How long does HIPAA require a hospital to keep patient medical records, and is it different for minors?
A common misconception is that HIPAA sets a single retention period for patient medical records. It does not. Understanding what HIPAA actually requires—and where retention periods really come from—helps hospitals build defensible schedules.
What HIPAA Actually Requires
The HIPAA Privacy and Security Rules do not establish a national retention period for the underlying clinical record (the chart, imaging, lab results, and treatment notes). Instead, HIPAA requires covered entities to retain certain HIPAA compliance documentation—such as privacy policies, notices of privacy practices, authorizations, and records of disclosures—for six years from the date of creation or the date the document was last in effect, whichever is later.
In short: the six-year rule governs the paperwork that proves you followed HIPAA, not how long you must keep the medical chart itself.
Where Medical Record Retention Comes From
Retention of the actual patient record is generally set by state law and by program requirements such as Medicare conditions of participation, Medicaid, accreditation standards, and professional licensing rules. These vary widely.
Hospitals typically build a retention schedule by layering several obligations:
- State statutes and regulations for hospital and physician records
- Federal program rules (for example, Medicare requirements)
- Accreditation and licensing standards
- Anticipated litigation or audit needs
Because periods differ by jurisdiction, confirm the specific requirements in each state where you operate rather than relying on a single number.
Why Minors Are Treated Differently
For minors, retention is almost always longer. State laws commonly require records to be kept until the patient reaches the age of majority (often 18) plus an additional number of years—frequently tied to the statute of limitations for filing a claim. A record created for a young child may therefore need to be retained well into that person’s adulthood.
Building a Defensible Approach
Sound practice is to:
- Identify every applicable retention obligation, then keep records for the longest required period.
- Document the legal basis for each rule in your retention schedule.
- Apply legal holds that suspend destruction when litigation or investigation is reasonably anticipated.
- Dispose only through a consistent, documented process.
For broader context on aligning retention with legal and regulatory requirements, see the compliance standards topic hub. Always validate specific periods against current state law and program requirements before finalizing a schedule.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How long does HIPAA require a hospital to keep patient medical records, and is it different for minors?. Records Management University. https://www.recordsmgmt.org/questions/how-long-does-hipaa-require-keeping-patient-medical-records-and-for-minors/
MLA
RM University Editorial. "How long does HIPAA require a hospital to keep patient medical records, and is it different for minors?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-does-hipaa-require-keeping-patient-medical-records-and-for-minors/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?