
Medical Records Retention and HIPAA

Updated Oct 23, 2023


Before EMRs digitized patient charts, physicians often ran out of physical storage space and had to destroy certain records. However, even EMRs don’t have unlimited storage and memory, so the need to destroy records hasn’t entirely disappeared. Keep in mind that destruction practices in violation of medical records retention laws are grounds for lawsuits. Below, learn how to retain and destroy medical records in compliance with the law.

What is medical records retention?

Medical records retention is the act of keeping your patient charts and other medical information on file. When you retain your records, you develop a track record of your treatment plans and quality of care. Proper medical records retention is advisable for successful long-term patient treatment. It’s also helpful when dealing with medical malpractice suits, licensing board complaints and medical billing audits. 

How long must medical records be retained?

Several factors determine the number of years for which you must retain medical records. 

Federal law

These federal laws pertain to medical record retention:

  • The Centers for Medicare & Medicaid Services (CMS) Hospital Conditions of Participation and Interpretive Guidelines. The federally funded Medicare and Medicaid programs are the largest payers in the United States. To keep your practice compliant with their regulations, you must retain all medical records for at least five years. Critical access hospitals must do so for six years.
  • OSHA hazardous substance rules. Medical personnel may sometimes be exposed to harmful agents such as pathogens on the job. If these agents significantly impact the well-being of a nurse, practitioner or other person involved in patient care, OSHA regulations take effect. OSHA mandates that you keep exposure records for 30 years.
  • HIPAA privacy regulations. Policies, procedures and disclosure accounting documents fall under the purview of the HIPAA Privacy Rule. According to these guidelines, you must retain these documents for six years.

State law

Most states have extensive regulations of their own regarding retaining or destroying medical records. Consult experts in your state about these laws and how they affect your medical records retention. Below are a few examples of state medical records retention guidance:

  • California practitioners must retain certain medical records for at least 10 years.
  • New York practitioners must keep all medical records on file for at least six years. Additionally, any obstetric and pediatric records must be kept until the child in question turns 19 years old.
  • Texas practitioners must retain medical records for at least seven years. Additionally, pediatric records must be retained until the child reaches at least 21 years of age.

Case law

Case law is a subset of state law concerning medical malpractice suits. It determines how long after the state’s statutory period a patient may file suit if they discover that medical malpractice led to their current complaints. Case law exists because some injuries or conditions aren’t immediately obvious signs of medical malpractice, which means that medical malpractice suits can sometimes be exempt from statutory limits. Confer with experts in your state to learn more.


Consult other practitioners and medical law experts in your area to determine which state and case laws govern your medical records retention.

Best practices for keeping and maintaining medical records

To keep your medical records retention in line with the guidance above, follow these best practices:

1. Know which types of information to record.

A patient’s medical records should include the following information:

  • Demographics
  • Reason for visit
  • Exams administered
  • Tests ordered
  • Exam and tests findings
  • Diagnoses
  • Treatment plans
  • Prescriptions and medications

To learn more about these types of information, read Business News Daily’s guide to patient charts.

Retain any records that physicians and specialists outside your practice send you for your own use with a patient, according to the same retention timeframes as your own records. Keep your practice’s medical billing documents regarding the patient too, so you can track which services were performed and paid for.

2. Record and store information the right way.

Several do’s and don’ts of medical recordkeeping can ensure that your patient charts are easily usable for any future purposes.

Do:

  • Keep your notes objective.
  • Timestamp your notes.
  • Indicate both informed consent and patient refusal or noncompliance.
  • Record timestamped entries for all patient encounters, phone calls and electronic communications.

Don’t:

  • Write illegibly. You can always use electronic medical records and speech-to-text tools to eliminate messy handwriting.
  • Use abbreviations or ambiguous language.
  • Use offensive words or try to make jokes.
  • Make alterations or delete any old information without leaving a track record.
  • Store medical records at locations other than a medical office or warehouse. Residential medical record storage, including on computers, is not advised.

3. Prioritize confidentiality except when necessary exemptions arise.

In almost all cases, you need a patient’s written consent to share their medical records with other parties. Given this privacy concern, medical records retention is as much about keeping records on file as it is about securing them from unauthorized access. HIPAA-compliant EMRs, such as those we’ve reviewed on our medical software best picks page, come with safeguards that make this protection of connected medical devices seamless.

In the U.S., limited exceptions exist to regulations regarding medical record sharing and confidentiality. Some portions of U.S. law can allow the sharing of medical records without the patient’s consent if the following conditions are met:

  • When doing so is key to treating an emergency
  • If they are pertinent to local, state or federal public health agency programs regarding substance abuse or HIV research

4. Make medical records accessible to patients.

Although the burden of retaining medical records falls on your practice, all records belong to the patients named in them. So, set up your medical records in ways that make patient access easy. Medical software such as EHR systems and medical practice management system (PMS) patient portals streamline this access. Note that you must comply with all patient requests to share their medical records with any parties whom they request.

Key takeaway

Since patients are ultimately the owners of their medical records, you must store your records in ways that patients can easily access, ideally through medical software.

5. Destroy medical records appropriately.

Eventually, all medical records will exist long enough that you’re no longer required to keep them. In this case, follow destruction best practices:

  • Confirm that confidential information will remain private during the destruction process.
  • Hire a record destruction agency rather than doing it yourself.
  • Create a log of all destroyed records that lists the name of the patient and the date of destruction.

Did you know?

Retention isn’t the only portion of medical recordkeeping subject to laws and regulations – so is the destruction of medical records.

Medical record retention FAQs

Who owns electronic medical records?

Technically, patients own their electronic medical records. You remain responsible for storing them, but patients can demand access at any time. Patients can even demand that you hand over their records without retaining any copies.

What happens to medical records when a practice closes?

If your practice closes, you can’t just destroy your patient records and call it a day. After all, records belong to patients, not you. Notify your patients of your impending closure and inform them of their right to designate another practitioner as the holder of their records. Alternatively, you can release the patient’s records directly to them.

Can a doctor refuse to release medical records?

In almost all circumstances, doctors cannot refuse to release medical records when patients request them. Extremely limited exceptions may exist in certain states or localities, but it’s best to assume that when a patient demands their records, you should hand them over. 

However, you don’t have to release a patient’s medical records to a third party unless you receive direct authorization from the patient first. Getting the patient’s explicit permission for record release is best. This way, you avoid breaching the patient’s confidentiality and winding up with a lawsuit on your hands. After all, that’s one of your biggest reasons for following medical records retention guidelines in the first place.

Max Freedman
Contributing Writer at
Max Freedman is a content writer who has written hundreds of articles about small business strategy and operations, with a focus on finance and HR topics. He's also published articles on payroll, small business funding, and content marketing. In addition to covering these business fundamentals, Max also writes about improving company culture, optimizing business social media pages, and choosing appropriate organizational structures for small businesses.