How Long Must a Doctor’s Office Keep Medical Records? The Attorney’s Guide To Record Retention

How Long Must a Doctor’s Office Keep Medical Records?

Are you an attorney wondering how long a doctor’s office must keep medical records? 

Accessing, transferring, and using these documents quickly is essential for winning cases, but knowing where to start can be a real headache. Attorneys often ask us questions like “How long must a doctor’s office keep medical records?” and “How long will record retrieval take?”

Understanding the legal obligations and guidelines surrounding medical record retention can help you better advise your clients and collect necessary information on time.


Understanding Medical Record Retention: The Basics

Medical record retention and destruction policies dictate how custodians (like physicians, hospitals, and digital record keepers) can manage protected health information (PHI). Medical record retention standards reinforce HIPAA compliance and protect sensitive data from bad actors who might exploit information for personal gain.

State laws provide the authority to regulate and enforce medical record retention and destruction. However, it is primarily up to individual healthcare organizations to establish and deploy policies compliant with these expectations.

How Long Must a Doctor’s Office Keep Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) outlines privacy and security regulations for healthcare providers. They must comply with these guidelines to avoid major fines and other operation-inhibiting penalties. Despite the comprehensive nature of this bill, it does not mention any rules regarding record retention duration.


However, HIPAA does provide information on record destruction. Custodians must destroy sensitive documents to prevent anyone else from accessing, reading, or reconstructing the contents. These destruction policies ensure that PHI does not fall into the wrong hands after the retention period.

In 2017, Affinity Health Plan, Inc. settled with the Department of Health and Human Services after several HIPAA-related destruction violations came to light. The company allegedly disclosed the private information of over 344,000 individuals when it released photocopies of medical documents to a leasing agent without adequately erasing the contents. The violation cost the company over $1.2 million, discouraging other healthcare providers from making the same mistakes. 

Medical Retention Rules

HIPAA dictates that a healthcare provider (or authorized custodian) must ensure access to a patient’s Designated Record Set for at least six years from their last effective date.

All policies, privacy practice notices, disposition of complaints, and other designations that relate to the Privacy Rule must also be accessible for up to six years from the date of their creation or effect, whichever comes later.

HIPAA also requires covered entities and business associates to implement best practices, whether technical, administrative, or physical, that protect the privacy of PHI. These rules extend to the disposal of medical records once the state-mandated retention period expires.

Document Destruction Rules

How long must a doctor’s office keep medical records before they dispose of them? HIPAA goes to extra lengths outlining requirements for medical record destruction.

Here are some key elements of the record destruction process:

  • Custodians must physically destroy paper documents using methods like shredding that prevent unauthorized viewers from reconstructing them.
  • Healthcare providers should overwrite the internal memory of fax machines, printers, or other devices that may contain sensitive PHI after deleting it.
  • HIPAA dictates that a healthcare provider should take reasonable steps to completely destroy stored media in electronic or physical devices. This guideline discourages individuals from simply throwing documents away in dumpsters, which an unauthorized viewer may sift through later.

How Long Must a Doctor’s Office Keep Medical Records After Death?

You may need to request a deceased person’s documents for your case. Consequently, you may wonder, “How long do doctors keep medical records after death?” As the state-by-state breakdown below shows, some states specify this in their codified healthcare procedures, but there is no universal standard.

Generally, you should expect most healthcare custodians to retain records for at least three to five years after death. Still, it’s best to ask your custodian directly to ensure clarity and a timely investigative process. This method helps you avoid surprise denials from organizations that may destroy patient records immediately after death.

How Long Does the Average Record Release Request Take To Complete?

The average record request can take several days or weeks to complete, depending on the records you need and the state you’re in.

HIPAA requires healthcare providers to respond to all record requests within 30 days. In some states, the required turnaround time is as short as 15 days.

According to HIPAA, healthcare providers may extend their turnaround time deadline by an additional 30 days if they provide a written reason for the delay with an anticipated delivery date. Potential reasons for delays may include:

  • Archived records that require additional efforts to pull,
  • Off-site records that cannot be readily accessed,
  • Overwhelming request volumes that require additional time to catch up.


Why Do Doctors Have Medical Document Retention Policies?

It may be tempting to ask, “How long must a doctor’s office keep medical records, and why can’t they hold them forever?” without knowing why these retention policies are in place. Hospitals implement these standards for several practical reasons.

While indefinitely retaining documents can benefit patients and attorneys, it can create significant clutter for the custodian. On the other hand, destroying PHI too soon could create confusion during the treatment process and have legal implications for the facility.

Record retention policies comply with federal and state laws, contributing to a healthcare service’s efficiency, effectiveness, and organization. Let’s explore some of the reasons why hospitals prioritize these policies in more detail:

Cost Efficiency

Record retention rules help healthcare providers save money on storage costs and upkeep. By creating a retention calendar, they can optimize their physical and digital spaces and plan around their specific record volume.

Additionally, routinely reviewing and destroying unneeded records allows healthcare workers to free up space for active patients. Reducing physical and electronic storage space minimizes overhead costs and resources spent on document management.

Many healthcare organizations are investing in modern EHR technology (and compliant release of information solutions to boost EHR interoperability) to extend record retention durations and provide maximum storage for hundreds of patients. As space becomes less limited and regulations continue to evolve, attorneys may be able to request older documents that some providers might otherwise destroy.

Decision Making

Medical records serve as a rich data source, aiding in decision-making processes. Physicians and healthcare professionals use past medical records to inform treatment plans, while administrators use them for resource allocation or process improvement initiatives.

Record retention also helps healthcare organizations improve new policies and plans by allowing employees to access and review old records.

For example, suppose a physician wants to adjust their public relations policy or marketing tactics. In this case, they would need to assess customer insights and patient needs from previous years.

It can be easy to forget that protected health information benefits both the patient and the custodian. Hence, keeping records longer than the minimum duration is standard for many organizations.

Compliance

As mentioned, federal and state laws oblige hospitals to retain medical records for a certain period. Failure to adhere to these regulatory guidelines can result in hefty fines, penalties, or other legal consequences.

We will outline each state and territory’s record retention requirements in a later section, but for now, understand that these policies are essential for protecting patient safety, reputation, and identity. Adhering to record retention guidelines is also practical for tax purposes and medical chart audits. 

Compliance laws change from time to time. A healthcare provider may update their retention policies frequently based on ever-evolving government and patient expectations. Keeping up with your state’s local laws can give you an idea of what to expect when collecting data for your case.

Access Control

How long must a doctor’s office keep medical records to ensure quality access control?

In most cases, many individuals gain or lose authorization before a document reaches its minimum retention period. Consequently, healthcare providers must use caution when training staff or transferring records to third-party professionals.

Hospitals ensure that only authorized personnel can access patient records by having a well-defined record retention policy.

Rights to access play an essential role in a healthcare provider’s record retention policy. Here are some of the individuals that may have access to PHI:

  • Patients: Patients have the right to access, view, and use their medical records when they see fit. Blocking access to documents can lead to HIPAA complaints and investigations. Patients can request their information for various reasons, including evidence in lawsuits.
  • Attorneys: As an attorney, you can represent your client during the release of information (ROI) process. You may inquire about specific records, ask for HIPAA-compliant disclosures, and use PHI to build a case on behalf of the patient.
  • Authorized Healthcare Employees: Record retrieval specialists and staff curate and protect patient data year-round. They generally have weeks of physical and digital storage training, demonstrating a comprehensive understanding of HIPAA laws and regulations.
  • Legal Guardians: Parents and legal guardians can access their children’s medical records until their children turn 18. This standard varies depending on the state in which you live.
  • Insurance Companies: Insurance companies can request medical information under some circumstances. As an attorney, you are responsible for communicating with payors to ensure the safe and steady flow of medical data when needed.
  • The Government: Sometimes, the state or federal government may have the authorization to access individual patients’ medical data. For example, the Occupational Safety and Health Administration (OSHA) may become involved after a workplace accident.

Protection of Documents

How long must a doctor’s office keep medical records for maximum protection?

Retention policies ensure the preservation and protection of important documents. Healthcare employees securely store and monitor records considered vital to the hospital’s operation or those required for future legal scenarios.

Most facilities stack their records in large boxes behind a lock and key. An effective retention policy helps eliminate this wasteful behavior. Hospitals with effective record retention policies cover both physical and digital data — providing nuanced procedures for both mediums. 

Healthcare IT specialists also routinely update EHR software and technology to prevent unnecessary data loss during power outages or natural disasters. 

Physicians who must store paper records on-site usually invest in weatherproof cabinets and other measures to protect PHI.

Location Convenience

Having a streamlined record retention policy also aids with location convenience. When you or a healthcare worker needs to access a record, knowing its precise location saves time and streamlines the retrieval process.

Suppose your client’s records are sitting in a room off-site from the hospital, and the only person with a key is somewhere else. Finding and accessing the documents quickly can be difficult, delaying your client’s case and frustrating the court.

A document retention policy will also help organize records according to specific parameters. Custodians can arrange them based on importance, medium, sector (client, customers, investors), or filing date.

Decluttering

Have you ever walked into a record room to see piles of boxes bursting with papers? Cluttered spaces are a common problem for medium and small medical facilities.

Destruction policies help healthcare employees organize their storage spaces over time. Keeping only necessary records makes the system more manageable and leads to more efficient data retrieval.

Cleaner storage space also helps record staff retrieve data quickly and monitor secure spaces more efficiently. 

How Do Most Hospitals Store Patient Records?

In the modern age, it is common for most healthcare providers to accept both physical and digital patient medical records. Digitizing information speeds up record retrieval and provides more on-site space for PHI.

Let’s explore each of these mediums to determine which request of information may be suitable for your case investigation:

Physical Copies

Hospitals and other medical facilities traditionally keep paper records in secure file bins. Today, more and more healthcare organizations are digitizing these records to avoid some of the problems associated with physical record keeping. Here are some of the reasons paper records may not be available during your request:

  1. Storage Space: As mentioned above, keeping paper records takes up space. Hospitals may suffer from disorganization, exponentially slowing the retrieval process as physicians treat more patients.
  2. Security: Monitoring and maintaining paper records becomes more challenging as they pile up. Organizations that still practice physical record keeping must hire additional security and invest in effective locks and cameras, among other things.
  3. Risks of Damage: Fire, water stains, pest activity, and paper deterioration can all cause irreversible damage to a physical record. Healthcare organizations may switch to digital to maintain proper compliance and avoid mishaps that prevent you or your client from accessing vital records.
  4. Transportation: Many healthcare organizations do not have the time or workforce necessary to safely transport physical records in and out of storage. This problem could lead to accidental disclosure, loss, or other issues leading to legal violations during the record retrieval process.
  5. Searchability Concerns: Sifting through paper documents can be time-consuming and prevent you from getting the records you need within deadlines. Many physicians move to digitization to reduce retrieval delays and free up staff.
  6. Material Cost: Paper and ink will add up over time. Printing copies for attorneys and patients can add another layer of monitoring and compliance concerns.
  7. Duplication Problems: Few healthcare organizations make physical copies to “back up” original documents. Consequently, lost papers may result in right-to-access violations and prevent you from getting the information needed to support your client’s case.

Digital Copies

The move toward digital record keeping helps healthcare employees comply with HIPAA rules and regulations, providing a pathway toward secure retention and destruction. Here are some of the advantages of requesting digital records for your case:

  • Healthcare providers can share and collaborate with you efficiently, improving request turnaround times.
  • All parties involved in the record release process can enjoy increased security and encryption features with modern ROI technology.
  • Custodians can back up digital records to protect against data loss, ensuring that you receive all the information you need for your case.
  • Digital ROI technology offers scalability, so a custodian will always be able to address your questions and concerns throughout the data retrieval process.
  • You can access more information without needing to schedule expensive transportation or storage services.

How Long Must a Doctor’s Office Keep Medical Records State-by-State

You may wonder, “How long must a doctor’s office keep medical records in my state?” Every state implements different rules on retention duration and destruction. Find your state below for a detailed breakdown of minimum medical record retention periods for documents held by physicians and facilities.

Last Updated: March 2026

Alabama

Alabama physicians must retain records for at least seven years from the last professional contact. For minors, physician records must be kept until at least two years after the age of majority or seven years from the last professional contact, whichever is longer.

Alaska

Alaska hospitals must retain adult patient records for at least seven years after discharge. For patients who were under 19 at discharge, hospital records must be kept until at least two years after the patient reaches age 19 or seven years after discharge, whichever is longer.

Arizona

Arizona providers must retain records for at least six years from the last date of service. For minors, records must be kept until age 21 or six years from the last service date, whichever is longer.

Arkansas

Arkansas hospital rules require medical records to be retained for at least 10 years after the last discharge.

California

California physicians must maintain medical records for at least seven years after the last date of service.

Colorado

Colorado hospital and facility rules require patient records to be preserved for 10 years after the most recent patient care usage of the medical record. For minors, records generally must be kept during the period of minority plus 10 years, or 10 years after the most recent patient usage, whichever is later.

Connecticut

Connecticut providers covered by the Public Health Code Medical Records Regulations must retain medical records for at least seven years from the last date of treatment, or for three years after the patient’s death. If a malpractice, unprofessional conduct, or negligence claim has been made, the records must be retained until the matter is resolved.

Delaware

Delaware physicians must maintain patient records for at least seven years from the last entry date in the patient’s medical record when a patient leaves care for seven years without requesting a transfer. This law also allows unclaimed records to be permanently disposed of seven years after a physician discontinues practice, leaves the state, terminates the patient relationship, dies, or after a custodian is appointed, depending on the circumstance.

District of Columbia (D.C.)

District of Columbia physicians must keep records for at least three years after the last visit, or three years after a minor patient turns 18.

Florida

Florida physicians must retain patient records for at least five years from the last patient contact. Separate facility rules may impose different hospital retention periods.

Georgia

Georgia physicians must maintain complete treatment records for at least 10 years from the patient’s last office visit. Hospitals must retain medical records until at least the fifth anniversary of discharge, and for minors at least five years after the age of majority.

Hawaii

Hawaii health care providers must retain medical records for at least seven years after the last data entry. For minors, records must be retained during minority plus seven years after the patient reaches the age of majority. Even after a full record is destroyed, the provider or successor must preserve basic information from the record for 25 years after the last entry.

Idaho

Idaho law permits certain hospital record categories to be destroyed only after specific retention periods. Under Idaho Code § 39-1394, clinical laboratory test records and reports may be destroyed five years after the date of the test, and x-ray films may be destroyed five years after exposure or five years after the patient reaches the age of majority, whichever is later.

Illinois

Illinois hospital rules require patient records to be retained for at least 10 years from creation. For minors, records must be kept until age 23 or 10 years, whichever is later.

Indiana

Indiana providers must retain original health records or microfilms for at least seven years. This state’s law separately requires providers to keep x-ray films for at least five years, and original mammogram films and reports for at least five years, or 10 years if no additional mammograms are performed.

Iowa

Iowa physicians must retain medical records for at least seven years from the last date of service. For minor patients, retention is tied to Iowa Code section 614.8 through the same Board rule. Iowa’s physician rule also requires a records custodian arrangement when a physician closes a practice, dies, or becomes incapacitated.

Kansas

Kansas physicians must maintain patient records for a minimum of 10 years from the date the licensee provided the professional service recorded. Hospitals must keep each medical record on file for 10 years after the date of last discharge, or one year beyond the date a minor patient reaches the age of majority, whichever is longer.

Kentucky

Kentucky hospital regulations require medical records to be retained for at least six years from discharge, or if the patient is a minor, three years after the patient reaches the age of majority, whichever is longer. Other Kentucky facility rules, including for freestanding or mobile technology units, use the same six-years-or-three-years-after-majority framework.

Louisiana

Louisiana physicians must retain medical and dental records for at least six years from the date the patient is last treated. Hospitals must retain hospital records for a minimum of 10 years from the date the patient is discharged.

Maine

Maine hospital licensing rules require records to be retained for seven years, and for minors at least six years after reaching the age of majority.

Maryland

Maryland providers may not destroy adult patient records until at least seven years after the record or report was made. For minors, records generally must be retained until the patient reaches the age of majority plus seven years, unless a lawful transfer or notice process is used.

Massachusetts

Massachusetts physicians must retain adult patient records for at least seven years from the last encounter. If the patient was a minor on the date of the last encounter, the record must be kept for at least seven years from the last encounter or until the patient reaches age 18, whichever is longer.

Michigan

Michigan health facilities and agencies must retain records for at least seven years from the date of service. If the patient was less than 18 years old on the date of service, records generally must be kept until the patient’s 19th birthday or for at least seven years from the date of service, whichever is longer. Michigan law also requires 15 years for records described in the statute’s sexual-assault treatment provision.

Minnesota

Minnesota hospital statutes require hospitals to retain medical records for at least seven years. For minors, hospital records must be kept for seven years or until the patient reaches the age of majority, whichever occurs last.

Mississippi

Mississippi hospitals and physicians generally must retain adult patient records for at least 10 years. Minor records and records involving disability or death may have longer or different retention periods under the governing rule.

Missouri

Missouri physicians and hospitals generally must retain records for at least seven years.

Montana

Montana health care facilities other than hospitals must retain records for at least six years following discharge or death, or upon the closure of the facility. Hospitals must retain a patient’s entire medical record for at least 10 years following discharge or death, and for minors at least 10 years after the patient reaches majority or dies, if earlier.

Nebraska

Nebraska public hospital records must be retained for 10 years after the patient is discharged or expires, or three years after a minor patient reaches age 19, whichever is later.

Nevada

Nevada healthcare records generally must be retained for at least five years after their receipt or production. Records for patients who are less than 23 years old may not be destroyed under the same rule.

New Hampshire

New Hampshire physicians must retain a complete copy of patient medical records for at least seven years from the date of the patient’s last contact with the licensee. Hospitals must retain records for seven years after discharge, and for minor patients until at least one year after reaching age 18, but never less than seven years after discharge.

New Jersey

Physicians in New Jersey must retain treatment records for seven years from the date of the most recent entry.

New Mexico

New Mexico physicians must retain medical records they own for at least 10 years after the date of last treatment. Medical records for minor patients must be kept until the patient reaches age 21 under the physician rule. Hospital rules require a written preservation policy with a retention period of 10 years following the patient’s last treatment date, and for minors until the age of majority plus one year.

New York

New York physicians must retain patient records for at least six years, and records of minor patients for at least six years and until one year after the patient reaches age 21. Hospitals must retain patient records for at least six years from discharge, and children’s records for at least six years or until age 21, whichever is later.

North Carolina

North Carolina hospitals must retain adult medical records for at least 11 years following discharge. They must retain minor records until the patient’s 30th birthday.

North Dakota

North Dakota licensees must retain medical records for at least seven years from the last date of service. Beginning January 1, 2024, the rule also requires a designated representative or entity to ensure records obligations are met if the licensee dies or becomes incapacitated.

Ohio

Ohio healthcare facilities must retain medical records for at least six years from discharge.

Oklahoma

Oklahoma physician practices must retain medical records for at least five years beyond the date the patient was last seen, or three years beyond the patient’s death. For minors, records must be retained for three years past the age of majority.

Oregon

Oregon Medical Board guidance advises licensees to keep patient records for a minimum of 10 years after the patient’s last contact with the licensee.

Pennsylvania

Pennsylvania physicians must retain medical records for at least seven years from the date of the last medical service for which a medical record entry is required. For minor patients, physician records must be retained until one year after the patient reaches majority. Pennsylvania facilities covered by the cited facility rule must keep records for at least seven years following discharge, and for minors until majority and then for seven years or as long as adult records are maintained.

Rhode Island

Rhode Island providers must store patients’ medical records for at least seven years after the most recent patient encounter, regardless of whether the patient is alive or dead.

South Carolina

South Carolina physicians must retain records for at least 10 years for adult patients and 13 years for minors, measured from the last date of treatment. Hospital regulations say records may not be disposed of before 10 years, and minors’ records must be retained until after the period of election following majority expires.

South Dakota

South Dakota facilities must retain medical records for at least 10 years from the actual visit date of service or patient care. For minors, records must be kept until the patient reaches the age of majority plus an additional two years, but never less than 10 years from the actual visit date of service or patient care.

Tennessee

Tennessee physicians must retain medical records for at least 10 years from the physician’s or supervisees’ last professional contact with the patient. For minors, physician records must be kept until at least one year after majority or 10 years from last professional contact, whichever is longer. Tennessee hospitals must retain records for at least 10 years following discharge or death during treatment, and for minors the period of minority plus one year or 10 years, whichever is longer.

Texas

Texas physicians must retain medical records for at least seven years from the date of last treatment. Hospitals may not authorize destruction until at least 10 years after the patient was last treated in the hospital, or for minors until age 20 or 10 years, whichever is later.

Utah

Utah hospital rules require medical records to be kept for at least seven years, and minors’ records until age 18 plus four years, but never less than seven years.

Vermont

Vermont treats failing to retain client records for seven years as unprofessional conduct unless a profession-specific law allows a shorter period. Longer retention periods still control when another law or agency rule requires more.

Virginia

Virginia practitioners must retain records for at least six years following the last patient encounter.

Washington

Washington hospitals must retain medical records for at least 26 years from the date the record was created. The Washington Medical Commission guidance recommends that practitioners retain adult records for at least 10 years from the last patient contact, minor records until age 21, and decedent records for six years after death.

West Virginia

West Virginia Board of Medicine guidance recommends that licensees retain records for at least 10 years after the last entry into the record or the last date of service, whichever is later.

Wisconsin

Wisconsin providers must retain treatment records for at least seven years after treatment is completed. For minors, records must be kept until at least age 19 or seven years, whichever is longer.

Wyoming

Wyoming hospital rules require hospitals to maintain medical records in accordance with the legally approved retention schedules for publicly funded hospitals established by the Wyoming State Archives and the State Records Committee.

ChartRequest Can Simplify Your Record Requests With Modern ROI Software and Services

Are you ready to simplify your record retrieval process with a team you can trust?

At ChartRequest, we help attorneys across the country save time and reduce data retrieval costs. Our experts work hard to get the needed data by regularly reminding providers about your requests and following escalation protocols if they don’t respond quickly.

Discover how CaseBinder automates record retrieval at a lower cost, or set up a brief personalized call to learn more.

Frequently Asked Questions

How long must a doctor’s office keep medical records?

There is no single nationwide timeline for every office and record type. Retention periods often depend on state law, provider type, patient age, and whether special categories of records are involved.

Do retention rules differ for adult and minor records?

Yes. Records for minors are often kept longer because the retention period may run from the age of majority or another state-specific trigger rather than from the last treatment date alone.

Are physicians and hospitals subject to the same retention rules?

Not always. State laws and licensing rules may set different standards for hospitals, private practices, ambulatory providers, or specialty settings.

What happens after the retention period ends?

Organizations may destroy records if they are no longer required to keep them, but destruction should follow a secure, documented policy. Practices should also be ready to explain how long records are maintained and how requests are handled.

How can practices manage record-retention compliance across states?

Use a state-by-state retention matrix, review policy updates regularly, and separate rules by entity type and patient category. This reduces the risk of destroying records too soon or keeping them inconsistently.
