How long does HIPAA require healthcare providers to keep patient medical records, and is that different from state retention laws?
A common misconception is that HIPAA sets a single nationwide retention period for patient medical records. It does not. The answer depends on distinguishing two different things: the records HIPAA actually governs, and the medical records that state law governs.
What HIPAA Actually Requires
The HIPAA Privacy and Security Rules do impose a recordkeeping requirement, but it applies to HIPAA compliance documentation — not to the clinical record itself. Covered entities and business associates must retain documents such as privacy policies, notices of privacy practices, risk analyses, and records of disclosures. Federal regulation requires these compliance documents to be kept for a set period (generally six years from creation or from the date last in effect, whichever is later).
Importantly, HIPAA is largely silent on how long the underlying patient medical chart must be retained. That gap is filled by other authorities.
What State Law Governs
Retention of the actual medical record — chart notes, test results, imaging, treatment history — is set by state law and, in some cases, by federal program rules (for example, requirements tied to Medicare/Medicaid participation or conditions of certain federal grants).
State requirements vary widely and typically differ based on:
- Provider type (hospital, physician practice, pharmacy, nursing facility)
- Patient age — records for minors are usually kept until some years past the age of majority
- Record type — radiology, lab, and immunization records may carry their own periods
Because of this, the same record may face very different retention obligations in two neighboring states.
How the Two Fit Together
HIPAA does not preempt stricter state privacy or retention rules. The practical principle for records professionals is to apply the most stringent applicable requirement:
- Identify the longest retention period among all sources — state law, federal program rules, and HIPAA’s six-year documentation rule.
- Layer in any legal hold or litigation, audit, or research obligations, which can extend retention beyond the baseline.
- Document the legal citation behind each retention period in your schedule so decisions are defensible.
This “highest bar wins” approach keeps an organization compliant across overlapping regimes and supports defensible disposition once all obligations expire.
For a broader treatment of how to build and defend retention rules, see the retention and disposition topic hub. Always confirm current periods against your specific state statutes and applicable federal program requirements.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ARMA International — ARMA International
How to cite this page
APA
RM University Editorial. (2026). How long does HIPAA require healthcare providers to keep patient medical records, and is that different from state retention laws?. Records Management University. https://www.recordsmgmt.org/questions/how-long-does-hipaa-require-keeping-patient-medical-records-vs-state-laws/
MLA
RM University Editorial. "How long does HIPAA require healthcare providers to keep patient medical records, and is that different from state retention laws?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-does-hipaa-require-keeping-patient-medical-records-vs-state-laws/.
Related questions
- Can a company be fined for keeping records longer than the law requires?
- Can any manager authorize destroying records, or does it have to be someone specific?
- Can deleting emails too soon be considered illegal spoliation of evidence?
- Can different copies of the same document have different retention periods?
- Can GDPR storage limitation requirements force you to delete records you are legally required to keep elsewhere?