Table Of Contents
- Quick Answer: How Long Must Medical Records Be Kept?
- How Long Do Hospitals Keep Medical Records?
- Release of Medical Records Laws
- How Long Each State Requires to Keep Medical Records
- Federal Medical Record Destruction Policy
- Medical Record Destruction Policy
- Acceptable Destruction Methods of Medical Records
- Frequently Asked Questions
- Related Articles
- Sources and Legal References
Last Updated: January 2026 | Verified against current state statutes and HIPAA regulations
Quick Answer: How Long Must Medical Records Be Kept?
Medical record retention requirements vary by state, ranging from 5 to 10+ years depending on where you live and whether you’re an adult or minor patient. Most states require doctors to keep records for 6-7 years, while hospitals often must retain them for 7-10 years.
| Key Point | Answer |
|---|---|
| Federal minimum (HIPAA) | 6 years |
| Most common state requirement | 7-10 years after last treatment |
| Minor patients | Until age 18-21, then standard retention period |
| Longest retention (Massachusetts hospitals) | 30 years |
| Can I request my records? | Yes, within 30 days per HIPAA |
How Long Do Hospitals Keep Medical Records?
HIPAA is a federal law that requires your medical records to be retained for 6 years at a federal level. However, most states also have their own medical retention laws, which can be more stringent than HIPAA stipulates.
Look at the table below to see state-by-state medical retention record laws and regulations.
Release of Medical Records Laws
HIPAA privacy regulations allow patients the right to collect and view their health information, including medical and bill records, on-demand. A request for information must be granted within 30 days of the request. If there are extenuating circumstances, the covered entity must provide a reason within that 30-day time frame, and the records must still be provided within 60 days.
Note: If you are a healthcare provider looking for a HIPAA compliant method to store patient records, we recommend Caspio. You can build your own solution and enhance patient experience with digital patient forms or even allow patients convenient access to their own records.
How Long Each State Requires to Keep Medical Records
The statute of limitations for keeping medical records varies by state. Use this chart to see how long a medical provider is required to keep records until they are allowed to be destroyed. Additionally, there are also Federal Guidelines that must be followed for specific instances such as Competitive Medical Plans, Department of Veteran Affairs, Device Tracking. This chart is available below the state chart.
Medical Records Retention Laws by State
| State | Medical Doctors | Hospitals |
|---|---|---|
| Alabama | As long as may be necessary to treat the patient and for medical legal purposes. Ala. Admin. Code r. 545-X-4-.08 (2007). | 5 years. Ala. Admin. Code § 420-5-7.10 (adopting 42 C.F.R. § 482.24). |
| Alaska | 6 years as stipulated by basic HIPAA regulations. | Adult Patients: 7 Years after patient discharge. Minor Patients (Under 19): 7 Years after discharge or when the patient reaches the age of 21, whichever is longer. Alaska Stat. § 18.20.085(a) (2008). |
| Arizona | Adult patients: 6 years after the last date of services from the provider. Minor patients: 6 years after the last date of services from the provider, or until patient reaches the age of 21 whichever is longer. Ariz. Rev. Stat. § 12-2297 (2008). | Adult patients: 6 years after the last date of services from the provider. Minor patients: 6 years after the last date of services from the provider, or until patient reaches the age of 21 whichever is longer. Ariz. Rev. Stat. § 12-2297 (2008). |
| Arkansas | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years after the last discharge, but master patient index data must be kept permanently. Minor patients: Complete medical records must be retained 2 years after the age of majority (i.e., until patient turns 20). 016 24 Code Ark. Rules and Regs. 007 § 14(19) (2008). |
| California | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 7 years following discharge of the patient. Minor patients: 7 years following discharge or 1 year after the patient reaches the age of 18 (i.e., until patient turns 19) whichever is longer. Cal. Code Regs. tit. 22, § 70751(c) (2008). |
| Colorado | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years after the most recent patient care usage. Minor patients: 10 years after the patient reaches the age of majority (i.e., until patient turns 28). 6 Colo. Code Regs. § 1011-1, chap. IV, 8.102 (2008). |
| Connecticut | 7 years from the last date of treatment, or, upon the death of the patient, for 3 years. Conn. Agencies Regs. § 19a-14-42 (2008). | 10 years after the patient has been discharged. Conn. Agencies Regs. §§ 19-13-D3(d)(6) (2008). |
| Delaware | 7 years from the last entry date on the patient’s record. Del. Code Ann. tit. 24, §§ 1761 and 1702 (2008). | 6 years as stipulated by basic HIPAA regulations. |
| District of Columbia | Adult Patients: 3 years after last seeing the patient. Minor patients: 3 years after last seeing the patient or 3 years after patient reaches the age of 18 (i.e., until patient turns 21). D.C. Mun. Regs. tit. 17, § 4612.1 (2008). | 10 years following the date of discharge of the patient. D.C. Mun. Regs. tit. 22, § 2216 (2008). |
| Florida | 5 years from the last patient contact. Fla. Admin. Code Ann. 64B8-10.002(3) (2008). | Public hospitals: 7 years after the last entry. Florida Department of State, General Records Schedule GS4 for Public Hospitals. |
| Georgia | 10 years from the date the record item was created. See Ga. Code Ann. § 31-33-2(a)(1)(A) and (B)(i) (2008). | Adult patients: 5 years after the date of discharge. Minor patients: 5 years past the age of majority (i.e., until patient turns 23). See Ga. Code Ann. §§ 31-33-2(a)(1)(B)(ii) (2008). |
| Hawaii | Adult patients: Full medical records: 7 years after last data entry. Basic information: 25 years after the last record entry. Minor patients: Full medical records: 7 years after the patient reaches the age of majority (i.e., until patient turns 25). Basic information: 25 years after the minor reaches the age of majority. Haw. Rev. Stat. § 622-58 (2008). | Same as Medical Doctors. Haw. Rev. Stat. § 622-58 (2008). |
| Idaho | 6 years as stipulated by basic HIPAA regulations. | Clinical laboratory test records and reports: 5 years after the date of the test. Idaho Code Ann. § 39-1394 (2008). |
| Illinois | 6 years as stipulated by basic HIPAA regulations. | 10 years. See 210 Ill. Comp. Stat. 85/6.17(c) (2008). |
| Indiana | 7 Years. Burns Ind. Code Ann. § 16-39-7-1 (2008). | 7 Years. Burns Ind. Code Ann. § 16-39-7-1 (2008). |
| Iowa | Adult patients: 7 years from the last date of service. Minor patients: 1 year after the minor attains the age of majority (i.e., until patient turns 19). See Iowa Admin. Code r. 653-13.7(8) (2008); Iowa Code § 614.8 (2008). | 6 years as stipulated by basic HIPAA regulations. |
| Kansas | 10 years from when professional service was provided. Kan. Admin. Regs. § 100-24-2 (a) (2008). | Adult patients: Full records: 10 years after the last discharge of the patient. Minor patients: Full records: 10 years or 1 year beyond the date that the patient reaches the age of majority whichever is longer. Summary of destroyed records for both adults and minors—25 years. Kan. Admin. Regs. § 28-34-9a (d)(1) (2008). |
| Kentucky | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 5 years from date of discharge. Minor patients: 5 years from date of discharge or 3 years after the patient reaches the age of majority whichever is longer. 902 Ky. Admin. Regs. 20:016 (2007). |
| Louisiana | 6 years from the date a patient is last treated. La. Rev. Stat. Ann. §40:1299.96(A)(3)(a) (2008). | 10 years from the date a patient is discharged. La. Rev. Stat. Ann. § 40:2144(F)(1) (2008). |
| Maine | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 7 years. Minor patients: 6 years past the age of majority (i.e., until patient turns 24). See 10-144 Me. Code R. Ch. 112, § XII.B.1 (2008). Patient logs and written x-ray reports—permanently. |
| Maryland | Adult patients: 5 years after the record or report was made. Minor patients: 5 years after the report or record was made or until the patient reaches the age of majority plus 3 years (i.e., until patient turns 21), whichever date is later. MD. Code Ann., Health–Gen. §§ 4-403(a)–(c) (2008). | Same as Medical Doctors. MD. Code Ann., Health–Gen. §§ 4-403(a)–(c) (2008). |
| Massachusetts | Adult patients: 7 years from the date of the last patient encounter. Minor patients: 7 years from date of last patient encounter or until the patient reaches the age of 9, whichever is longer. 243 Mass. Code Regs. 2.07(13)(a) (2008). | 30 years after the discharge or the final treatment of the patient. Mass. Gen. Laws ch. 111, § 70 (2008). |
| Michigan | 7 years from the date of service. Mich. Comp. Laws § 333.16213 (2008). | 7 years from the date of service. Mich. Comp. Laws § 333.20175 (2008). |
| Minnesota | 6 years as stipulated by basic HIPAA regulations. | Most medical records: Permanently (in microfilm). Miscellaneous documents: Adult patients: 7 years. Minor patients: 7 years following the age of majority (i.e., until the patient turns 25). Minn. Stat. § 145.32 (2007) and Minn. R. 4642.1000 (2007). |
| Mississippi | 6 years as stipulated by basic HIPAA regulations. | Adult patients: Discharged in sound mind: 10 years. Discharged at death: 7 years. Minor patients: For the period of minority plus 7 years. Miss. Code Ann. § 41-9-69(1) (2008). |
| Missouri | 7 years from the date the last professional service was provided. Mo. Rev. Stat. § 334.097(2) (2008). | Adult patients: 10 years. Minor patients: 10 years or until patient’s 23rd birthday, whichever occurs later. Mo. Code Reg. tit. 19, § 30-094(15) (2008). |
| Montana | 6 years as stipulated by basic HIPAA regulations. | Adult patients: Entire medical record—10 years following the date of a patient’s discharge or death. Minor patients: Entire medical record—10 years following the date the patient either attains the age of majority or dies, whichever is earlier. Core medical record must be maintained at least an additional 10 years beyond the periods provided above. Mont. Admin. R. 37.106.402(1) and (4) (2007). |
| Nebraska | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years following a patient’s discharge. Minor patients (under 19): 10 years or until 3 years after the patient reaches age of majority, whichever is longer. Neb. Admin. Code 175 § 9-006.07A5 (2008). |
| Nevada | 5 years after receipt or production of health care record. Nev. Rev. Stat. § 629.051 (2007). | 5 years after receipt or production of health care record. Nev. Rev. Stat. § 629.051 (2007). |
| New Hampshire | 7 years from the date of the patient’s last contact with the physician, unless the patient has requested that the records be transferred to another health care provider. N.H. Code Admin. R. Ann. Med 501.02(f)(8) (2008). | Adult patients: 7 years after a patient’s discharge. Minor patients: 7 years or until the minor reaches age 19, whichever is longer. N.H. Code Admin. R. Ann. He-P 802.06(h) (1994). |
| New Jersey | 7 years from the date of the most recent entry. N.J. Admin. Code § 13:35-6.5(b) (2008). | Adult patients: 10 years following the most recent discharge. Minor patients: 10 years following the most recent discharge or until the patient is 23 years of age, whichever is longer. Discharge summary sheets (all): 20 years after discharge. N.J. Stat. Ann. § 26:8-5 (2008). |
| New Mexico | Adult patients: 2 years beyond what is required by state insurance laws and by Medicare and Medicaid requirements. Minor patients: 2 years beyond the date the patient is 18 (i.e., until the patient turns 20). N.M. Code R. § 16.10.17.10 (C) (2008). | Adult patients: 10 years following the last treatment date of the patient. Minor patients: Age of majority plus 1 year (i.e., until the patient turns 19). N.M. Stat. Ann. § 14-6-2 (2008); N.M. Code R. § 7.7.2.30 (2008). |
| New York | Adult patients: 6 years. Minor patients: 6 years and until 1 year after the minor reaches the age of 18 (i.e., until the patient turns 19). N.Y. Education § 6530 (2008). | Adult patients: 6 years from the date of discharge. Minor patients: 6 years from the date of discharge or 3 years after the patient reaches 18 years (i.e., until patient turns 21), whichever is longer. Deceased patients: At least 6 years after death. N.Y. Comp. Codes R. & Regs. tit. 10, § 405.10(a)(4) (2008). |
| North Carolina | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 11 years following discharge. Minor patients: Until the patient’s 30th birthday. 10 A N.C. Admin. Code 13B.3903(a), (b) (2008). |
| North Dakota | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years after the last treatment date. Minor patients: 10 years after the last treatment date or until the patient’s 21st birthday, whichever is later. N.D. Admin. Code 33-07-01.1-20(1)(b) (2007). |
| Ohio | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
| Oklahoma | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 5 years beyond the date the patient was last seen. Minor patients: 3 years past the age of majority (i.e., until the patient turns 21). Deceased patients: 3 years beyond the date of death. Okla. Admin. Code § 310:667-19-14 (2008). |
| Oregon | 6 years as stipulated by basic HIPAA regulations. | 10 years after the date of last discharge. Master patient index—permanently. Or. Admin. R. 333-505-0050(9) and (15) (2008). |
| Pennsylvania | Adult patients: At least 7 years following the date of the last medical service. Minor patients: 7 years following the date of the last medical service or 1 year after the patient reaches age 21 (i.e., until patient turns 22), whichever is the longer period. 49 Pa. Code § 16.95(e) (2008). | Adult patients: 7 years following discharge. Minor patients: 7 years after the patient attains majority or as long as adult records would be maintained. 28 Pa. Code § 115.23 (2008). |
| Rhode Island | 5 years unless otherwise required by law or regulation. R.I. Code R. 14-140-031, § 11.3 (2008). | Adult patients: 5 years following discharge of the patient. R.I. Code R. 14 090 007 § 27.10 (2008). Minor patients: 5 years after patient reaches the age of 18 years (i.e., until patient turns 23). R.I. Code R. 14 090 007 § 27.10.1 (2008). |
| South Carolina | Adult patients: 10 years from the date of last treatment. Minor patients: 13 years from the date of last treatment. S.C. Code Ann. § 44-115-120 (2007). | Adult patients: 10 years. Minor patients: Until the minor reaches age 18 and the “period of election” expires, which is usually 1 year after the minor reaches the age of majority (i.e., usually until patient turns 19). S.C. Code Ann. Regs. 61-16 § 601.7(A) (2007). |
| South Dakota | When records have become inactive or for which the whereabouts of the patient are unknown to the physician. S.D. Codified Laws § 36-4-38 (2008). | Adult patients: 10 years from the actual visit date of service or resident care. Minor patients: 10 years from the actual visit date of service or resident care or until the minor reaches age of majority plus 2 years (i.e., until patient turns 20), whichever is later. See S.D. Admin. R. 44:04:09:08 (2008). |
| Tennessee | Adult patients: 10 years from the provider’s last professional contact with the patient. Minor patients: 10 years from the provider’s last professional contact with the patient or 1 year after the minor reaches the age of majority (i.e., until patient turns 19), whichever is longer. Tenn. Comp. R. & Regs. 0880-2-.15 (2008). | Adult patients: 10 years following the discharge of the patient or the patient’s death during the patient’s period of treatment within the hospital. Tenn. Code Ann. § 68-11-305(a)(1) (2008). Minor patients: 10 years following discharge or for the period of minority plus at least one year (i.e., until patient turns 19), whichever is longer. Tenn. Code Ann. § 68-11-305(a)(2) (2008). |
| Texas | Adult patients: 7 years from the date of the last treatment. Minor patients: 7 years after the date of the last treatment or until the patient reaches age 21, whichever date is later. 22 Tex. Admin. Code § 165.1(b) (2008). | Adult patients: 10 years after the patient was last treated in the hospital. Minor patients: 10 years after the patient was last treated in the hospital or until the patient reaches age 20, whichever date is later. Tex. Health & Safety Code Ann. § 241.103 (2007); 25 Tex. Admin. Code § 133.41(j)(8) (2008). |
| Utah | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 7 years. Minor patients: 7 years or until the minor reaches the age of 18 plus 4 years (i.e., patient turns 22), whichever is longer. Utah Admin. Code r. 432-100-33(4)(c) (2008). |
| Vermont | 6 years as stipulated by basic HIPAA regulations. | 10 years. Vt. Stat. Ann. tit. 18, § 1905(8) (2007). |
| Virginia | Adult patients: 6 years after the last patient contact. Minor patients: 6 years after the last patient contact or until the patient reaches age 18 (or becomes emancipated), whichever time period is longer. 18 Va. Admin. Code § 85-20-26(D) (2008). | Adult patients: 5 years following patient’s discharge. Minor patients: 5 years after patient has reached the age of 18 (i.e., until the patient reaches age 23). 12 Va. Admin. Code § 5-410-370 (2008). |
| Washington | 6 years as stipulated by basic HIPAA regulations. | Adult patients: 10 years following the patient’s most recent hospital discharge. Minor patients: 10 years following the patient’s most recent hospital discharge or 3 years after the patient reaches the age of 18 (i.e., until the patient turns 21) whichever is longer. Wash. Rev. Code § 70.41.190 (2008). |
| West Virginia | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
| Wisconsin | 5 years from the date of the last entry in the record. Wis. Admin. Code Med. § 21.03 (2008). | 5 years. Wis. Admin. Code Health & Family Services §§ 124.14(2)(c), 124.18(1)(e) (2008). |
| Wyoming | 6 years as stipulated by basic HIPAA regulations. | 6 years as stipulated by basic HIPAA regulations. |
Federal Medical Record Destruction Policy
| Type of Documentation | Retention Period | Citation/Reference |
|---|---|---|
| Abortions & related medical procedures | Must be maintained for three years. | 42 Code of Federal Regulations 50.309 |
| Ambulatory/Outpatient/Day Surgery services | Not specified, would revert to the state statute, or the specific statute of limitations as outlined in the chart above. | 42 Code of Federal Regulations 416.47 |
| Clinics/Rehabilitation Agencies/Public Health – Speech-Language Pathology Services | 5 years after the date of discharge. Minor patients: 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer. | 42 Code of Federal Regulations 485.721 (d) |
| Clinics/Rehabilitation Agencies/Public Health – Outpatient Physical Therapy | 5 years after the date of discharge. Minor patients: 3 years after the patient becomes of age OR 5 years after the date of patient discharge, whichever is longer. | 42 Code of Federal Regulations 485.721 (d) |
| Clinics – Rural Health | At a minimum, records are required to be kept for six years from the date of last entry. | 42 Code of Federal Regulations 491.10 (c) |
| Comprehensive outpatient rehabilitation facilities (CORFs) | Five years after patient has been discharged. | 42 Code of Federal Regulations 485.60 (c) |
| Critical Access hospitals (CAHs) | Six years from patient discharge or date of last entry. Longer if required by a state statute or if required in an ongoing proceeding/investigation. | 42 Code of Federal Regulations 485.628 (c) |
| Department of Veterans Affairs – Health Records | 3 years after the last instance of care, then converted to an Inactive Medical Record. Patient locator file: 75 years. | Records Control Schedule (RCS) 10-1 |
Medical Record Destruction Policy
The destruction of health information must be carried out following the federal and state laws outlined in the chart above. Additionally, records utilized in any active investigation or litigation must not be destroyed until the case has been closed.
There is no set-in-stone requirements on how organizations destroy medical records. However, some states are required to notify patients how and when their records are being destroyed. The one caveat is that in the absence of superseding state law, records must be destroyed in a manner that allows for no chance of reconstruction of information.
Acceptable Destruction Methods of Medical Records
Magnetic Tapes are Usually Destroyed by:
- Demagnetizing
Paper Medical Records are Usually Destroyed by:
- Burning
- Pulping
- Shredding
- Pulverizing
Microfilm Medical Records are Usually Destroyed by:
- Recycling
- Pulverizing
- Burning
Computer Medical Records are Usually Destroyed by:
- Magnetic Degaussing
DVD Medical Records are Usually Destroyed by:
- Shredding
- Cutting
Frequently Asked Questions
How long do doctors have to keep medical records?
Most states require doctors to keep medical records for 6-10 years after the last patient encounter. The federal minimum under HIPAA is 6 years.
How long do hospitals keep medical records?
Hospital retention periods vary widely by state, from 5 years (Nevada) to 30 years (Massachusetts). Most states require 7-10 years.
How long are minor patients’ records kept?
Minor patients’ records are typically kept until they reach the age of majority (18) plus an additional 3-7 years, depending on the state.
Can I request my medical records?
Yes. Under HIPAA, you have the right to access your medical records. Healthcare providers must respond to your request within 30 days.
What happens to medical records after the retention period?
After the required retention period, medical records must be destroyed in a manner that prevents any possibility of reconstruction. Methods include shredding, burning, or degaussing.
Related Articles
- How to Find Old Medical Records Online
- How Long Do Hospitals Keep Medical Records?
- Are 911 Calls Public Records?
- Does a Failed Drug Test Show Up on Your Record?
Sources and Legal References
| Source | Description |
|---|---|
| HHS HIPAA | Federal HIPAA regulations |
| 45 CFR § 164.530 | HIPAA retention requirements |
| State Administrative Codes | Individual state regulations (cited in table) |
Disclaimer: This information is provided for educational purposes and should not be considered legal advice. Medical record retention laws can change. Consult with a qualified healthcare attorney for advice on your specific situation.
]]>
Looking for clarification.
Sample patient:
Last date of service: June 2014
Does this chart need to be retained 7 years to the date
i.e. June 2021
or can it be shredded Jan 2021 having been retained
2014, 2015, 2016, 2017 ,2018, 2019 & 2020 : through 7 years?
Hello, medical record retention laws count the anniversary of each year as one year. Often times they can be kept further, but for legal purposes the records must be kept for 7 years to the date of the anniversary.