How long does HIPAA require medical practices to keep patient records after the last visit?
The short answer: HIPAA does not set a retention period for medical records
This is one of the most common misconceptions in healthcare recordkeeping. The HIPAA Privacy Rule does not specify how long a medical practice must keep a patient’s clinical record after the last visit. There is no federal “HIPAA number” — no required six years, seven years, or ten years for the chart itself.
What HIPAA actually requires is something narrower. Covered entities must retain their HIPAA compliance documentation — privacy policies, notices of privacy practices, authorizations, risk assessments, and similar records — for a set minimum period (commonly cited as six years from creation or from when the document was last in effect). That obligation applies to the administrative paperwork that proves compliance, not to the patient’s diagnostic and treatment record.
So what determines how long patient records are kept?
Retention of the actual medical record is generally driven by:
- State law. Each state sets its own minimum retention periods for medical records, and these vary widely. Many require several years after the last patient encounter; some extend longer for minors (often until a defined number of years past the age of majority).
- Other federal programs. Conditions of participation for Medicare and Medicaid, and other federal rules, can impose their own retention minimums for providers who bill those programs.
- Professional and accreditation standards. Licensing boards and accrediting bodies may set expectations.
- Litigation and liability exposure. Malpractice statutes of limitations frequently influence how long prudent practices keep records.
Practical guidance
Treat HIPAA as the floor for compliance documentation, and treat the strictest applicable requirement as the rule for the clinical record. A defensible approach is to build a retention schedule that maps each record type to its longest binding obligation, document the legal basis, and apply consistent, documented disposition when the period ends.
Because requirements differ by state and program, verify the specific periods with current state statutes and your legal or compliance counsel rather than relying on a single national figure. For broader context on retention scheduling principles, see our fundamentals topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ARMA International — ARMA International
How to cite this page
APA
RM University Editorial. (2026). How long does HIPAA require medical practices to keep patient records after the last visit?. Records Management University. https://www.recordsmgmt.org/questions/how-long-hipaa-require-keeping-patient-records-after-last-visit/
MLA
RM University Editorial. "How long does HIPAA require medical practices to keep patient records after the last visit?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-hipaa-require-keeping-patient-records-after-last-visit/.
Related questions
- An employee left and had work records saved only on their personal phone or laptop — how do we recover them?
- Are the outputs of generative AI tools like ChatGPT and Copilot considered records that have to be retained?
- Can a company use a single global retention schedule across multiple countries or do different national laws force separate ones?
- Can an employee be personally fined or fired for deleting records they were supposed to keep?
- Can blockchain make records tamper-proof, and does an immutable ledger satisfy recordkeeping and retention requirements?