Yes, deleting medical records before the legally required retention period has passed is illegal in every U.S. state. State laws set minimum timeframes that healthcare providers must keep patient records, and destroying them early can result in fines, license revocation, and legal liability. However, once those retention periods expire, providers are not only allowed to destroy records but are expected to do so using approved methods that protect patient privacy.
What Federal Law Actually Requires
HIPAA, the main federal health privacy law, does not set a specific retention period for medical records. That surprises many people. According to HHS, the HIPAA Privacy Rule “does not include medical record retention requirements.” Instead, HIPAA requires that for however long a provider keeps your records, they must apply appropriate safeguards to protect your information, including during the disposal process.
This means the real rules about how long records must be kept come from your state, not from the federal government. HIPAA’s role is to ensure that records are protected while they exist and properly destroyed when it’s time to get rid of them.
How Long Your State Requires Records Be Kept
State retention laws vary dramatically, from as few as 3 years to as many as 25. The range breaks down roughly into three tiers:
- 3 to 5 years: States like Wyoming and Montana require hospitals and providers to retain records for just 3 years. Washington, D.C. similarly requires physicians to keep records for 3 years after the last patient visit.
- 6 to 9 years: Many states fall in this middle range, with 7 years being a common standard.
- 10 years or more: Massachusetts requires hospitals to retain records for 20 years after a patient’s final treatment. Connecticut requires children’s hospitals and long-term hospitals to keep records for 25 years after discharge.
Some states don’t set a single number at all. Their retention requirements depend on the type of provider (hospital vs. private practice vs. nursing facility) or the patient’s condition. North Carolina, for example, requires hospitals to keep records for 11 years after discharge, but if the patient is a minor, the hospital must hold on to the records until that patient turns 30.
Special Rules for Children’s Records
Records for minors almost always have longer retention requirements than adult records. The American Academy of Pediatrics recommends keeping pediatric records for at least 10 years or until the child reaches the age of majority plus the state’s statute of limitations for malpractice, whichever is longer.
The practical effect of this is significant. In many states, the statute of limitations for a malpractice claim doesn’t begin until the patient turns 18. So in a state with a two-year statute of limitations, a malpractice case related to newborn care could be filed 20 years after the baby was born. That means the hospital needs to retain those newborn records for at least two decades. Deleting them earlier could expose the provider to serious legal consequences if a claim surfaces.
Why Providers Can’t Just Delete Records They Don’t Want
The connection between medical records and malpractice lawsuits is the biggest reason premature deletion is treated so seriously. Medical records are the primary evidence in any malpractice case. If a provider destroys records while the statute of limitations for a potential claim is still open, courts can draw negative inferences, meaning a judge or jury may assume the destroyed records contained evidence of wrongdoing.
In New York, for instance, the statute of limitations for medical malpractice is two years and six months from the date of the incident or the end of continuous treatment. A provider who deletes records within that window is not just violating state retention law but potentially committing spoliation of evidence, which is a separate legal offense. This can lead to sanctions, adverse rulings, and in some cases criminal charges for obstruction.
Beyond malpractice, providers who prematurely destroy records can face disciplinary action from their state medical board, including suspension or revocation of their license. Some states treat intentional destruction of records during an active investigation as a criminal act.
Can You Request Your Own Records Be Deleted?
Patients generally cannot force a healthcare provider to delete their medical records before the state’s required retention period has passed. Providers have a legal obligation to maintain those records regardless of the patient’s wishes. This sometimes frustrates people who want certain information removed from their file, but the retention mandate exists to protect both the patient and the provider.
What you can do is request amendments to your records under HIPAA. If something in your file is inaccurate, you have the right to ask that it be corrected. The provider can deny the request, but they must attach your written disagreement to the record so that anyone reviewing it sees your objection.
How Records Are Legally Destroyed After Retention Expires
Once the required retention period is up, providers are expected to destroy records in ways that make the information completely unrecoverable. HIPAA doesn’t mandate one specific method, but HHS outlines acceptable approaches for both formats.
For paper records, acceptable methods include shredding, burning, pulping, or pulverizing the documents so that the information is unreadable and cannot be reconstructed. Simply tossing files into a dumpster is a HIPAA violation, even if the retention period has expired, because the patient information remains exposed.
For electronic records, providers can overwrite the data with non-sensitive information using specialized software, degauss the media by exposing it to a strong magnetic field that disrupts stored data, or physically destroy the media through shredding, melting, incinerating, or pulverizing it. Each provider is responsible for developing internal policies that fit their specific situation and ensure that no retrievable patient data remains.
Many practices hire specialized disposal vendors to handle destruction. Under HIPAA, these vendors are considered business associates and must sign agreements committing to the same privacy protections that apply to the healthcare provider itself.
What This Means If You’re Concerned About Your Records
If you’re worried that a provider deleted your records too soon, the first step is to check your state’s retention requirements. If the provider was required to keep records for 10 years and it’s only been 6, you have grounds to file a complaint with your state health department or medical board. You can also file a HIPAA complaint with the HHS Office for Civil Rights if you believe your protected health information was improperly disposed of.
If you’re trying to get old records and the provider says they no longer have them, the retention period may have legitimately expired. Providers in states with short retention windows (3 to 5 years) may have already destroyed records from years ago in full compliance with the law. Requesting copies of your records well before these deadlines pass is the most reliable way to ensure you always have access to your own medical history.

