The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to set forth national standards for electronic health care transactions. Subsequently, additional rules have been published under HIPAA which set further standards for the handling and safeguarding of protected health information (PHI). These rules protect an individual’s private health information from being revealed without permission or consent. Under HIPAA regulations, protected health information is any form of identifiable info related to a person’s health status, whether present, past, or future.

HIPAA records retention rules apply when a HIPAA-covered entity collects information concerning healthcare services or payment for health care services. Examples of HIPAA-covered entities include healthcare providers, health plans, healthcare clearinghouses, and various other businesses that use health information.

Under HIPAA, every provider and business that handles protected information must develop a policy for the retention and disposal of medical records. Entities that do not create and enforce a strong medical record retention and destruction policy put themselves at risk of compliance violations.

HIPAA Rules on Medical Records

HIPAA medical records retention rules exist to ensure healthcare providers are fully responsible for protecting sensitive patient information. HIPAA stipulates how long healthcare organizations should retain PHI, how to store it safely, and when to destroy it.

  1. Right to See Your Health Info
    You can look at and get a copy of your health details. This helps you know more about your health and make good choices.
  2. General Right to Look at Info
    If you ask, health plans and doctors must let you see your health info. You can also ask them to send this info to someone you choose.
  3. What Info Can You See?
    You can see records like doctor visits, bills, and other health details. But doctors don’t have to make new records just for you.
  4. Info You Can’t See
    Some details, like notes from a therapist or info for court cases, are private. You can’t see these.
  5. People Who Can See Info for You
    If someone helps you make health choices, they can also see your health info.
  6. How to Ask for Your Info
    Doctors might ask you to write down your request. They’ll check to make sure it’s you asking.
  7. Getting Your Info
    Doctors will give you the info how you want, like on paper or by email. If they can’t, they’ll find another way you both agree on.
  8. How Long Doctors Can Take
    Doctors have 30 days to give you the info. They can take 30 more days if they need more time but have to tell you why.
  9. Cost for Copies
    Doctors can charge a small fee for making copies of your info.
  10. When Doctors Can Say No
    Sometimes, doctors can say no to your request. For example, if it’s a private note or if it’s not safe. You can ask someone else to check if the doctor’s reason is okay.
  11. Sending Your Info to Someone Else
    You can tell your doctor to send your health info to another person you pick.

Patient medical records, diagnostic images, operative notes, lab test results, prescriptions, and treatment plans are examples of health information protected by the HIPAA act. But the act is not only about clinical information: a medical record containing identification numbers, gender, ethnicity, contact info, and birth dates is also subject to the retention and destruction policy.

Recently, there have been many data breaches and attacks targeted at health providers and insurers. These attacks make compliance with the act more vital than ever before.

HIPAA and State Retention Requirements

HIPAA protects an extensive range of medical records and PHI and specifies their designated retention time. HIPAA rules require that covered entities must maintain protected health information for six years after its date of creation or its last effective date, whichever is later.

HIPAA rules supersede any contradictory state laws governing the retention and destruction of health information. However, any state’s law that requires a retention period for medical records that is more stringent than HIPAA’s requirement remains in effect and supersedes the federal law.

For example, many states in the USA require the retention of medical records for seven years, so the state law applies in those cases. Most states also require that children’s medical records be handled differently: in most cases, state law requires the provider to retain a minor child’s records for a specified length of time after the child reaches the age of 18 or 21. It’s best to research the retention and destruction rules for medical records in your state.

Different Medical Records and Their Retention Periods

As stated before, HIPAA protections apply to many different types of PHI, including patient records, diagnostic images, prescription records, and billing records, and HIPAA requires that all protected health information be retained for a period of six years from its creation date or the date it was last effective, whichever is later.

There are a few cases where it is wise to hang on to medical records for a longer period of time. For a work-related injury, OSHA regulations state that medical records belonging to employees must be kept throughout employment plus 30 years. False Claims Act lawsuits can be brought for up to 10 years, so providers that handle Medicare and Medicaid would be wise to retain these records for at least this length of time.
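The retention rules described in the two preceding sections, worked through as an added example that is not part of the original article: it takes the six-year HIPAA baseline (from the later of the creation date and the last effective date), a stricter state minimum, the age-of-majority rule for minors, and the OSHA and False Claims Act extensions, and returns the latest of them as the earliest date on which the record may be destroyed. The `StatePolicy` and `Record` shapes, the hypothetical state values used in the comments, and the assumption that the minor rule applies when the patient was a minor on the record’s creation date are assumptions, not taken from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
HIPAA_RETENTION_YEARS = 6  # federal baseline stated in the article

def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class StatePolicy:
    """Assumed shape of a state rule; the numbers a caller supplies are hypothetical."""
    retention_years: int            # state minimum for adult records (e.g. 7)
    age_of_majority: int = 18       # 18 or 21 depending on the state
    years_after_majority: int = 0   # how long a minor's record is kept past majority

@dataclass
class Record:
    created: date
    last_effective: date
    patient_dob: Optional[date] = None
    employee_injury: bool = False            # OSHA: employment plus 30 years
    employment_end: Optional[date] = None
    federal_program_claim: bool = False      # Medicare/Medicaid: False Claims Act, 10 years

def earliest_destruction_date(rec: Record, state: Optional[StatePolicy] = None) -> date:
    """Latest of all applicable retention deadlines; the record must be kept until then."""
    anchor = max(rec.created, rec.last_effective)          # "whichever is later"
    deadlines = [add_years(anchor, HIPAA_RETENTION_YEARS)]
    if state is not None:
        deadlines.append(add_years(anchor, state.retention_years))
        if rec.patient_dob is not None:
            majority = add_years(rec.patient_dob, state.age_of_majority)
            if rec.created < majority:   # assumption: minor rule keys off the creation date
                deadlines.append(add_years(majority, state.years_after_majority))
    if rec.employee_injury and rec.employment_end is not None:
        deadlines.append(add_years(rec.employment_end, 30))
    if rec.federal_program_claim:
        deadlines.append(add_years(anchor, 10))
    return max(deadlines)

def destruction_iso(created: str, last_effective: str, state: Optional[StatePolicy] = None, **fields) -> str:
    """Convenience wrapper taking ISO-8601 date strings; optional date fields are parsed too."""
    for key in ("patient_dob", "employment_end"):
        if isinstance(fields.get(key), str):
            fields[key] = date.fromisoformat(fields[key])
    rec = Record(date.fromisoformat(created), date.fromisoformat(last_effective), **fields)
    return earliest_destruction_date(rec, state).isoformat()
```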

Many medical providers choose to be on the safe side when it comes to the retention of medical records, using the following guidelines:

  • Adult health records: 10 years after last use date
  • Health records for minors: Age of majority plus the applicable statute of limitations
  • Adult diagnostic images: Five years
  • Minors’ diagnostic images: Five years following the age of majority
  • Disease index: 10 years
  • Operative index: 10 years
  • Register of Death/Birth: Forever
  • Physician Index: 10 years

For more information on retention periods for medical records, providers may wish to consult the American Health Information Management Association.

Examples of Medical Record Types to Consider

  1. Patient History Records
  2. Physical Examination Records
  3. Laboratory Test Results
  4. Radiology Reports (e.g., X-rays, MRIs)
  5. Surgical Reports
  6. Medication and Prescription Records
  7. Immunization Records
  8. Allergy and Sensitivity Records
  9. Pathology Reports
  10. Consultation Notes
  11. Treatment Plans
  12. And more…

Common Ways to Store Medical Records

Many medical healthcare providers are pivoting from paper to digital record management. Even with the shift to digital, most providers still have substantial old paper documents to retain. Ensuring the confidential retention of these medical records is vital for compliance.

Thankfully, the secure retention of these medical records is possible with designated storage facilities. These facilities must be highly secure, yet you must be able to access the information stored there when necessary. Part of HIPAA requirements are that patients must be able to access their private health information on request.

HIPAA and States on Destruction

Like retention, the destruction of health information must comply with state and federal laws.

After the HIPAA records retention period has been satisfied, information may be safely disposed of through secure shredding. Some states require the healthcare service provider to produce an abstract that notifies patients their records have been destroyed and certifies the information is now unreadable.

Except where there are contravening state laws, the destruction of HIPAA records should ensure that reconstructing the information on them is not possible. HIPAA-covered entities also must keep a record of:

  • Destruction date
  • Destruction method
  • Inclusive dates
  • Description of destroyed medical information
  • Signatures of witnesses to the destruction

It’s highly recommended that healthcare organizations rely on third-party businesses to handle the retention and destruction of health information. If you destroy HIPAA records with this model, your contract with the third-party service provider must have the following:

  • Destruction method
  • Disposal method
  • Security against breaches
  • Indemnification for the third party
  • Liability insurance details

HIPAA Compliant Ways to Destroy Medical Records

Shredding Paper Records: Paper records containing PHI should be shredded or otherwise destroyed so that the information is unreadable, indecipherable, and impossible to reconstruct.

Locked Dumpsters for Bulk Destruction: When disposing of a large volume of PHI, it’s recommended to deposit the information in locked dumpsters that are only accessible by authorized individuals.

Professional Disposal Companies: For bulk destruction, maintaining PHI in a secure area until a professional disposal company removes and destroys it is advisable. Ensure to have a Business Associate Agreement with the entity responsible for the destruction.

Clearing and Purging Electronic Media: Electronic PHI (ePHI) stored on devices should be cleared and purged. Clearing overwrites the data so that it cannot be recovered with ordinary software tools; purging goes further and makes recovery infeasible even with laboratory techniques (the distinction used in NIST SP 800-88).

Physical Destruction of Electronic Media: Methods include disintegration, pulverization, melting, incinerating, or shredding of the electronic media.

Training: All workforce members involved in the destruction process, or those supervising others, must receive training on the PHI destruction policies and procedures.

State-Specific Rules: Some states have stricter medical records destruction rules than HIPAA. It’s essential to be aware of and comply with these state-specific regulations.

The correct method for the destruction of medical records depends on their format. Laserdiscs and microfilm must be pulverized; tapes must be demagnetized and DVDs cut into tiny pieces.

Because the bulk of private health information is still in paper form, off-site shredding via a third party like Armstrong Archives is ideal. The third party transports the documents in a locked container before they are shredded with industrial-grade shredding equipment.

Industrial shredders use the cross-cut shredding method to ensure the destruction meets HIPAA standards.

Below are answers to some common questions about the retention and destruction of health information:

Do Hospitals Destroy Medical Records?

Yes, hospitals destroy medical records. Rather than investing in all the needed equipment, most hospitals rely on third-party records management providers to destroy their medical records in a HIPAA-compliant manner.

What Happens to Medical Records and PHI After 10 years?

Federal law allows medical providers to destroy medical records after six years, but some states require a longer retention period. If the medical records pertain to a child, you may be required to retain them for more than 10 years. If you are not sure, it’s best to consult a HIPAA attorney or a records management company for more information.

What Happens to Medical Records When Doctors Retire?

The HIPAA act asks retiring physicians to assign a custodian to manage subsequent information releases for patients. The custodian handles patient requests for their records in the future. Another physician or a records storage facility can be the custodian for patient files when a physician retires.

Trust an Experienced Health Records Management Company

When it comes to the proper retention and destruction of health information, it is essential that you have the right partner who can help you maintain HIPAA compliance. Armstrong Archives has been working with physicians, hospitals, insurance companies, and other medical providers for decades. We can store your health information for as long as required, help you access it whenever necessary, and then perform secure destruction when the time is right. Contact us today!
