Record retention in healthcare is the practice of storing, maintaining, and eventually disposing of patient medical records according to legal and regulatory timelines. There is no single federal law that dictates one universal retention period. Instead, healthcare providers navigate a patchwork of federal rules, state laws, and specialty-specific requirements that determine how long different types of records must be kept. Getting it wrong can mean fines reaching into the millions of dollars, lost evidence in malpractice cases, or gaps in patient care.
Why Retention Periods Exist
Medical records serve multiple purposes long after a patient visit ends. They support continuity of care if a patient returns years later, provide evidence in legal disputes, satisfy auditing requirements from insurers and government programs, and contribute to public health research. Retention rules exist to balance these needs against the cost and complexity of storing records indefinitely, especially for smaller practices handling both paper charts and electronic files.
What HIPAA Actually Requires
A common misconception is that HIPAA sets a specific retention period for medical records. It does not. The HIPAA Privacy Rule requires covered entities to apply appropriate safeguards to protect the privacy of medical records for however long those records are maintained, including during disposal. But the rule itself is silent on how many years you need to keep them.
What HIPAA does impose is a six-year retention requirement for certain administrative documents: privacy policies, patient authorization forms, notices of privacy practices, and other compliance-related paperwork. This six-year window applies to the documents that prove a practice followed the rules, not to the clinical records themselves. State laws fill that gap.
Federal Rules That Do Set Timelines
While HIPAA stays out of the retention question, other federal agencies are more specific.
The Centers for Medicare and Medicaid Services (CMS) requires providers who submit cost reports to retain all patient records for at least five years after the closure of the cost report. Providers participating in Medicare managed care programs face a longer window: 10 years.
The FDA requires sponsors of clinical drug trials to keep records for two years after a marketing application is approved. If the application is never approved, records must be kept for two years after the investigational drug stops being shipped and the FDA is notified.
Federal laboratory regulations add another layer. Pathology test reports must be retained for at least 10 years. Histopathology slides (tissue samples mounted on glass) must also be kept for 10 years. Cytology slide preparations, such as Pap smears, require a minimum of five years. Tissue blocks used in pathology must be stored for at least two years, and remnants of tissue must be preserved until a diagnosis is made.
How State Laws Change the Picture
Because HIPAA does not set a medical record retention period, state laws become the primary authority for most clinical records. These vary widely. Some states require records to be kept for as few as five years after a patient’s last encounter, while others mandate 10 years or more. A handful of states have no explicit statute at all, leaving providers to follow professional guidelines.
When a state law provides stronger privacy protections or longer retention periods than federal rules, the state law controls. HIPAA only preempts state laws that directly conflict with its requirements and offer less protection. In practice, this means healthcare organizations operating in multiple states often need to track different retention schedules for each location.
Pediatric Records Require Extra Time
Records for children are a special case because minors cannot file lawsuits on their own behalf. In many states, the statute of limitations for a malpractice claim does not begin until the patient turns 18. The American Academy of Pediatrics recommends retaining pediatric medical records for at least 10 years or until the age of majority plus the applicable state statute of limitations, whichever is longer.
The math can be surprising. In a state with a two-year statute of limitations, a malpractice case related to newborn care could theoretically be filed 20 years after delivery. That means the newborn’s records need to be stored for at least two decades. Pediatric practices that destroy records based on a generic retention schedule risk losing critical evidence.
Records of Deceased Patients
Death does not immediately end privacy protections or retention obligations. HIPAA’s Privacy Rule protects a deceased individual’s health information for 50 years following the date of death. After that 50-year window, the information is no longer classified as protected health information under federal law. State laws may impose shorter or longer obligations, but the 50-year federal floor is notably long and catches many providers off guard.
Penalties for Getting It Wrong
The financial consequences of mishandling records, whether through premature destruction, inadequate security, or improper disposal, fall under HIPAA’s four-tier penalty structure. As of August 2024, the tiers work as follows:
- Tier 1 (lack of knowledge): $141 to $71,162 per violation, capped at roughly $2.13 million per year for identical violations.
- Tier 2 (reasonable cause, not willful neglect): $1,424 to $71,162 per violation, with the same annual cap.
- Tier 3 (willful neglect, corrected within 30 days): $14,232 to $71,162 per violation.
- Tier 4 (willful neglect, not corrected): $71,162 to $2,134,831 per violation, with an annual cap matching the maximum.
These penalties apply per violation, meaning a single data breach affecting thousands of records can trigger penalties that multiply quickly. Beyond federal fines, state attorneys general can pursue additional penalties, and patients can file civil lawsuits if improper record handling causes them harm.
Paper vs. Electronic Records
The retention timeline does not change based on whether a record is stored on paper or in an electronic health record (EHR) system. A chart note from 2005 stored in a filing cabinet carries the same legal obligations as the same note scanned into a digital system. What does change is the practical challenge of maintaining access. Paper records degrade, flood, and burn. Electronic records require ongoing software maintenance, data migration as systems change, and cybersecurity protections for the entire retention period.
Many practices that transitioned from paper to EHR systems still have legacy paper charts in storage. Those older records remain subject to whatever retention period applied at the time of the patient encounter and must be secured and eventually destroyed according to the same rules as any active record.
Building a Practical Retention Schedule
Because no single rule covers everything, most healthcare organizations create a retention schedule that accounts for the longest applicable requirement across federal, state, and specialty-specific rules. A common approach is to identify the most conservative deadline for each record type and use that as the default. For general adult medical records, many organizations land on 10 years after the last patient encounter as a safe baseline, though specific circumstances may demand longer.
The schedule should also address how records are destroyed once the retention period expires. HIPAA requires that disposal methods make protected health information unreadable and unrecoverable. For paper, that typically means shredding or incineration. For electronic records, it means secure deletion or physical destruction of storage media. Simply deleting a file or tossing a chart in a dumpster does not meet the standard.
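As an added example that is not part of the original article, the following Python sketch turns the "most conservative deadline wins" approach above, together with the pediatric calculation from earlier, into a small retention calculator. The state minimum, the 18-year age of majority, the statute-of-limitations value and the date the CMS window is anchored to are assumptions the caller supplies, not values taken from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AGE_OF_MAJORITY = 18     # assumed default; set per state
BASELINE_YEARS = 10      # common adult default after the last encounter
DECEASED_PHI_YEARS = 50  # HIPAA: PHI status persists 50 years after death

def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 clamps to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class RecordFacts:
    last_encounter: date
    state_years: int                 # state minimum, years after last encounter (assumed value)
    sol_years: int = 2               # state malpractice statute of limitations (assumed value)
    birth_date: Optional[date] = None
    death_date: Optional[date] = None
    cost_report_closed: Optional[date] = None   # CMS cost-report closure date, if any
    medicare_managed_care: bool = False

def retention_deadlines(f: RecordFacts) -> dict:
    """'Keep until' date for each rule that applies, keyed by rule name."""
    d = {"state_law": add_years(f.last_encounter, f.state_years),
         "baseline_10y": add_years(f.last_encounter, BASELINE_YEARS)}
    if f.birth_date is not None:
        majority = add_years(f.birth_date, AGE_OF_MAJORITY)
        if majority > f.last_encounter:  # patient was a minor at the encounter
            # AAP: 10 years, or age of majority plus the statute of limitations, whichever is longer
            d["pediatric_aap"] = max(d["baseline_10y"], add_years(majority, f.sol_years))
    if f.cost_report_closed is not None:
        # CMS: 5 years after closure, 10 for Medicare managed care (same anchor date assumed)
        d["cms"] = add_years(f.cost_report_closed, 10 if f.medicare_managed_care else 5)
    return d

def destruction_eligible(f: RecordFacts) -> tuple:
    """The most conservative rule and the date before which the record must not be destroyed."""
    return max(retention_deadlines(f).items(), key=lambda kv: kv[1])

def phi_protected_until(f: RecordFacts) -> Optional[date]:
    """For a deceased patient, the date the record stops being PHI under HIPAA;
    safeguards apply for as long as it is retained before then."""
    return None if f.death_date is None else add_years(f.death_date, DECEASED_PHI_YEARS)

if __name__ == "__main__":
    print(destruction_eligible(RecordFacts(date(2024, 3, 15), 7, birth_date=date(2024, 3, 15))))
```

The sample run reproduces the article's newborn case: with a 2-year statute of limitations, the pediatric rule pushes the earliest destruction date to 20 years after delivery, well past both the state minimum and the 10-year baseline.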

