How long do hospitals have to keep patient medical records under HIPAA and state retention laws?
The short answer is that HIPAA does not set a retention period for the medical records themselves. Instead, retention is driven mostly by state law and by the type of record, with HIPAA adding a separate requirement for its own compliance documentation. Records professionals should treat this as a layered problem rather than a single number.
What HIPAA Actually Requires
A common misconception is that HIPAA dictates how long patient charts must be kept. It does not. The HIPAA Privacy Rule requires that HIPAA-related documentation — policies, procedures, notices, authorizations, and other compliance records — be retained for a defined minimum period (generally six years from creation or last effective date). That obligation covers the paperwork demonstrating compliance, not the clinical record of care.
The medical record itself is governed elsewhere.
Where the Real Retention Rules Come From
Several overlapping sources set the actual retention clock for patient records:
- State medical-records and licensing laws. These are the primary driver and vary widely, commonly ranging from roughly six to ten years after the last patient encounter, with longer periods often applied.
- Minors’ records. Many states extend retention until the patient reaches the age of majority plus additional years, so pediatric records are typically kept far longer than adult records.
- Federal program rules. Participation in programs such as Medicare and Medicaid carries its own documentation-retention conditions for covered providers.
- Other obligations. Litigation holds, professional standards, accreditation requirements, and payer contracts can all extend how long a record must be preserved.
When multiple rules apply, the longest applicable period controls.
Practical Guidance for Records Programs
Because the answer depends on jurisdiction and record type, hospitals should build a retention schedule rather than rely on a single rule of thumb:
- Map each record category to its governing authority and document the legal basis.
- Apply the longest controlling period and account for special cases like minors.
- Suspend destruction immediately when a litigation hold or audit arises.
- Reassess as state statutes and program rules change over time.
A defensible schedule, consistently applied and well documented, is the goal — not memorizing a single number. For broader context on building compliant retention programs, see the federal records topic hub.
Always confirm current requirements with your state’s specific statutes and legal counsel before finalizing a schedule.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ARMA International — ARMA International
How to cite this page
APA
RM University Editorial. (2026). How long do hospitals have to keep patient medical records under HIPAA and state retention laws?. Records Management University. https://www.recordsmgmt.org/questions/how-long-hospitals-keep-medical-records-hipaa-state-law/
MLA
RM University Editorial. "How long do hospitals have to keep patient medical records under HIPAA and state retention laws?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-hospitals-keep-medical-records-hipaa-state-law/.
Related questions
- Are records created by federal contractors considered federal records?
- Big-bucket vs item-level retention schedules: how do I decide which approach to use?
- Can a federal employee be personally fined or jailed for deleting government records?
- Can federal employees conduct official business on personal devices or apps?
- Can I delete old federal records to free up storage space when our shared drive gets full?