Medical Records Retention Laws by State (2026 Guide)

Medical records retention laws determine how long hospitals, doctors, and other healthcare providers must keep your health information on file. These laws vary significantly from state to state, with retention periods ranging from 3 years in Wyoming to 20 years for hospitals in Massachusetts.
This guide covers every state's requirements, federal rules under HIPAA and Medicare, special rules for minors and deceased patients, your rights as a patient, and what happens when records are destroyed.
Federal Requirements: What HIPAA Actually Says
One of the most common misconceptions in healthcare law is that HIPAA requires providers to keep medical records for a specific number of years. It does not.

HIPAA Documentation vs. Medical Records
HIPAA requires covered entities to retain HIPAA-related administrative documentation (privacy policies, procedures, training records, business associate agreements, complaint records) for 6 years from the date of creation or last effective date under 45 CFR 164.530(j).
This 6-year requirement applies to HIPAA compliance paperwork, not to patient medical records. How long actual patient records must be kept is determined by state law.
Medicare and Medicaid Requirements
CMS Conditions of Participation set separate federal minimums for providers participating in Medicare or Medicaid:
| Provider Type | Minimum Retention | Authority |
|---|---|---|
| Hospitals | 5 years after discharge | 42 CFR 482.24 |
| Medicare providers (general) | 7 years from date of service | CMS guidelines |
| Medicare Part D sponsors | 10 years from date of service | CMS guidelines |
| OSHA employee health records | Employment + 30 years | 29 CFR 1910.1020 |

Which Law Controls?
The stricter requirement always applies. If state law requires 10 years and federal law requires 7 years, the provider must retain records for 10 years. If federal law requires 7 years and the state only requires 5, the provider must retain for 7 years.
HIPAA Record Retention: What the Law Actually Requires
The phrase "HIPAA record retention" causes significant confusion among patients and providers alike. Many people believe HIPAA mandates keeping medical records for 7 years. This is incorrect. The 7-year figure comes from Medicare, not HIPAA.
The 6-Year HIPAA Rule
Under 45 CFR 164.530(j), HIPAA requires covered entities to retain only administrative compliance documents for 6 years. These documents include:
- Privacy and security policies and procedures
- Risk assessments and security incident reports
- Breach notification documentation
- Workforce training records and acknowledgments
- Business Associate Agreements (BAAs)
- Patient complaint records and their resolution
- Notices of Privacy Practices
This is a document retention rule, not a medical record retention rule. The distinction matters because many healthcare organizations conflate the two and apply the wrong standard.
Where the "7 Year" Myth Comes From
The widespread belief that "HIPAA requires 7 years" originates from three sources:
Medicare's 7-year requirement. CMS requires Medicare providers to retain records for 7 years from the date of service. Because most healthcare providers participate in Medicare, this 7-year rule applies to them through CMS, not through HIPAA.
State laws. Many large states (California, Indiana, Pennsylvania, Texas, and others) set their retention period at 7 years. When providers in those states hear "7 years," they assume it comes from HIPAA.
Incorrect compliance training. Some compliance training materials state "HIPAA requires 7 years" without distinguishing between HIPAA administrative documentation requirements and state medical record retention laws.
What Providers Should Actually Do
Healthcare providers must follow three overlapping rules and keep records for whichever period is longest:
- HIPAA administrative documents: 6 years from creation or last effective date
- State medical record law: Varies by state (3 to 20 years)
- Federal program participation: 7 years for Medicare, 10 years for Medicare Part D
For most providers, the state law or Medicare requirement will be longer than the HIPAA administrative documentation rule. The AMA recommends a best practice of retaining all patient records for at least 10 years from the date of last treatment, regardless of state minimums.
Medical Records Retention by State
The table below shows retention requirements for all 50 states and the District of Columbia. Where states have different rules for hospitals and physician offices, both are listed.
| State | Adult Retention | Minor Retention | Key Statute |
|---|---|---|---|
| Alabama | 5-7 years | 5 yrs after age 19 | Ala. Admin. Code r. 540-X-9-.10 |
| Alaska | 7 years | 2 yrs after age 19 or 7 yrs (longer) | Alaska Stat. 18.20.085 |
| Arizona | 6 years | 3 yrs after age 18 or 6 yrs (later) | Ariz. Rev. Stat. 12-2297 |
| Arkansas | 10 years | 10 yrs or 2 yrs after age 18 (longer) | Ark. Code R. 007.05.17 |
| California | 7 years | 1 yr after age 18 (min 7 yrs) | Cal. HSC 123145 |
| Colorado | 10 years | Until age 28 | 6 CCR 1011-1 |
| Connecticut | 7 yrs (physicians); 10 yrs (hospitals) | Same as adult | Conn. Agencies Regs. 19a-14-42 |
| Delaware | 7 years (physicians) | Not specified | Del. Code tit. 24, 1761 |
| District of Columbia | 5 years | 5 yrs after majority | D.C. Code 3-1210.11 |
| Florida | 5 years | Same as adult | Fla. Stat. 395.3025 |
| Georgia | 10 years (physicians) | 5 yrs after majority | O.C.G.A. 31-33-2 |
| Hawaii | 7 years | 7 yrs after age 18 | Haw. Rev. Stat. 622-58 |
| Idaho | 5 years (hospitals) | Not specified | Idaho Code 39-1394 |
| Illinois | 10 years | Not specified | 735 ILCS 5/8-2001 |
| Indiana | 7 years | Not specified | 410 IAC 15-1-9 |
| Iowa | 7 years | 1 yr after age 18 | Iowa Admin. Code 653-13.7 |
| Kansas | 10 years | 1 yr after majority | Kan. Admin. Regs. 28-34-9a |
| Kentucky | 5 years (hospitals) | Until age 21 | 902 KAR 20:016 |
| Louisiana | 6 yrs (physicians); 10 yrs (hospitals) | Not specified | La. Rev. Stat. 40:2144 |
| Maine | 7 years | 6 yrs after age 18 | 10-144 CMR ch. 112 |
| Maryland | 5 years | Until age 25 | COMAR 10.01.16.04 |
| Massachusetts | 7 yrs (physicians); 20 yrs (hospitals) | Not specified | Mass. Gen. Laws ch. 111, 70 |
| Michigan | 7 years; 15 yrs (sensitive exams) | Not specified | MCL 333.16213 |
| Minnesota | 7 yrs (portions); permanent (core) | Not specified | Minn. Stat. 145.32 |
| Mississippi | 5 years | Not specified | 30 Miss. Admin. Code 2635 |
| Missouri | 7 yrs (physicians); 10 yrs (public hospitals) | Until age 23 (public hospitals) | Mo. Rev. Stat. 109.255 |
| Montana | 6 yrs (facilities); 10 yrs (physicians) | 10 yrs after majority | Mont. Admin. R. 37.106.314 |
| Nebraska | No mandatory period | Until age 22 | Neb. Rev. Stat. 71-8403 |
| Nevada | 5 years | Until age 23 | NAC 449.379 |
| New Hampshire | 7 years | 1 yr after age 18 (min 7 yrs) | N.H. Admin. Code He-P 802.20 |
| New Jersey | 7 yrs (physicians); 10 yrs (hospitals) | Until age 23 (hospitals) | N.J.A.C. 8:43G-15.2 |
| New Mexico | 10 years | Until age 21 | N.M. Stat. Ann. 14-6-2 |
| New York | 6 years | Until age 19 or 6 yrs (later) | N.Y. Educ. Law 6530 |
| North Carolina | 11 years (hospitals) | Until age 30 | 10A NCAC 13B .3903 |
| North Dakota | 10 years | Until age 21 or 10 yrs (later) | NDAC 33-07-01.1-20 |
| Ohio | 6 years | Not specified | Ohio Admin. Code 3701-83-19 |
| Oklahoma | 5 years | Not specified | OAC 310:667-19-14 |
| Oregon | 10 years | Not specified | Or. Admin. R. 333-505-0050 |
| Pennsylvania | 7 years | Until age 19 (1 yr after majority) | 49 Pa. Code 16.95 |
| Rhode Island | 5 yrs (hospitals); 7 yrs (physicians) | 5 yrs after age 18 | R.I. Gen. Laws 5-37-22 |
| South Carolina | 10 years | 13 years from last treatment | S.C. Code Ann. 44-115-120 |
| South Dakota | 10 years (guidance) | Not specified | S.D. Admin. R. 44:73:09:06 |
| Tennessee | 10 years | Until age 19-21 (longer) | Tenn. R. 1050-02-.18 |
| Texas | 7 years | Until age 21 or 7 yrs (longer) | 22 TAC 163.2 |
| Utah | 7 years | 3 yrs after age 18 (min 5 yrs) | Utah Admin. Code R432-100-33 |
| Vermont | 10 years | Not specified | VT Code R. 946 |
| Virginia | 5 yrs (hospitals); 6 yrs (physicians) | Until age 23 (hospitals) | 12 VAC 5-410-230 |
| Washington | 10 years | Until age 21 or 10 yrs (longer) | WAC 246-320-141 |
| West Virginia | Not specified | Not specified | W.Va. CSR 64-12-7.2 |
| Wisconsin | 5 years | Not specified | Wis. Admin. Code Med. 21.03 |
| Wyoming | 3 years | Not specified | Wyo. Stat. 35-2-606 |

States with the Longest Requirements
Several states require significantly longer retention periods than the national average.
Massachusetts requires hospitals to keep records for 20 years after discharge or final treatment under Mass. Gen. Laws ch. 111, 70. This is the longest single-state requirement in the country. Physician offices must retain records for 7 years.
Minnesota requires hospitals to permanently retain what the commissioner of health defines as the "individual permanent medical record" under Minn. Stat. 145.32. Other portions of the record may be divested after 7 years, but core records must be kept indefinitely.
North Carolina requires hospitals to retain records for 11 years after discharge under 10A NCAC 13B .3903. Records of minors must be kept until the patient's 30th birthday, the longest minor-specific requirement in the nation.
South Carolina requires physicians to retain records for 10 years, with an extended period of 13 years for records of minors under S.C. Code Ann. 44-115-120.
States with the Shortest Requirements
Wyoming has the shortest retention requirement at just 3 years for hospital records under Wyo. Stat. 35-2-606.
Florida, Kentucky, Nevada, Oklahoma, and Wisconsin all require only 5 years of retention for at least some provider types.
Nebraska does not impose a specific mandatory retention period in its statutes. However, providers may not destroy records after receiving a patient request under Neb. Rev. Stat. 71-8403.
West Virginia does not specify a duration but requires records to be preserved in their original form, microfilm, or electronic format.
Hospital vs. Physician Office Differences
Many states set different retention periods for hospitals and private physician offices. In some states, hospitals must keep records longer; in others, physician offices have the longer requirement.
| State | Hospital | Physician Office |
|---|---|---|
| Massachusetts | 20 years | 7 years |
| Louisiana | 10 years | 6 years |
| Connecticut | 10 years | 7 years |
| New Jersey | 10 years | 7 years |
| Virginia | 5 years | 6 years |
| Rhode Island | 5 years | 7 years |
| Montana | 6 years (facilities) | 10 years |

Pediatric and Minor Patient Records
Children's medical records receive special protection in most states. Because minors cannot file legal claims on their own behalf, many states extend the retention period until well after the child reaches the age of majority. This section pulls together all minor-specific retention requirements from the 50-state table above.
Why Pediatric Records Are Kept Longer
Two legal principles drive longer retention for pediatric records:
Statute of limitations tolling. In most states, the statute of limitations for medical malpractice does not begin to run until the minor reaches the age of majority (typically 18). A child injured at birth may have until age 20 or 21 to file a claim, depending on the state's limitations period.
Continuity of care. Pediatric vaccination records, growth charts, developmental assessments, and childhood illness histories all inform adult medical decisions. The American Academy of Pediatrics recommends pediatricians retain records indefinitely when feasible.
Minor Retention Requirements by State (Longest to Shortest)
The table below shows every state with a specific minor retention requirement, sorted from the longest to shortest period.
| State | Minor Retention Requirement | Effective Until Age |
|---|---|---|
| North Carolina | Until age 30 | 30 |
| Colorado | Until age 28 | 28 |
| Montana | 10 yrs after majority | 28 |
| Hawaii | 7 yrs after age 18 | 25 |
| Maryland | Until age 25 | 25 |
| Alabama | 5 yrs after age 19 | 24 |
| Maine | 6 yrs after age 18 | 24 |
| District of Columbia | 5 yrs after majority | 23 |
| Georgia | 5 yrs after majority | 23 |
| Missouri | Until age 23 (public hospitals) | 23 |
| Nevada | Until age 23 | 23 |
| New Jersey | Until age 23 (hospitals) | 23 |
| Rhode Island | 5 yrs after age 18 | 23 |
| Virginia | Until age 23 (hospitals) | 23 |
| Nebraska | Until age 22 | 22 |
| Arizona | 3 yrs after age 18 or 6 yrs (later) | 21 |
| Alaska | 2 yrs after age 19 or 7 yrs (longer) | 21 |
| Kentucky | Until age 21 | 21 |
| New Mexico | Until age 21 | 21 |
| North Dakota | Until age 21 or 10 yrs (later) | 21+ |
| Texas | Until age 21 or 7 yrs (longer) | 21+ |
| Utah | 3 yrs after age 18 (min 5 yrs) | 21 |
| Washington | Until age 21 or 10 yrs (longer) | 21+ |
| Arkansas | 10 yrs or 2 yrs after age 18 (longer) | 20 |
| Tennessee | Until age 19-21 (longer) | 19-21 |
| California | 1 yr after age 18 (min 7 yrs) | 19 |
| Iowa | 1 yr after age 18 | 19 |
| Kansas | 1 yr after majority | 19 |
| New Hampshire | 1 yr after age 18 (min 7 yrs) | 19 |
| New York | Until age 19 or 6 yrs (later) | 19+ |
| Pennsylvania | Until age 19 (1 yr after majority) | 19 |
| South Carolina | 13 years from last treatment | Varies |

States not listed above (Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, Ohio, Oklahoma, Oregon, South Dakota, Vermont, West Virginia, Wisconsin, Wyoming) either apply the same retention period as adult records or do not specify a separate minor retention requirement.
How Long Do Pediatricians Keep Records?
Pediatricians follow the same state retention laws as other physicians, but practical considerations often push them to retain records longer. The AAP recommends that pediatric practices retain records for at least the period of the statute of limitations for medical malpractice in their state, measured from the patient's 18th birthday. In states with a 2-year statute of limitations, that means keeping records until the former patient turns 20 at minimum.
For pediatric specialties (pediatric surgery, pediatric cardiology, neonatology), the risk profile often justifies permanent retention of key records.
How Long to Keep Medical Records After a Patient Dies
A patient's death does not end the legal obligation to retain their medical records. Providers must continue to follow both state retention laws and federal rules for deceased patients.
State Retention Rules Still Apply
In most states, the retention clock is based on the date of last treatment or discharge, not the date of death. If a patient was last treated in 2020 and the state requires 7 years of retention, the records must be kept until 2027 regardless of whether the patient dies in 2021 or 2025.
A few states measure retention from the date of death:
- New York requires records to be kept for 6 years after the date of death under N.Y. Educ. Law 6530.
- Mississippi requires records of deceased patients to be retained for 7 years after death.
- Texas measures certain retention periods from the date of death for deceased patients under 22 TAC 163.2.
Medicare Records for Deceased Patients
Medicare providers must retain records for 7 years from the date of service, regardless of patient death. Hospitals participating in Medicare must keep records for at least 5 years after discharge under 42 CFR 482.24. These requirements do not change when a patient dies.
For Medicare beneficiaries who die during treatment, the 7-year retention period runs from the last date of service, not the date of death. However, because many Medicare patients are treated near the end of life, the two dates are often close together.
The 50-Year HIPAA Privacy Rule
HIPAA protects the individually identifiable health information of a deceased person for 50 years following the date of death under 45 CFR 164.502(f). During this period, the same HIPAA privacy protections apply as for a living patient.
This 50-year rule is a privacy protection, not a retention requirement. Providers are not required to keep records for 50 years. They must follow their state's retention schedule for how long to keep the records. But as long as the records exist within that 50-year window, they must be treated as protected health information.
After 50 years, the deceased individual's health information is no longer considered PHI and may be used or disclosed without regard to HIPAA restrictions.
Estate and Legal Considerations
Executors and personal representatives of a deceased patient have the same right to access medical records as the patient did. Under HIPAA, a personal representative of a deceased individual is anyone authorized under state law to act on behalf of the decedent or the estate.
Providers should retain records beyond the minimum retention period if:
- A wrongful death or malpractice lawsuit is pending or anticipated
- The estate is still being administered
- Insurance claims related to the patient's treatment are unresolved
- An investigation by a government agency is underway
Your Right to Access Medical Records
HIPAA gives patients (and their personal representatives) the legal right to access and obtain copies of their protected health information.
Response Time
Providers must act on a records request within 30 calendar days of receipt. They may extend by an additional 30 days with written notice explaining the delay. HHS encourages providers to respond as quickly as possible, noting that 30 days is the outer limit.
Fees
Providers may charge only "reasonable, cost-based" fees for copies. The fee may include the cost of labor for copying, supplies, and postage. It may not include the cost of searching for records, retrieving records, or maintaining records systems.
For electronic copies of records maintained electronically, providers may charge a flat fee of $6.50 or less (inclusive of all labor, supplies, and postage). This flat fee is an alternative to calculating actual costs.
What Providers Cannot Deny
Providers cannot deny access to your medical records because you have an unpaid bill, because the records are old, or because the request is inconvenient. Limited exceptions exist for psychotherapy notes, information compiled for legal proceedings, and certain lab results.
Information Blocking
The 21st Century Cures Act prohibits providers from engaging in "information blocking," defined as practices likely to interfere with access to, exchange of, or use of electronic health information. Penalties reach up to $1 million per violation for health IT developers. Provider-specific disincentives were finalized by HHS in June 2024.
What Happens When a Practice Closes
When a physician retires, relocates, or closes a practice, the provider must still ensure patient records are preserved for the required retention period. The American Medical Association recommends the following steps:
- Notify patients at least 60 days before closure
- Offer patients the option to transfer records to another provider
- Offer patients the option to receive a personal copy
- Notify the state medical board
- Arrange for a custodian to maintain records for the remaining retention period
- Destroy any records that have exceeded the retention period using HIPAA-compliant methods
Some states have specific closure requirements. North Carolina requires hospitals that discontinue operations to store records with a retrieval-service business for 11 years. Georgia requires providers who retire or sell their practice to give patients notice under O.C.G.A. 31-33-2.
Medical Record Retention and Destruction Policy
Every healthcare organization should have a written record retention and destruction policy. Without one, staff have no clear guidance on when records can be destroyed, which increases the risk of both premature destruction and indefinite accumulation of records.
What a Retention and Destruction Policy Should Cover
A compliant policy should address each of the following areas:
Retention schedule. List every record type (patient charts, billing records, radiology images, lab results, consent forms) and the retention period for each. Base retention periods on the applicable state law, federal requirements, and the organization's malpractice insurance recommendations.
Legal holds. Define the process for suspending destruction when records are subject to litigation, government investigation, or audit. Records under legal hold must not be destroyed regardless of their age.
Destruction methods. Specify approved methods: shredding, burning, or pulverizing for paper records; clearing, purging/degaussing, or physical destruction for electronic media.
Destruction documentation. Require a destruction log that records the date, method, description of records destroyed, and the name of the person who performed or witnessed the destruction.
Business associate requirements. If a third party handles destruction, the policy must require a Business Associate Agreement and verification that the vendor follows HIPAA-compliant destruction methods.
Employee training. Staff must be trained on the policy at hire and at regular intervals. Training records must be retained for 6 years under HIPAA.
When Can Medical Records Be Destroyed?
Medical records can be destroyed only after all of the following conditions are met:
- The state-mandated retention period has expired
- Any applicable federal retention period (Medicare, OSHA) has expired
- No legal hold is in effect for those records
- No pending patient request for records exists
- The statute of limitations for malpractice claims has expired
If all five conditions are satisfied, records may be destroyed using approved methods.
Proper Destruction Methods
HIPAA requires that medical records be rendered "essentially unreadable, indecipherable, and otherwise cannot be reconstructed" when destroyed.
Paper records: shredding, burning, or pulverizing.
Electronic records: clearing (overwriting with non-sensitive data), purging/degaussing (using a strong magnetic field), or physical destruction of the storage media.
Records may never be placed in dumpsters, recycling bins, or other publicly accessible receptacles. Providers may hire a business associate to handle disposal, but a business associate agreement must be in place.
State Notification Requirements
Most states do not require notification before destroying records that have exceeded the retention period. Notable exceptions include Mississippi, which requires 6 months' notice to patients before destruction, and Massachusetts, which requires hospitals to notify the Department of Public Health.
Penalties for Improper Destruction
HIPAA civil penalties for improper disposal of protected health information range from $141 to $2,134,831 per violation, depending on the level of negligence. Criminal penalties for knowing violations can reach $250,000 and 10 years' imprisonment.
As of December 2025, HHS has resolved 54 Right of Access enforcement actions and collected over $144 million in HIPAA settlements and penalties since the program began.
Recent Changes (2024-2026)
Texas EHR Storage Requirement
Texas SB 1188, effective January 1, 2026, requires all electronic health records to be stored within the United States. This applies retroactively to all records regardless of when they were created.
Substance Use Disorder Records
The 42 CFR Part 2 final rule, effective April 16, 2024, with compliance required by February 16, 2026, aligns substance use disorder patient record protections with HIPAA. HHS OCR announced a new civil enforcement program for these records in February 2026.
HIPAA Security Rule Update
In December 2024, HHS published a proposed rule to strengthen cybersecurity requirements for electronic protected health information. The proposal would eliminate the distinction between "required" and "addressable" implementation specifications, making all security measures mandatory.