HIPAA is a federal law that requires your medical records to be retained for 6 years at a federal level. However, most states also have their own medical retention laws, which can be more stringent than HIPAA stipulates. Look at the table below to see state-by-state medical retention record laws and regulations.
HIPAA privacy regulations allow patients the right to collect and view their health information, including medical and bill records, on-demand. A request for information must be granted within 30 days of the request. If there are extenuating circumstances, the covered entity must provide a reason within that 30-day time frame, and the records must still be provided within 60 days. Note: If you are a healthcare provider looking for a HIPAA compliant method to store patient records, we recommend Caspio. You can build your own solution and enhance patient experience with digital patient forms or even allow patients convenient access to their own records.
The statute of limitations for keeping medical records varies by state. Use this chart to see how long a medical provider is required to keep records until they are allowed to be destroyed. Additionally there are also Federal Guidelines that must be followed for specific instances such as Competitive Medical Plans, Department of Veteran Affairs, Device Tracking. This chart is available below the state chart.
State | Medical Doctors | Hospitals |
---|---|---|
Alabama | As long as may be necessary to treat the patient and for medical legal purposes. Ala. Admin. Code r. 545-X-4-.08 (2007). | 5 years. Ala. Admin. Code § 420-5-7.10 (adopting 42 C.F.R. § 482.24). |
Alaska | 6 years as stipulated by basic HIPAA regulations. | Adult Patients: 7 Years after patient discharge Minor Patients (Under 19): 7 Years after discharge or when the patient reaches the age of 21, whichever is longer. Alaska Stat. § 18.20.085(a) (2008). |
Arizona | Adult patients 6 years after the last date of services from the provider. Minor patients 6 years after the last date of services from the provider, or until patient reaches the age of 21 whichever is longer. Ariz. Rev. Stat. § 12-2297 (2008). | Adult patients 6 years after the last date of services from the provider. Minor patients 6 years after the last date of services from the provider, or until patient reaches the age of 21 whichever is longer. Ariz. Rev. Stat. § 12-2297 (2008). |
Arkansas | 6 years as stipulated by basic HIPAA regulations. | Adult patients 10 years after the last discharge, but master patient index data must be kept permanently. Minor patients Complete medical records must be retained 2 years after the age of majority (i.e., until patient turns 20). 016 24 Code Ark. Rules and Regs. 007 § 14(19) (2008). |
California | 6 years as stipulated by basic HIPAA regulations. | Adult patients 7 years following discharge of the patient. Minor patients 7 years following discharge or 1 year after the patient reaches the age of 18 (i.e., until patient turns 19) whichever is longer. Cal. Code Regs. tit. 22, § 70751(c) (2008). |
Colorado | 6 years as stipulated by basic HIPAA regulations. | Adult patients 10 years after the most recent patient care usage. Minor patients 10 years after the patient reaches the age of majority (i.e., until patient turns 28). 6 Colo. Code Regs. § 1011-1, chap. IV, 8.102 (2008). |
Connecticut | 7 years from the last date of treatment, or, upon the death of the patient, for 3 years. Conn. Agencies Regs. § 19a-14-42 (2008). | 10 years after the patient has been discharged. Conn. Agencies Regs. §§ 19-13-D3(d)(6) (2008). |
Delaware | 7 years from the last entry date on the patient’s record. Del. Code Ann. tit. 24, §§ 1761 and 1702 (2008). | 6 years as stipulated by basic HIPAA regulations. |
Disctrict of Columbia | Adult Patients: 3 years after last seeing the patient. Minor patients 3 years after last seeing the patient or 3 years after patient reaches the age of 18 (i.e., until patient turns 21). D.C. Mun. Regs. tit. 17, § 4612.1 (2008). | 10 years following the date of discharge of the patient. D.C. Mun. Regs. tit. 22, § 2216 (2008). |
Florida | 5 years from the last patient contact. Fla. Admin. Code Ann. 64B8- 10.002(3) (2008). | Public hospitals: 7 years after the last entry. Florida Department of State, General Records Schedule GS4 for Public Hospitals, Health Care Facilities and Medical Providers, (2007), http://dlis.dos.state.fl.us/barm/genschedul es/GS04.pdf (accessed September 12, 2008). |
Georgia | 10 years from the date the record item was created. See Ga. Code Ann. § 31-33- 2(a)(1)(A) and (B)(i) (2008). | Adult patients 5 years after the date of discharge. Minor patients 5 years past the age of majority (i.e., until patient turns 23). See Ga. Code Ann. §§ 31-33-2(a)(1)(B)(ii) (2008); 31-7-2 (2008) (granting the department regulatory authority over hospitals) and Ga. Comp. R. & Regs. 290- 9-7-.18 (2008). |
Hawaii | Adult patients Full medical records: 7 years after last data entry. Basic information (i.e., patient’s name, birth date, diagnoses, drugs prescribed, x-ray interpretations): 25 years after the last record entry. Minor patients Full medical records: 7 years after the patient reaches the age of majority (i.e., until patient turns 25). Basic information: 25 years after the minor reaches the age of majority (i.e., until patient turns 43). Haw. Rev. Stat. § 622-58 (2008). | Adult patients Full medical records: 7 years after last data entry. Basic information (i.e., patient’s name, birth date, diagnoses, drugs prescribed, xray interpretations): 25 years after the last record entry. Minor patients Full medical records: 7 years after the minor reaches the age of majority (i.e., until patient turns 25). Basic information: 25 years after the minor reaches the age of majority (i.e., until patient turns 43). Haw. Rev. Stat. § 622-58 (2008). |
Idaho | 6 years as stipulated by basic HIPAA regulations. | Clinical laboratory test records and reports: 5 years after the date of the test. Idaho Code Ann. § 39-1394 (2008). |
Illinois | 6 years as stipulated by basic HIPAA regulations. | 10 years. See 210 Ill. Comp. Stat. 85/6.17(c) (2008). |
Indiana | 7 Years. Burns Ind. Code Ann. § 16-39-7-1 (2008). | 7 Years. Burns Ind. Code Ann. § 16-39-7-1 (2008). |
Iowa | Adult patients 7 years from the last date of service. Minor patients 1 year after the minor attains the age of majority (i.e., until patient turns 19). See Iowa Admin. Code r. 653- 13.7(8) (2008); Iowa Code § 614.8 (2008). | 6 years as stipulated by basic HIPAA regulations. |
Kansas | 10 years from when professional service was provided. Kan. Admin. Regs. § 100-24-2 (a) (2008). | Adult patients Full records: 10 years after the last discharge of the patient. Minor patients Full records: 10 years or 1 year beyond the date that the patient reaches the age of majority (i.e., until patient turns 19) whichever is longer. Summary of destroyed records for both adults and minors—25 years. Kan. Admin. Regs. § 28-34-9a (d)(1) (2008). |
Kentucky | 6 years as stipulated by basic HIPAA regulations. | Adult patients 5 years from date of discharge. Minor patients 5 years from date of discharge or 3 years after the patient reaches the age of majority (i.e., until patient turns 21) whichever is longer. 902 Ky. Admin. Regs. 20:016 (2007). |
Louisiana | 6 years from the date a patient is last treated. La. Rev. Stat. Ann. § 40:1299.96(A)(3)(a) (2008). | 10 years from the date a patient is discharged. La. Rev. Stat. Ann. § 40:2144(F)(1) (2008). |
State | Medical Doctors | Hospitals |
---|---|---|
Maine | 6 years as stipulated by basic HIPAA regulations. | Adult patients 7 years. Minor patients 6 years past the age of majority (i.e., until patient turns 24). See 10-144 Me. Code R. Ch. 112, § XII.B.1 (2008). Patient logs and written x-ray reports— permanently. 10-144 Me. Code R. Ch. 112, § XV.C.5 (2008). |
Maryland | Adult patients 5 years after the record or report was made. Minor patients 5 years after the report or record was made or until the patient reaches the age of majority plus 3 years (i.e., until patient turns 21), whichever date is later. MD. Code Ann., Health–Gen. §§ 4-403(a)–(c) (2008). | Adult patients 5 years after the record or report was made. Minor patients 5 years after the report or record was made or until the patient reaches the age of majority plus 3 years (i.e., until patient turns 21), whichever date is later. MD. Code Ann., Health–Gen. §§ 4-403(a)–(c) (2008). |
Massachusetts | Adult patients 7 years from the date of the last patient encounter. Minor patients 7 years from date of last patient encounter or until the patient reaches the age of 9, whichever is longer. 243 Mass. Code Regs. 2.07(13)(a) (2008). | 30 years after the discharge or the final treatment of the patient. Mass. Gen. Laws ch. 111, § 70 (2008). |
Michigan | 7 years from the date of service. Mich. Comp. Laws § 333.16213 (2008). | 7 years from the date of service Mich. Comp. Laws § 333.20175 (2008). |
Minnesota | 6 years as stipulated by basic HIPAA regulations. | Most medical records: Permanently (in microfilm). Miscellaneous documents: Adult patients 7 years. Minor patients 7 years following the age of majority (i.e., until the patient turns 25). Minn. Stat. § 145.32 (2007) and Minn. R. 4642.1000 (2007). |
Mississippi | 6 years as stipulated by basic HIPAA regulations. | Adult patients Discharged in sound mind: 10 years. Discharged at death: 7 years.(2) Minor patients For the period of minority plus 7 years.(3) Miss. Code Ann. § 41-9-69(1) (2008). |
Missouri | 7 years from the date the last professional service was provided. Mo. Rev. Stat. § 334.097(2) (2008). | Adult patients 10 years. Minor patients 10 years or until patient’s 23rd birthday, whichever occurs later. Mo. Code Reg. tit. 19, § 30-094(15) (2008). |
Montana | 6 years as stipulated by basic HIPAA regulations. | Adult patients Entire medical record—10 years following the date of a patient’s discharge or death. Minor patients Entire medical record—10 years following the date the patient either attains the age of majority (i.e., until patient is 28) or dies, whichever is earlier. Core medical record must be maintained at least an additional 10 years beyond the periods provided above. Mont. Admin. R. 37.106.402(1) and (4) (2007). |
Nebraska | 6 years as stipulated by basic HIPAA regulations. | Adult patients 10 years following a patient’s discharge. Minor patients (under 19) 10 years or until 3 years after the patient reaches age of majority (i.e., until patient turns 22), whichever is longer. Neb. Admin. Code 175 § 9-006.07A5 (2008). |
Nevada | 5 years after receipt or production of health care record. Nev. Rev. Stat. § 629.051 (2007). | 5 years after receipt or production of health care record. Nev. Rev. Stat. § 629.051 (2007). |
New Hampshire | 7 years from the date of the patient’s last contact with the physician, unless the patient has requested that the records be transferred to another health care provider. N.H. Code Admin. R. Ann. Med 501.02(f)(8) (2008). | Adult patients 7 years after a patient’s discharge. Minor patients 7 years or until the minor reaches age 19, whichever is longer. N.H. Code Admin. R. Ann. He-P 802.06(h) (1994).(4) |
New Jersey | 7 years from the date of the most recent entry. N.J. Admin. Code § 13:35-6.5(b) (2008). | Adult patients 10 years following the most recent discharge. Minor patients 10 years following the most recent discharge or until the patient is 23 years of age, whichever is longer. Discharge summary sheets (all) 20 years after discharge. N.J. Stat. Ann. § 26:8-5 (2008). |
New Mexico | Adult patients 2 years beyond what is required by state insurance laws and by Medicare and Medicaid requirements. Minor patients 2 years beyond the date the patient is 18 (i.e., until the patient turns 20). N.M. Code R. § 16.10.17.10 (C) (2008). | Adult patients 10 years following the last treatment date of the patient. Minor patients Age of majority plus 1 year (i.e., until the patient turns 19). N.M. Stat. Ann. § 14-6-2 (2008); N.M. Code R. § 7.7.2.30 (2008). |
New York | Adult patients 6 years. Minor patients 6 years and until 1 year after the minor reaches the age of 18 (i.e., until the patient turns 19). N.Y. Education § 6530 (2008) (providing retention requirements in the definitions for professional misconduct of physicians). | Adult patients 6 years from the date of discharge. Minor patients 6 years from the date of discharge or 3 years after the patient reaches 18 years (i.e., until patient turns 21), whichever is longer. Deceased patients At least 6 years after death. N.Y. Comp. Codes R. & Regs. tit. 10, § 405.10(a)(4) (2008). |
North Carolina | 6 years as stipulated by basic HIPAA regulations. | Adult patients 11 years following discharge. Minor patients Until the patient’s 30th birthday. 10 A N.C. Admin. Code 13B.3903(a), (b) (2008). |
North Dakota | 6 years as stipulated by basic HIPAA regulations. | Adult patients 10 years after the last treatment date. Minor patients 10 years after the last treatment date or until the patient’s 21st birthday, whichever is later. N.D. Admin. Code 33-07-01.1-20(1)(b) (2007). |
Ohio | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
Oklahoma | 6 years as stipulated by basic HIPAA regulations. | Adult patients 5 years beyond the date the patient was last seen. Minor patients 3 years past the age of majority (i.e., until the patient turns 21). Deceased patients 3 years beyond the date of death. Okla. Admin. Code § 310:667-19-14 (2008). |
Oregon | 6 years as stipulated by basic HIPAA regulations. | 10 years after the date of last discharge. Master patient index—permanently. Or. Admin. R. 333-505-0050(9) and (15) (2008). |
Pennsylvania | Adult patients At least 7 years following the date of the last medical service. Minor patients 7 years following the date of the last medical service or 1 year after the patient reaches age 21 (i.e., until patient turns 22), whichever is the longer period. 49 Pa. Code § 16.95(e) (2008). | Adult patients 7 years following discharge. Minor patients 7 years after the patient attains majority(5) or as long as adult records would be maintained. 28 Pa. Code § 115.23 (2008). |
State | Medical Doctors | Hospitals |
---|---|---|
Puerto Rico | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
Rhode Island | 5 years unless otherwise required by law or regulation. R.I. Code R.14-140-031, § 11.3 (2008). | Adult patients 5 years following discharge of the patient. R.I. Code R. 14 090 007 § 27.10 (2008). Minor patients 5 years after patient reaches the age of 18 years (i.e., until patient turns 23). R.I. Code R. 14 090 007 § 27.10.1 (2008). |
South Carolina | Adult patients 10 years from the date of last treatment. Minor patients 13 years from the date of last treatment. S.C. Code Ann. § 44-115-120 (2007). | Adult patients 10 years. Minor patients Until the minor reaches age 18 and the “period of election” expires, which is usually 1 year after the minor reaches the age of majority (i.e., usually until patient turns 19). S.C. Code Ann. Regs. 61-16 § 601.7(A) (2007). See S.C. Code Ann. § 15-3-545 (2007).(7) |
South Dakota | When records have become inactive or for which the whereabouts of the patient are unknown to the physician. S.D. Codified Laws § 36-4-38 (2008). | Adult patients 10 years from the actual visit date of service or resident care. Minor patients 10 years from the actual visit date of service or resident care or until the minor reaches age of majority plus 2 years (i.e., until patient turns 20), whichever is later. See S.D. Admin. R. 44:04:09:08 (2008). |
Tennessee | Adult patients 10 years from the provider’s last professional contact with the patient. Minor patients 10 years from the provider’s last professional contact with the patient or 1 year after the minor reaches the age of majority (i.e., until patient turns 19), whichever is longer. Tenn. Comp. R. & Regs. 0880-2-.15 (2008). | Adult patients 10 years following the discharge of the patient or the patient's death during the patient's period of treatment within the hospital. Tenn. Code Ann. § 68-11-305(a)(1) (2008). Minor patients 10 years following discharge or for the period of minority plus at least one year (i.e., until patient turns 19), whichever is longer. Tenn. Code Ann. § 68-11-305(a)(2) (2008). |
Texas | Adult patients 7 years from the date of the last treatment. Minor patients 7 years after the date of the last treatment or until the patient reaches age 21, whichever date is later. 22 Tex. Admin. Code § 165.1(b) (2008).(8) | Adult patients 10 years after the patient was last treated in the hospital. Minor patients 10 years after the patient was last treated in the hospital or until the patient reaches age 20, whichever date is later. Tex. Health & Safety Code Ann. § 241.103 (2007); 25 Tex. Admin. Code § 133.41(j)(8) (2008).(8) |
Utah | 6 years as stipulated by basic HIPAA regulations. | Adult patients 7 years. Minor patients 7 years or until the minor reaches the age of 18 plus 4 years (i.e., patient turns 22), whichever is longer. Utah Admin. Code r. 432-100-33(4)(c) (2008). |
Vermont | 6 years as stipulated by basic HIPAA regulations. | 10 years. Vt. Stat. Ann. tit. 18, § 1905(8) (2007). |
Virginia | Adult patients 6 years after the last patient contact. Minor patients 6 years after the last patient contact or until the patient reaches age 18 (or becomes emancipated), whichever time period is longer. 18 Va. Admin. Code § 85-20-26(D) (2008). | Adult patients 5 years following patient’s discharge. Minor patients 5 years after patient has reached the age of 18 (i.e., until the patient reaches age 23). 12 Va. Admin. Code § 5-410-370 (2008). |
Washington | 6 years as stipulated by basic HIPAA regulations. | Adult patients 10 years following the patient’s most recent hospital discharge. Minor patients 10 years following the patient’s most recent hospital discharge or 3 years after the patient reaches the age of 18 (i.e., until the patient turns 21) whichever is longer. Wash. Rev. Code § 70.41.190 (2008). |
West Virginia | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
Wisconsin | 5 years from the date of the last entry in the record. Wis. Admin. Code Med. § 21.03 (2008). | 5 years. Wis. Admin. Code Health & Family Services §§ 124.14(2)(c), 124.18(1)(e) (2008). |
Wyoming | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
Type of Documentation | Retention Period | Citation/Reference |
---|---|---|
Abortions & related medical procedures | Must be maintained for three years. | 42 Code of Federal Regulations 50.309 |
Ambulatory/Outpatient/Day Surgery services | Not specified, would revert to the state statute, or the specific statute of limitations as outlined in the chart above. | 42 Code of Federal Regulations 416.47 |
Clinics/Rehabilitation Agencies/Public Health - Speech-Language Pathology Services | The state statute, or statute of limitations pertaining to medical records outlined in the chart above takes precedence. In the absence of direction from a state statute, federal regulations dictate that records should be helf for 5 years after the date of discharge. If the records belong to a minor then they need to be held for 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer. | 42 Code of Federal Regulations 485.721 (d) |
Clinics/Rehabilitation Agencies/Public Health - Outpatient Physical Therapy | The state statute, or statute of limitations pertaining to medical records outlined in the chart above takes precedence. In the absence of direction from a state statute, federal regulations dictate that records should be helf for 5 years after the date of discharge. If the records belong to a minor then they need to be held for 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer. | 42 Code of Federal Regulations 485.721 (d) |
Clinics - Rural Health | The state statutes outlined above take precedent. At a minimum, records are required to be kept for six years from the date of last entry. | 42 Code of Federal Regulations 491.10 (c) |
Competitve Medical Plans/Healthcare Plans/Healthcare Prepayment Plans | ||
Comprehensive outpatient rehabilitation facilities. Outpatient Rehabilitation Care. (CORFs) | Five years after patient has been discharged. | 42 Code of Federal Regulations 485.60 (c) |
Critical Access hospitals - Designated Eligible Rural Hospitals (CAHs) | Six years from patient discharge or date of last entry. Longer if required by a state statute outlined above OR if it is required in an ongoing proceeding/investigation. | 42 Code of Federal Regulations 485.628 (c) |
Department of Veterans Affairs | ||
Diagnostic and operation index file | There is a monthly listing that is destroyed after it is consolidated into a biannual listing. The biannual listing is destroyed 20 years after the date of report. | Records Control Schedule (RCS) 10-1, NC-15-76-10-, item 2 |
Disposition data files (Patient Treatment Files) | To be destroyed after one year and only after the patient treatment master record has been created. | Records Control Schedule (RCS) 10-1, NN-166-127, item 4a |
Gains and losses file | Destroy master set after one year. | Records Control Schedule (RCS) 10-1 Item 1100.38 |
Health Records Folder File or Consolidated Health Record (CHR) | Must be retained in the VA health care facility for 3 years after the last instance of care. Then converted to an Inactive Medical Record. | Records Control Schedule (RCS) 10-1, Item Number 6000.1, N1-15-91-6, item 1a |
Patient locator file | Must be retained in the medical facility for 75 years after the last instance of care. | Records Control Schedule (RCS) 10-1 - Item Number 1100.25 |
Register file | Destroyed after audit by VCS auditors (1 year must pass). | Records Control Schedule (RCS) 10-1, Item Number 5550.12 |
Tumor registry records and index cards | Must be retained at Veteran Affairs facility. Destroy 75 years after last update. | Records Control Schedule (RCS) 10-1, Item # 6675.1 |
The destruction of health information must be carried out following the federal and state laws outlined in the chart above. Additionally, records utilized in any active investigation or litigation must not be destroyed until the case has been closed. There is no set-in-stone requirements on how organizations destroy medical records. However, some states are required to notify patients how and when their records are being destroyed. The one caveat is that in the absence of superseding state law, records must be destroyed in a manner that allows for no chance of reconstruction of information.
Magnetic Tapes are Usually Destroyed by:
Paper Medical Records are Usually Destroyed by:
Microfilm Medical Records are Usually Destroyed by:
Computer Medical Records are Usually Destroyed by:
DVD Medical Records are Usually Destroyed by: