2023 Medical Records Retention Laws By State

Medical Records Retention Laws by State

HIPAA is a federal law that requires your medical records to be retained for 6 years at a federal level. However, most states also have their own medical retention laws, which can be more stringent than HIPAA stipulates. Look at the table below to see state-by-state medical retention record laws and regulations.

Release of Medical Records Laws

HIPAA privacy regulations allow patients the right to collect and view their health information, including medical and bill records, on-demand. A request for information must be granted within 30 days of the request. If there are extenuating circumstances, the covered entity must provide a reason within that 30-day time frame, and the records must still be provided within 60 days. Note: If you are a healthcare provider looking for a HIPAA compliant method to store patient records, we recommend Caspio. You can build your own solution and enhance patient experience with digital patient forms or even allow patients convenient access to their own records.

How Long Each State Requires to Keep Medical Records

The statute of limitations for keeping medical records varies by state. Use this chart to see how long a medical provider is required to keep records until they are allowed to be destroyed. Additionally there are also Federal Guidelines that must be followed for specific instances such as Competitive Medical Plans, Department of Veteran Affairs, Device Tracking. This chart is available below the state chart.

Medical Records Retention Laws by State

StateMedical DoctorsHospitals
AlabamaAs long as may be necessary to
treat the patient and for medical
legal purposes.
Ala. Admin. Code r. 545-X-4-.08
(2007).
5 years.
Ala. Admin. Code § 420-5-7.10 (adopting
42 C.F.R. § 482.24).
Alaska6 years as stipulated by basic HIPAA regulations.Adult Patients: 7 Years after patient discharge
Minor Patients (Under 19):
7 Years after discharge or when the patient reaches the age of 21, whichever is longer.
Alaska Stat. § 18.20.085(a) (2008).
ArizonaAdult patients
6 years after the last date of
services from the provider.
Minor patients
6 years after the last date of
services from the provider, or until
patient reaches the age of 21
whichever is longer.
Ariz. Rev. Stat. § 12-2297 (2008).
Adult patients
6 years after the last date of services from
the provider.
Minor patients
6 years after the last date of services from
the provider, or until patient reaches the
age of 21 whichever is longer.
Ariz. Rev. Stat. § 12-2297 (2008).
Arkansas6 years as stipulated by basic HIPAA regulations.Adult patients
10 years after the last discharge, but
master patient index data must be kept
permanently.
Minor patients
Complete medical records must be retained
2 years after the age of majority (i.e., until
patient turns 20).
016 24 Code Ark. Rules and Regs. 007 §
14(19) (2008).
California6 years as stipulated by basic HIPAA regulations.Adult patients
7 years following discharge of the patient.
Minor patients
7 years following discharge or 1 year after
the patient reaches the age of 18 (i.e.,
until patient turns 19) whichever is longer.
Cal. Code Regs. tit. 22, § 70751(c) (2008).
Colorado6 years as stipulated by basic HIPAA regulations.Adult patients
10 years after the most recent patient care
usage.
Minor patients
10 years after the patient reaches the age
of majority (i.e., until patient turns 28).
6 Colo. Code Regs. § 1011-1, chap. IV,
8.102 (2008).
Connecticut7 years from the last date of
treatment, or, upon the death of
the patient, for 3 years.
Conn. Agencies Regs. § 19a-14-42
(2008).
10 years after the patient has been
discharged.
Conn. Agencies Regs. §§ 19-13-D3(d)(6)
(2008).
Delaware7 years from the last entry date on
the patient’s record.
Del. Code Ann. tit. 24, §§ 1761 and
1702 (2008).
6 years as stipulated by basic HIPAA regulations.
Disctrict of ColumbiaAdult Patients:
3 years after last seeing the patient.
Minor patients
3 years after last seeing the patient
or 3 years after patient reaches the
age of 18 (i.e., until patient turns
21).
D.C. Mun. Regs. tit. 17, § 4612.1
(2008).
10 years following the date of discharge of the patient.
D.C. Mun. Regs. tit. 22, § 2216 (2008).
Florida5 years from the last patient
contact.
Fla. Admin. Code Ann. 64B8-
10.002(3) (2008).
Public hospitals: 7 years after the last
entry.
Florida Department of State, General
Records Schedule GS4 for Public Hospitals,
Health Care Facilities and Medical
Providers, (2007),
http://dlis.dos.state.fl.us/barm/genschedul
es/GS04.pdf (accessed September 12,
2008).
Georgia10 years from the date the record
item was created.
See Ga. Code Ann. § 31-33-
2(a)(1)(A) and (B)(i) (2008).
Adult patients
5 years after the date of discharge.
Minor patients
5 years past the age of majority (i.e., until
patient turns 23).
See Ga. Code Ann. §§ 31-33-2(a)(1)(B)(ii)
(2008); 31-7-2 (2008) (granting the
department regulatory authority over
hospitals) and Ga. Comp. R. & Regs. 290-
9-7-.18 (2008).
HawaiiAdult patients
Full medical records: 7 years after
last data entry.
Basic information (i.e., patient’s
name, birth date, diagnoses, drugs
prescribed, x-ray interpretations):
25 years after the last record entry.
Minor patients
Full medical records: 7 years after
the patient reaches the age of
majority (i.e., until patient turns 25).
Basic information: 25 years after the
minor reaches the age of majority
(i.e., until patient turns 43).
Haw. Rev. Stat. § 622-58 (2008).
Adult patients
Full medical records: 7 years after last data
entry.
Basic information (i.e., patient’s name,
birth date, diagnoses, drugs prescribed, xray interpretations): 25 years after the last
record entry.
Minor patients
Full medical records: 7 years after the
minor reaches the age of majority (i.e.,
until patient turns 25).
Basic information: 25 years after the minor
reaches the age of majority (i.e., until
patient turns 43).
Haw. Rev. Stat. § 622-58 (2008).
Idaho6 years as stipulated by basic HIPAA regulations.Clinical laboratory test records and reports:
5 years after the date of the test.
Idaho Code Ann. § 39-1394 (2008).
Illinois6 years as stipulated by basic HIPAA regulations.10 years.
See 210 Ill. Comp. Stat. 85/6.17(c)
(2008).
Indiana7 Years.
Burns Ind. Code Ann. § 16-39-7-1
(2008).
7 Years.
Burns Ind. Code Ann. § 16-39-7-1
(2008).
IowaAdult patients
7 years from the last date of service.
Minor patients
1 year after the minor attains the
age of majority (i.e., until patient
turns 19).
See Iowa Admin. Code r. 653-
13.7(8) (2008); Iowa Code § 614.8
(2008).
6 years as stipulated by basic HIPAA regulations.
Kansas10 years from when professional
service was provided.
Kan. Admin. Regs. § 100-24-2 (a)
(2008).
Adult patients
Full records: 10 years after the last
discharge of the patient.
Minor patients
Full records: 10 years or 1 year beyond the
date that the patient reaches the age of
majority (i.e., until patient turns 19)
whichever is longer.
Summary of destroyed records for both
adults and minors—25 years.
Kan. Admin. Regs. § 28-34-9a (d)(1)
(2008).
Kentucky6 years as stipulated by basic HIPAA regulations.Adult patients
5 years from date of discharge.
Minor patients
5 years from date of discharge or 3 years
after the patient reaches the age of
majority (i.e., until patient turns 21)
whichever is longer.
902 Ky. Admin. Regs. 20:016 (2007).
Louisiana6 years from the date a patient is
last treated.
La. Rev. Stat. Ann. §
40:1299.96(A)(3)(a) (2008).
10 years from the date a patient is
discharged.
La. Rev. Stat. Ann. § 40:2144(F)(1)
(2008).

(Continued) Medical Records Retention Laws by State

StateMedical DoctorsHospitals
Maine6 years as stipulated by basic HIPAA regulations.Adult patients
7 years.
Minor patients
6 years past the age of majority (i.e., until
patient turns 24).
See 10-144 Me. Code R. Ch. 112, § XII.B.1
(2008).
Patient logs and written x-ray reports—
permanently.
10-144 Me. Code R. Ch. 112, § XV.C.5
(2008).
MarylandAdult patients
5 years after the record or report
was made.
Minor patients
5 years after the report or record
was made or until the patient
reaches the age of majority plus 3
years (i.e., until patient turns 21),
whichever date is later.
MD. Code Ann., Health–Gen.
§§ 4-403(a)–(c) (2008).
Adult patients
5 years after the record or report was
made.
Minor patients
5 years after the report or record was
made or until the patient reaches the age
of majority plus 3 years (i.e., until patient
turns 21), whichever date is later.
MD. Code Ann., Health–Gen.
§§ 4-403(a)–(c) (2008).
MassachusettsAdult patients
7 years from the date of the last
patient encounter.
Minor patients
7 years from date of last patient
encounter or until the patient
reaches the age of 9, whichever is
longer.
243 Mass. Code Regs. 2.07(13)(a)
(2008).
30 years after the discharge or the final
treatment of the patient.
Mass. Gen. Laws ch. 111, § 70 (2008).
Michigan7 years from the date of service.
Mich. Comp. Laws § 333.16213
(2008).
7 years from the date of service
Mich. Comp. Laws § 333.20175 (2008).
Minnesota6 years as stipulated by basic HIPAA regulations.Most medical records: Permanently (in
microfilm).
Miscellaneous documents:
Adult patients
7 years.
Minor patients
7 years following the age of majority (i.e.,
until the patient turns 25).
Minn. Stat. § 145.32 (2007) and Minn. R.
4642.1000 (2007).
Mississippi6 years as stipulated by basic HIPAA regulations.Adult patients
Discharged in sound mind: 10 years.
Discharged at death: 7 years.(2)
Minor patients
For the period of minority plus 7 years.(3)
Miss. Code Ann. § 41-9-69(1) (2008).
Missouri7 years from the date the last
professional service was provided.
Mo. Rev. Stat. § 334.097(2)
(2008).
Adult patients
10 years.
Minor patients
10 years or until patient’s 23rd birthday,
whichever occurs later.
Mo. Code Reg. tit. 19, § 30-094(15)
(2008).
Montana6 years as stipulated by basic HIPAA regulations.Adult patients
Entire medical record—10 years following
the date of a patient’s discharge or death.
Minor patients
Entire medical record—10 years following
the date the patient either attains the age
of majority (i.e., until patient is 28) or dies,
whichever is earlier.
Core medical record must be maintained at
least an additional 10 years beyond the
periods provided above.
Mont. Admin. R. 37.106.402(1) and (4)
(2007).
Nebraska6 years as stipulated by basic HIPAA regulations.Adult patients
10 years following a patient’s discharge.
Minor patients (under 19)
10 years or until 3 years after the patient
reaches age of majority (i.e., until patient
turns 22), whichever is longer.
Neb. Admin. Code 175 § 9-006.07A5
(2008).
Nevada5 years after receipt or production
of health care record.
Nev. Rev. Stat. § 629.051 (2007).
5 years after receipt or production of
health care record.
Nev. Rev. Stat. § 629.051 (2007).
New Hampshire7 years from the date of the
patient’s last contact with the
physician, unless the patient has
requested that the records be
transferred to another health care
provider.
N.H. Code Admin. R. Ann. Med
501.02(f)(8) (2008).
Adult patients
7 years after a patient’s discharge.
Minor patients
7 years or until the minor reaches age 19,
whichever is longer.
N.H. Code Admin. R. Ann. He-P 802.06(h)
(1994).(4)
New Jersey7 years from the date of the most
recent entry.
N.J. Admin. Code § 13:35-6.5(b)
(2008).
Adult patients
10 years following the most recent
discharge.
Minor patients
10 years following the most recent
discharge or until the patient is 23 years of
age, whichever is longer.
Discharge summary sheets (all)
20 years after discharge.
N.J. Stat. Ann. § 26:8-5 (2008).
New MexicoAdult patients
2 years beyond what is required by
state insurance laws and by
Medicare and Medicaid
requirements.
Minor patients
2 years beyond the date the patient
is 18 (i.e., until the patient turns
20).
N.M. Code R. § 16.10.17.10 (C)
(2008).
Adult patients
10 years following the last treatment date
of the patient.
Minor patients
Age of majority plus 1 year (i.e., until the
patient turns 19).
N.M. Stat. Ann. § 14-6-2 (2008); N.M.
Code R. § 7.7.2.30 (2008).
New YorkAdult patients
6 years.
Minor patients
6 years and until 1 year after the
minor reaches the age of 18 (i.e.,
until the patient turns 19).
N.Y. Education § 6530 (2008)
(providing retention requirements
in the definitions for professional
misconduct of physicians).
Adult patients
6 years from the date of discharge.
Minor patients
6 years from the date of discharge or 3
years after the patient reaches 18 years
(i.e., until patient turns 21), whichever is
longer.
Deceased patients
At least 6 years after death.
N.Y. Comp. Codes R. & Regs. tit. 10, §
405.10(a)(4) (2008).
North Carolina6 years as stipulated by basic HIPAA regulations.Adult patients
11 years following discharge.
Minor patients
Until the patient’s 30th birthday.
10 A N.C. Admin. Code 13B.3903(a), (b)
(2008).
North Dakota6 years as stipulated by basic HIPAA regulations.Adult patients
10 years after the last treatment date.
Minor patients
10 years after the last treatment date or
until the patient’s 21st birthday, whichever
is later.
N.D. Admin. Code 33-07-01.1-20(1)(b)
(2007).
Ohio6 years as stipulated by basic HIPAA regulations.6 years as stipulated by basic HIPAA regulations.
Oklahoma6 years as stipulated by basic HIPAA regulations.Adult patients
5 years beyond the date the patient was
last seen.
Minor patients
3 years past the age of majority (i.e., until
the patient turns 21).
Deceased patients
3 years beyond the date of death.
Okla. Admin. Code § 310:667-19-14
(2008).
Oregon6 years as stipulated by basic HIPAA regulations.10 years after the date of last discharge.
Master patient index—permanently.
Or. Admin. R. 333-505-0050(9) and (15)
(2008).
PennsylvaniaAdult patients
At least 7 years following the date
of the last medical service.
Minor patients
7 years following the date of the
last medical service or 1 year after
the patient reaches age 21 (i.e.,
until patient turns 22), whichever is
the longer period.
49 Pa. Code § 16.95(e) (2008).
Adult patients
7 years following discharge.
Minor patients
7 years after the patient attains majority(5)
or as long as adult records would be
maintained.
28 Pa. Code § 115.23 (2008).

(Continued) Medical Records Retention Laws by State

StateMedical DoctorsHospitals
Puerto Rico6 years as stipulated by basic HIPAA regulations.6 years as stipulated by basic HIPAA regulations.
Rhode Island5 years unless otherwise required
by law or regulation.
R.I. Code R.14-140-031, § 11.3
(2008).
Adult patients
5 years following discharge of the patient.
R.I. Code R. 14 090 007 § 27.10 (2008).
Minor patients
5 years after patient reaches the age of 18
years (i.e., until patient turns 23).
R.I. Code R. 14 090 007 § 27.10.1 (2008).
South CarolinaAdult patients
10 years from the date of last
treatment.
Minor patients
13 years from the date of last
treatment.
S.C. Code Ann. § 44-115-120
(2007).
Adult patients
10 years.
Minor patients
Until the minor reaches age 18 and the
“period of election” expires, which is
usually 1 year after the minor reaches the
age of majority (i.e., usually until patient
turns 19).
S.C. Code Ann. Regs. 61-16 § 601.7(A)
(2007). See S.C. Code Ann. § 15-3-545
(2007).(7)
South DakotaWhen records have become inactive
or for which the whereabouts of the
patient are unknown to the
physician.
S.D. Codified Laws § 36-4-38
(2008).
Adult patients
10 years from the actual visit date of
service or resident care.
Minor patients
10 years from the actual visit date of
service or resident care or until the minor
reaches age of majority plus 2 years (i.e.,
until patient turns 20), whichever is later.
See S.D. Admin. R. 44:04:09:08 (2008).
TennesseeAdult patients
10 years from the provider’s last
professional contact with the
patient.
Minor patients
10 years from the provider’s last
professional contact with the
patient or 1 year after the minor
reaches the age of majority (i.e.,
until patient turns 19), whichever is
longer.
Tenn. Comp. R. & Regs. 0880-2-.15
(2008).
Adult patients
10 years following the discharge of the
patient or the patient's death during the
patient's period of treatment within the
hospital.
Tenn. Code Ann. § 68-11-305(a)(1)
(2008).
Minor patients
10 years following discharge or for the
period of minority plus at least one year
(i.e., until patient turns 19), whichever is
longer.
Tenn. Code Ann. § 68-11-305(a)(2)
(2008).
TexasAdult patients
7 years from the date of the last
treatment.
Minor patients
7 years after the date of the last
treatment or until the patient
reaches age 21, whichever date is
later.
22 Tex. Admin. Code § 165.1(b)
(2008).(8)
Adult patients
10 years after the patient was last treated
in the hospital.
Minor patients
10 years after the patient was last treated
in the hospital or until the patient reaches
age 20, whichever date is later.
Tex. Health & Safety Code Ann. § 241.103
(2007); 25 Tex. Admin. Code §
133.41(j)(8) (2008).(8)
Utah6 years as stipulated by basic HIPAA regulations.Adult patients
7 years.
Minor patients
7 years or until the minor reaches the age
of 18 plus 4 years (i.e., patient turns 22),
whichever is longer.
Utah Admin. Code r. 432-100-33(4)(c)
(2008).
Vermont6 years as stipulated by basic HIPAA regulations.10 years.
Vt. Stat. Ann. tit. 18, § 1905(8) (2007).
VirginiaAdult patients
6 years after the last patient
contact.
Minor patients
6 years after the last patient
contact or until the patient reaches
age 18 (or becomes emancipated),
whichever time period is longer.
18 Va. Admin. Code § 85-20-26(D)
(2008).
Adult patients
5 years following patient’s discharge.
Minor patients
5 years after patient has reached the age
of 18 (i.e., until the patient reaches age
23).
12 Va. Admin. Code § 5-410-370 (2008).
Washington6 years as stipulated by basic HIPAA regulations.Adult patients
10 years following the patient’s most
recent hospital discharge.
Minor patients
10 years following the patient’s most
recent hospital discharge or 3 years after
the patient reaches the age of 18 (i.e.,
until the patient turns 21) whichever is
longer.
Wash. Rev. Code § 70.41.190 (2008).
West Virginia6 years as stipulated by basic HIPAA regulations.6 years as stipulated by basic HIPAA regulations.
Wisconsin5 years from the date of the last
entry in the record.
Wis. Admin. Code Med. § 21.03
(2008).
5 years.
Wis. Admin. Code Health & Family Services
§§ 124.14(2)(c), 124.18(1)(e) (2008).
Wyoming6 years as stipulated by basic HIPAA regulations.6 years as stipulated by basic HIPAA regulations.

Federal Medical Record Destruction Policy

Type of DocumentationRetention PeriodCitation/Reference
Abortions & related medical proceduresMust be maintained for three years.42 Code of Federal Regulations 50.309
Ambulatory/Outpatient/Day Surgery servicesNot specified, would revert to the state statute, or the specific statute of limitations as outlined in the chart above.42 Code of Federal Regulations 416.47
Clinics/Rehabilitation Agencies/Public Health - Speech-Language Pathology ServicesThe state statute, or statute of limitations pertaining to medical records outlined in the chart above takes precedence. In the absence of direction from a state statute, federal regulations dictate that records should be helf for 5 years after the date of discharge. If the records belong to a minor then they need to be held for 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer.42 Code of Federal Regulations 485.721 (d)
Clinics/Rehabilitation Agencies/Public Health - Outpatient Physical TherapyThe state statute, or statute of limitations pertaining to medical records outlined in the chart above takes precedence. In the absence of direction from a state statute, federal regulations dictate that records should be helf for 5 years after the date of discharge. If the records belong to a minor then they need to be held for 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer.42 Code of Federal Regulations 485.721 (d)
Clinics - Rural HealthThe state statutes outlined above take precedent. At a minimum, records are required to be kept for six years from the date of last entry.42 Code of Federal Regulations 491.10 (c)
Competitve Medical Plans/Healthcare Plans/Healthcare Prepayment Plans
Comprehensive outpatient rehabilitation facilities. Outpatient Rehabilitation Care. (CORFs)Five years after patient has been discharged.42 Code of Federal Regulations 485.60 (c)
Critical Access hospitals - Designated Eligible Rural Hospitals (CAHs)Six years from patient discharge or date of last entry. Longer if required by a state statute outlined above OR if it is required in an ongoing proceeding/investigation.42 Code of Federal Regulations 485.628 (c)
Department of Veterans Affairs
Diagnostic and operation index fileThere is a monthly listing that is destroyed after it is consolidated into a biannual listing. The biannual listing is destroyed 20 years after the date of report.Records Control Schedule (RCS) 10-1, NC-15-76-10-,
item 2
Disposition data files (Patient Treatment Files)To be destroyed after one year and only after the patient treatment master record has been created.Records Control Schedule (RCS) 10-1, NN-166-127,
item 4a
Gains and losses fileDestroy master set after one year.Records Control Schedule (RCS) 10-1 Item 1100.38
Health Records Folder File or Consolidated Health Record (CHR)Must be retained in the VA health care facility for 3 years after the last instance of care. Then converted to an Inactive Medical Record.Records Control Schedule (RCS) 10-1, Item Number 6000.1, N1-15-91-6,
item 1a
Patient locator fileMust be retained in the medical facility for 75 years after the last instance of care.Records Control Schedule (RCS) 10-1 - Item Number 1100.25
Register fileDestroyed after audit by VCS auditors (1 year must pass).Records Control Schedule (RCS) 10-1, Item Number 5550.12
Tumor registry records and index cardsMust be retained at Veteran Affairs facility. Destroy 75 years after last update.Records Control Schedule (RCS) 10-1, Item # 6675.1

Medical Record Destruction Policy

The destruction of health information must be carried out following the federal and state laws outlined in the chart above. Additionally, records utilized in any active investigation or litigation must not be destroyed until the case has been closed. There is no set-in-stone requirements on how organizations destroy medical records. However, some states are required to notify patients how and when their records are being destroyed. The one caveat is that in the absence of superseding state law, records must be destroyed in a manner that allows for no chance of reconstruction of information.

Acceptable Destruction Methods of Medical Records

Magnetic Tapes are Usually Destroyed by:

Paper Medical Records are Usually Destroyed by:

Microfilm Medical Records are Usually Destroyed by:

Computer Medical Records are Usually Destroyed by:

DVD Medical Records are Usually Destroyed by:

Other Vital Records Laws

Share this: