses when waivers or exceptions apply.


When federal law extends retention beyond HIPAA

Federal laws require keeping certain medical records longer than HIPAA does, mainly for specific federal programs or high-risk types of information. These include: 

  • Medicare Conditions of Participation: Hospitals must keep medical records for at least 5 years. This is a clinical-record clock, separate from HIPAA's 6-year rule, which covers only compliance documents.
  • Department of Veterans Affairs: Inactive medical records can be retired to Federal Records Centers and are not destroyed until 75 years after the last episode of care if they are designated as perpetual or archived per National Archives disposition authorities.
  • OSHA (29 CFR 1910.1020): Employee health records related to toxic exposures must be kept for 30 years.
  • Medicare Advantage and Part D contracts: Clinical and payment records are kept for 10 years to support audits.
  • Federal Rules of Civil Procedure: Records must be retained during litigation to preserve evidence. This is a legal obligation, not a fixed calendar retention period.


State medical record retention requirements: 2025 snapshot

Every state sets its own rules for how long patient records need to be kept. In some states, providers only have to keep records for as little as three years, while others require them to be held for ten years or more. The clock starts from the date of the patient’s last treatment.

Here's an outline of the hospital retention policies for each state, listed alphabetically:

  • Alabama: Medical records must be retained for 5 years from the last date of service.
  • Alaska: Adult records 7 years after discharge; minors until age 21 or longer.
  • Arizona: Adult records 6 years after last service; minors until age 21 or longer.
  • Arkansas: Adult hospital records 10 years after discharge; master patient index permanent.
  • California: At least 7 years after discharge; minors until age 19 or longer.
  • Colorado: Typically 10 years after last care for hospitals.
  • Connecticut: Hospitals generally 10 years after discharge.
  • Delaware: Commonly 7 years minimum.
  • District of Columbia: Often 7 years minimum for practitioners; hospitals longer.
  • Florida: Physicians 5 years, hospitals 7 years post-last contact.
  • Georgia: Many providers retain records for 10 years.
  • Hawaii: Often 7 years minimum for hospitals; minors longer.
  • Idaho: Often at least 7 years for adult records.
  • Illinois: Hospitals 10 years post-discharge.
  • Indiana: Often 7 years minimum.
  • Iowa: Minimum often around 7 years or 10 for hospitals.
  • Kansas: Many providers 10 years minimum.
  • Kentucky: Often 6 years minimum for physicians; hospital rules vary.
  • Louisiana: Often 6 years after last treatment; hospitals 10 years.
  • Maine: Typically 7 years for adult records; minors past majority.
  • Maryland: Often 5 years minimum.
  • Massachusetts: Commonly 7 years; hospitals sometimes longer.
  • Michigan: Often 7 years minimum.
  • Minnesota: Many records retained at least 7 years.
  • Mississippi: Often 6–10 years depending on provider type.
  • Missouri: Often 7–10 years for medical records.
  • Montana: Often 10 years minimum.
  • Nebraska: Many hospital records 10 years; minors longer.
  • Nevada: Minimum 5 years; minors until age 23 or longer.
  • New Hampshire: Often 7 years minimum.
  • New Jersey: Typically 7–10 years depending on provider.
  • New Mexico: Commonly 10 years; minors until age 21 or longer.
  • New York: At least 6 years after discharge; minors until age 21 or longer.
  • North Carolina: Hospitals typically 11 years post-discharge; minors until age 30.
  • North Dakota: Often 10 years after last treatment; minors until age 21.
  • Ohio: Commonly 6 years after discharge.
  • Oklahoma: Often 5 years after last seen; minors later.
  • Oregon: Hospitals often 10 years after last discharge.
  • Pennsylvania: Typically 7 years minimum; rules may vary.
  • Rhode Island: Physicians commonly hold 7 years; hospitals often ~5–7 years.
  • South Carolina: Adult records often 10 years; minors up to 13 years.
  • South Dakota: Retention norms vary widely; often treated as "while active or whereabouts known."
  • Tennessee: Often 10 years minimum.
  • Texas: Often 7–10 years depending on provider type.
  • Utah: Many medical providers retain records at least 6–7 years.
  • Vermont: Often 10 years minimum.
  • Virginia: Often 6–7 years minimum.
  • Washington: Many providers retain records at least 6–10 years.
  • West Virginia: Often 10 years minimum.
  • Wisconsin: Typically 5–7 years minimum.
  • Wyoming: Often 10 years minimum; minors often longer.

Best practices for storing and sharing records

Beyond knowing how long records must be kept, it’s just as necessary to think about how they’re stored and shared day to day. Good retention practices only work if the records stay secure the entire time.

Here are a few tips to keep in mind:

  • Store records in a secure location, such as a locked cabinet or a HIPAA compliant cloud storage service.
  • Back up electronic records regularly.
  • Use HIPAA compliant methods to share documents, such as secure HIPAA compliant email or a secure file-sharing service.
  • Implement access controls to ensure that only authorized individuals can access patient records.
  • Train employees on record-keeping policies and procedures to ensure compliance with regulations.

FAQs

When does the six-year HIPAA retention period start?

The six-year period starts from the date the document was created or the date it was last in effect, whichever comes later.


Are minors' records treated differently under HIPAA?

HIPAA does not set special retention rules for minors. State laws usually require records to be kept until the child reaches adulthood plus additional years.


Do breach records have their own retention rule?

Yes. Documentation related to breaches and notifications must be kept for six years under HIPAA.
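As an added example (not from the article or from Paubox), the following Python models the two separate clocks described above: the HIPAA six-year rule for compliance documents from the FAQ, and a state hospital rule of the "N years after discharge; minors until age M or longer" form used in the state list, plus the litigation-hold condition from the federal list. The age of majority of 18 and the rule numbers the caller passes in are illustrative assumptions, not any particular state's statute.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Move a date forward by whole years; Feb 29 rolls to Mar 1 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def hipaa_doc_retention_end(created: date, last_in_effect: Optional[date] = None) -> date:
    """HIPAA compliance documentation (policies, risk analyses, breach notices):
    six years from creation or from the date it was last in effect, whichever is later."""
    start = max(created, last_in_effect) if last_in_effect else created
    return add_years(start, 6)


@dataclass(frozen=True)
class StateRule:
    """A hospital rule of the form 'N years after discharge; minors until age M or longer'.
    The numbers are supplied by the caller; nothing here encodes a particular state."""
    years_after_discharge: int
    minor_until_age: Optional[int] = None  # None: no separate rule for minors
    age_of_majority: int = 18              # assumption used to decide who was a minor


def clinical_retention_end(rule: StateRule, discharge: date, birth: date) -> date:
    """Earliest date a clinical record may be destroyed under `rule`.
    This is the state clock, independent of the HIPAA six-year clock above."""
    end = add_years(discharge, rule.years_after_discharge)
    was_minor = add_years(birth, rule.age_of_majority) > discharge
    if was_minor and rule.minor_until_age is not None:
        # "until age M or longer": the later of the two dates wins
        end = max(end, add_years(birth, rule.minor_until_age))
    return end


def may_destroy(retention_end: date, today: date, legal_hold: bool = False) -> bool:
    """Destruction is allowed only once the clock has run and no litigation hold applies."""
    return not legal_hold and today >= retention_end
```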