As this year comes to a close, it may be time for some practices to review which medical records can be archived. I have been asked several times over the years what the “difference” is between HIPAA retention rules and medical record retention requirements. Many organizations think these have the same requirements, and they do not!

HIPAA documentation retention:

HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or the date they were last in effect, whichever is later. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.

Here are examples of the documentation covered under HIPAA:

· Audit logs of access to ePHI
· Business associate agreements
· Contingency plans
· Employee sanction policy and documentation
· Notice of Privacy Practices
· Patient authorizations (unless included in their medical record)
· Patient complaints and resolutions
· Privacy policies (patient access, amendments, and authorizations)
· Security incident reports and breach notification documentation
· Security policies (administrative, physical, and technical)
· IT reports that include updates and device status


Medical record retention requirements:

Most people think HIPAA controls the medical record retention requirements, and it does not. HIPAA is a federal law, and each state has its own set of medical record retention requirements. State retention requirements can vary depending on the type of records and the patient they belong to.

Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.

Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.

Medicare managed care program providers must also retain their records for 10 years.

Some states require pediatric practices to retain records until the patient reaches the age of 23.

North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and the records of patients who are minors must be retained until the patient is 30 years of age.

It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.

As you can see, there are many variables. To review requirements, click here:


Keeping patient records organized, with their key dates recorded, makes it much easier to purge records when the time comes. It also keeps you from holding unnecessary records that would become a liability should you suffer a data breach.
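To make the "longest applicable rule wins" point concrete, here is a small retention-date calculator in Python. It is an example added here, not the author's or any practice's own code. The year and age figures are the ones quoted in this post; the rule names, the sample record inventory, and the use of 18 as the age of majority for the North Carolina minor rule are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


HIPAA_DOC_YEARS = 6  # privacy/security policies, procedures and documentation


def hipaa_doc_retain_until(created: date, last_in_effect: Optional[date] = None) -> date:
    """HIPAA documentation: 6 years from creation or from the date the item
    was last in effect, whichever is later (the post's 3 + 6 = 9 year case)."""
    anchor = max(created, last_in_effect) if last_in_effect else created
    return add_years(anchor, HIPAA_DOC_YEARS)


AGE_OF_MAJORITY = 18  # assumption for the example; the post does not define "minor"

# A rule maps (date of birth, last visit or discharge date) to the earliest purge date.
RetentionRule = Callable[[date, date], date]


def years_after_last_visit(n: int) -> RetentionRule:
    return lambda dob, last_visit: add_years(last_visit, n)


def until_age(age: int) -> RetentionRule:
    return lambda dob, last_visit: add_years(dob, age)


def north_carolina(dob: date, last_visit: date) -> date:
    """11 years from discharge; a minor's record is also held until age 30."""
    until = add_years(last_visit, 11)
    if last_visit < add_years(dob, AGE_OF_MAJORITY):
        until = max(until, add_years(dob, 30))
    return until


# Periods quoted in the post; the rule names are this example's own labels.
RULES: dict[str, RetentionRule] = {
    "fl_practice": years_after_last_visit(5),
    "fl_hospital": years_after_last_visit(7),
    "false_claims_act": years_after_last_visit(7),
    "medicare_managed_care": years_after_last_visit(10),
    "pediatric_until_23": until_age(23),
    "north_carolina": north_carolina,
}


@dataclass
class PatientRecord:
    record_id: str
    dob: date
    last_visit: date      # last visit or discharge date
    rules: list           # names of the rules that apply to this record


def record_retain_until(rec: PatientRecord) -> date:
    """The longest applicable period wins: purge only after every rule has expired."""
    return max(RULES[name](rec.dob, rec.last_visit) for name in rec.rules)


def purge_candidates(inventory: list, today: date) -> list:
    """Record ids whose retention period has fully elapsed as of `today`."""
    return [r.record_id for r in inventory if record_retain_until(r) <= today]


# Constructed sample inventory (not real patients).
INVENTORY = [
    PatientRecord("A-1", date(1970, 5, 2), date(2016, 3, 10), ["fl_practice", "false_claims_act"]),
    PatientRecord("A-2", date(2005, 8, 15), date(2012, 6, 1), ["fl_practice", "pediatric_until_23"]),
    PatientRecord("A-3", date(1990, 1, 20), date(2014, 9, 30), ["fl_practice", "medicare_managed_care"]),
    PatientRecord("A-4", date(2000, 2, 29), date(2010, 7, 1), ["north_carolina"]),
]

if __name__ == "__main__":
    print(hipaa_doc_retain_until(date(2015, 1, 1), date(2018, 1, 1)))  # 2024-01-01
    for rec in INVENTORY:
        print(rec.record_id, record_retain_until(rec))
    print(purge_candidates(INVENTORY, date(2023, 12, 1)))  # ['A-1']
```

Run against the constructed inventory as of this post's date (1 December 2023), only A-1 is purgeable: A-2 is still held by the pediatric age rule, A-3 by the Medicare 10-year rule, and A-4 by the North Carolina minor rule. The point of computing the maximum over every applicable rule is that a practice which checks only its own state's baseline will purge too early whenever a federal or age-based rule also applies.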

Keep up the good work and let us know if you need any help!

Friday, December 1, 2023
