Medical Record Retention and Destruction

Requesting medical records is a complicated process, and requesting old records can be especially frustrating. It‘s frustrating to submit a request and wait weeks for a response, only to hear that the records are unavailable. This is especially true when discarded records are relevant to current treatment. 

Healthcare providers must retain medical records by law, but they don’t have to keep them forever. Before requesting old medical records, call the healthcare facility to find out about their medical record retention policy. Some healthcare providers keep or archive old medical records. In this case, they can still retrieve the records beyond the required timeframe, so it’s also worth checking.

Why Should Medical Records be Kept?

Regardless of the state and federal laws that regulate how long healthcare providers are required to keep medical records, maintaining patient information is wise. A thorough record of previous treatment and test results is a powerful tool for providing the best care possible. The short-term benefits of keeping records are obvious, but why do they need to be kept so long?

Consider a a patient being treated for a genetic issue. Over the course of treatment, the healthcare provider logs what does and does not help improve their condition. In 20 years, if there’s a recurrence, physicians can review the information and provide the correct treatment sooner. This information may also help if the patient’s child has the same issue.

Another example of when long-term medical record retention can help save lives is when the patient has a chronic condition or a disease that’s in remission. According to the National Cancer Institute, a patient who shows no signs or symptoms of cancer for five years is considered cured. Despite this, the Rogel Cancer Center claims that “Certain hormone-sensitive breast cancers can show up 20 years later as a spread cancer.”

Healthcare providers who maintain records long-term offers their patients a better chance of survival. It will be easier for the provider to diagnose the issue, the patient’s tests will have a precedent for comparison, and they can avoid treatments that cause negative reactions. 

Request your medical records today!

Back to the Table of Contents.

How Long must Medical Records be Kept?

Despite the benefits to maintaining medical records after they can legally be shredded and/or deleted, many healthcare providers decide against keeping them beyond this point. HIPAA requires healthcare providers to keep most records for at least 6 years. Many states implemented their own minimum time requirements for keeping records, generally requiring they be kept longer.

Until the Supreme Court case Cochise Consultancy, Inc. v. United States ex rel. Hunt in 2019, most healthcare professionals without state guidelines abided by the six-year statute of limitations for claims submitted to the FCA (False Claims Act). Now, experts suggest keeping all medical records for at least 10 years to protect against liability for such claims. 

Failure to maintain medical records for the required time can lead to significant penalties. If a patient requests records that the healthcare provider deleted early, the provider will be penalized for HIPAA noncompliance. 

In the case of medical malpractice, failure to produce records will more than likely eliminate the physician’s credibility. As such, keeping medical records longer is not a waste of storage space. Now that providers can keep records digitally, this is especially true. In order to serve the communities that depend on them, healthcare providers must protect themselves from liabilities that can cost their license.

Additionally, just like how some types of medical records have unique release guidelines, some types of medical records need to be kept longer. Healthcare providers may keep records of pneumonia treatment for about 10 years, cancer records for 30 years (or 8 years after patient death), and vaccination records permanently. 

Back to the Table of Contents.

Safely Destroying Old Medical Records

Simply deleting electronic medical record files from a computer is not enough to protect sensitive patient information from hackers. Have you accidentally deleted important files or folders and brought the hard drive to a specialist? Was the specialist able to recover them? If yes, this is because, when you delete a computer file, the data doesn’t just vanish. 

When you save a file, the computer writes the file’s code onto a hard drive and leaves directions for the computer. If you delete the file, the computer simply deletes these directions and allows the information to be overwritten. This process is significantly quicker than removing the data for each deleted file. As long as the provider uses the hard drive frequently, it’s also fairly safe. 

If the computer As such, computers that hold medical records need special care. There are a few options for safely deleting files and preparing hard drives for disposal. 

  • Use a file shredder program that will write over the deleted code’s space as files are deleted. This is an easy way to make sure sensitive files aren’t recovered, but additional care must be taken when choosing the files for deletion for that same reason. If you accidentally shred the wrong file, there’s no getting it back.
  • Use a drive wiper like CCleaner to regularly write over the computer’s available hard drive space. This gives the user more time to recover accidentally-deleted files than a shredding program without sacrificing security. 
  • Completely wipe your disc if the hard drive needs to be cleared for resale or disposal. Disk-wiping programs like Darik’s Boot and Nuke (DBAN) will erase everything on the hard drive. DBAN even wipes the operating system, so you should backup important files before this program is run.

Back to the Table of Contents.

Keep your own Medical Records


The best way to make sure yo
u have your medical records when you need them is to create a personal health record. The process of requesting your own medical records can be complicated, especially for somebody without prior experience.

Each individual request can take hours, however, including filling out authorization forms, finding and verifying the facility’s contact information, and calling for status updates about the request. Then it can still take up to 30 days to get the records, or 60 with a written notice.  

With ChartRequest, submitting a medical records request takes just minutes. Checking the status of an existing request takes just seconds once signed into the platform. You can send any additional questions via the provider chat built-in to each request. The best part? No phone calls are necessary throughout the entire process. 

Whether you’re a patient, a healthcare provider, or a law or insurance professional, ChartRequest has options specialized to best suit your release of information needs. Create your account today.

Back to the Table of Contents.