As a healthcare provider, you are responsible for keeping patients’ records safe and secure while ensuring compliance with HIPAA and state and federal regulations. This guide will help you navigate medical record retention by breaking down the differences between HIPAA and state requirements and outlining best practices for storing and sharing records.
Note: Not all types of documents are regulated under HIPAA and instead fall under state or federal regulations.
According to the Department of Health & Human Services, “the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained.” In other words, HIPAA does not govern the length these records are retained but does govern how they’re secured and stored.
HIPAA does, however, require covered entities and business associates to retain specific types of documents to ensure the privacy and security of protected health information (PHI).
The following table outlines the documents, their descriptions, and retention requirements:
Document Type | Description | Retention Requirement |
--- | --- | --- |
Privacy Rule Policies & Procedures | Policies and procedures for safeguarding PHI | 6 years from the last effective date |
Privacy Rule Complaints | Records of complaints regarding PHI privacy | 6 years from the date of the complaint |
Privacy Rule Disposition | Records of actions taken in response to privacy complaints | 6 years from the date of the action |
Security Rule Policies & Procedures | Policies and procedures for securing PHI | 6 years from the last effective date |
Security Rule Assessments | Records of security assessments for PHI protection | 6 years from the date of the assessment |
Security Rule Breach Notifications | Records of breach notifications related to PHI | 6 years from the date of the notification |
It’s worth noting that these retention requirements are not exhaustive. Depending on your specific circumstances, you may need to keep additional documents. For example, healthcare providers participating in Medicare or Medicaid programs must retain all records related to program reimbursement for at least six years from the date of reimbursement or the final determination of costs. Similarly, if you’re a covered entity or business associate involved in clinical trials, you must retain research records for at least two years after completing the study.
Each state has its own regulations dictating how long patient records must be kept. Some states require providers to retain records for as little as three years, while others mandate retention periods of up to ten years or longer. The retention timeframe begins on the date of the last treatment, not the date the record was created.
Here’s a table outlining the retention policies for each state, listed alphabetically:
State | Statute | Retention Period |
--- | --- | --- |
Alabama | Ala. Code § 22-21-8 | 5 years |
Alaska | 12 AAC 02.010 | 10 years |
Arizona | Ariz. Rev. Stat. § 12-2297 | 7 years |
Arkansas | Ark. Code Ann. § 5-37-204 | 5 years |
California | Cal. Code Regs. tit. 16, § 1367.6 | 7 years |
Colorado | Colo. Rev. Stat. § 25-1-802 | 10 years |
Connecticut | Conn. Gen. Stat. § 52-146d | 7 years |
Delaware | 16 Del. Admin. Code § 4463 | 7 years |
District of Columbia | D.C. Mun. Regs. tit. 22, § 401 | 7 years |
Florida | Fla. Stat. § 456.057 | 5 years |
Georgia | Ga. Comp. R. & Regs. r. 111-8-24-.04 | 10 years |
Hawaii | Haw. Admin. R. § 16-89-78 | 7 years |
Idaho | Idaho Admin. Code r. 16.03.04.251 | 7 years |
Illinois | 77 Ill. Admin. Code § 250.520 | 10 years |
Indiana | Ind. Code § 16-39-6-8 | 7 years |
Iowa | Iowa Admin. Code r. 641-34.9(147,148) | 10 years |
Kansas | Kan. Admin. Regs. § 28-1-6 | 10 years |
Kentucky | Ky. Rev. Stat. Ann. § 344.040 | 5 years |
Louisiana | La. Admin. Code tit. 46, pt. LXVII, § 1653 | 10 years |
Maine | Me. Code R. tit. 10, § 2195 | 7 years |
Maryland | Md. Code Regs. 10.32.03.05 | 5 years |
Massachusetts | 243 Mass. Code Regs. § 2.07 | 7 years |
Michigan | Mich. Comp. Laws § 333.16213 | 7 years |
Minnesota | Minn. Stat. § 147.091 | 7 years |
Mississippi | Miss. Admin. Code § 15-16-7 | 7 years |
Missouri | Mo. Code Regs. Ann. tit. 19, § 30-20.050 | 10 years |
Montana | Mont. Code Ann. § 37-2-305 | 10 years |
Nevada | Nev. Rev. Stat. § 629.061 | 5 years |
New Hampshire | N.H. Code Admin. R. Ann. He-P 803.03 | 10 years |
New Jersey | N.J. Admin. Code § 13:35-6.6 | 7 years |
New Mexico | N.M. Admin. Code § 16.10.10.8 | 10 years |
New York | N.Y. Pub. Health Law § 18 | 6 years |
North Carolina | N.C. Gen. Stat. § 90-411 | 11 years |
North Dakota | N.D. Admin. Code § 61-02-05-04 | 10 years |
Ohio | Ohio Admin. Code § 4731-27-06 | 7 years |
Oklahoma | 310 Okla. Admin. Code § 675:10-7-4 | 7 years |
Oregon | Or. Admin. R. 333-535-0060 | 10 years |
Pennsylvania | 28 Pa. Code § 115.23 | 7 years |
Rhode Island | R.I. Gen. Laws § 5-37-5 | 10 years |
South Carolina | S.C. Code Ann. Regs. § 61-7 | 10 years |
South Dakota | S.D. Codified Laws § 36-4-19 | 7 years |
Tennessee | Tenn. Comp. R. & Regs. 0880-2-.19(6) | 10 years |
Texas | Tex. Occ. Code § 159.002 | 7 years |
Utah | Utah Admin. Code r. 156-37-302 | 7 years |
Vermont | Vt. Code R. 16-1-003:3 | 10 years |
Virginia | Va. Code Regs. § 18VAC85-21-250 | 5 years |
Washington | Wash. Admin. Code § 246-08-400 | 6 years |
West Virginia | W. Va. Code R. § 16-1-9 | 10 years |
Wisconsin | Wis. Admin. Code DHS § 92.05(1) | 7 years |
Wyoming | Wyo. Code R. § 7-3-3 | 10 years |
Some states have specific requirements for how records should be stored, such as requiring that paper records be retained in a secure location or that electronic records be encrypted. Be sure to double-check your state’s regulations for specific requirements.
In addition to HIPAA and state regulations, federal laws also dictate patients’ medical record retention requirements.
The following table outlines some of the key federal laws:
Law | Description | Retention Requirement |
--- | --- | --- |
Medicare/Medicaid | Records related to program reimbursement | 6 years from the date of reimbursement or final determination of costs |
Clinical Laboratory Improvement Amendments (CLIA) | Records related to laboratory testing | 2 years from the date of the test |
Food, Drug, and Cosmetic Act | Records related to medical devices | 2 years from the date of distribution |
In addition to understanding the regulations surrounding medical record retention, implement best practices for storing and sharing records securely.
Here are a few tips to keep in mind:
Patient record retention is a critical aspect of healthcare providers’ responsibilities. By understanding the differences between HIPAA and state requirements, following best practices for storing and sharing records, and keeping up to date with federal laws, you can ensure that you’re meeting your obligations and protecting the privacy and security of your patients’ information.