Retention and Destruction of Health Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to set forth national standards for electronic health care transactions.  Subsequently, additional rules have been published under HIPAA which set further standards for the handling and safeguarding of protected health information (PHI). These rules protect an individual’s private health information from being revealed without permission or consent.  Under HIPAA regulations, protected health information is any form of identifiable info related to a person’s health status, whether present, past, or future.

HIPAA records retention rules apply when a HIPAA-covered entity collects information concerning healthcare services or payment for health care services.  Examples of HIPAA-covered entities include healthcare providers, health plans, healthcare clearinghouses, and various other businesses that use health information.

Under HIPAA, every provider and business that handles protected information must develop a policy for retention and disposal of medical records.  Entities that do not create and enforce a strong medical record retention and destruction policy put themselves are risk for compliance violations.

HIPAA Rules on Medical Records

HIPAA medical records retention rules exist to ensure healthcare providers are fully responsible for protecting sensitive patient information. HIPAA stipulates how long healthcare organizations should retain PHI, how to store it safely, and when to destroy it.

Patient medical records, diagnostic images, operative notes, lab test results, prescriptions, and treatment plans are examples of health information that enjoy the protection of the HIPAA act.  But the act is not just about health information. A medical record with identification numbers, gender, ethnicity, contact info, and birth dates also has a retention and destruction policy.

Recently, there have been many data breaches and attacks targeted at health providers and insurers. These attacks are the reasons compliance with the act is more vital than ever before.

HIPAA and State Retention Requirements

HIPAA protects an extensive range of medical records and PHI and specifies their designated retention time. HIPAA rules require that covered entities must maintain protected health information for six years after its date of creation or its last effective date, whichever is later.

HIPAA rules supersede any contradictory state laws governing the retention and destruction of health information. However, any state’s law that requires a retention period for medical records that is more stringent than HIPAA’s requirement remains in effect and supersedes the federal law.

For example, many states in the USA require the retention of medical records for seven years so the state law would apply in these cases.  And, most states require that children’s medical records be handled differently. In most cases, state laws require the provider to retain a minor child’s records for a specified length of time after the child reaches the age of 18 or 21. It’s best to research the retention and destruction policy of medical records in your state.

Different Medical Records and Their Retention Periods

As stated before, HIPAA protections apply to many different types of PHI including patient records, diagnostic images, prescription records, billing records, etc. and requires that all protected health information be retained for a period of six years from its creation date or that date it was last effective, whichever is later.

There are a few cases where it is wise to hang on to medical records for a longer period of time.  For a work-related injury, OSHA regulations state that medical records belonging to employees must be kept throughout employment plus 30 years. False Claims Act lawsuits can be brought for up to 10 years, so providers that handles Medicare and Medicaid would be wise to retain these records for at least this length of time.

Many medical providers choose to be on the safe side when it comes to the retention of medical records, using the following guidelines:

  • Adult health records: 10 years after last use date
  • Health records for minors: Majority age combined with the existing statute of limitations
  • Adult diagnostic images: Five years
  • Minors diagnostic images: Five years following the majority age
  • Disease index: 10 years
  • Operative index: 10 years
  • Register of Death/Birth: Forever
  • Physician Index: 10 years

For a more information on retention periods for medical records, providers may wish to consult the American Health Information Management Association.

Common Ways to Store Medical Records

Many medical healthcare providers are pivoting from paper to digital record management. Even with the shift to digital, most providers still have substantial old paper documents to retain. Ensuring the confidential retention of these medical records is vital for compliance.

Thankfully, the secure retention of these medical records is possible with designated storage facilities. These facilities must be highly secure, yet you must be able to access the information stored there when necessary. Part of HIPAA requirements are that patients must be able to access their private health information on request.

HIPAA and States on Destruction

Like retention, the destruction of health information must comply with state and federal laws.

After the HIPAA records retention period for has been satisfied, information may be safely disposed of through secure shredding. Some states require the healthcare service provider to produce an abstract that notifies patients their records have been destroyed and certifies the information is now unreadable.

Except where there are contravening state laws, the destruction of HIPAA records should ensure that reconstructing the information on them is not possible. HIPAA-covered entities also must keep a record of:

  • Destruction date
  • Destruction method
  • Inclusive dates
  • Description of destroyed medical information
  • Signatures of witnesses to the destruction

It’s highly recommended that healthcare organizations rely on third-party businesses to handle the retention and destruction of health information. If you destroy HIPAA records with this model, your contract with the third-party service provider must have the following:

  • Destruction method
  • Disposal method
  • Security against breaches
  • Indemnification for the third party
  • Liability insurance details

HIPAA Compliant Ways to Destroy Medical Records

The correct method for the retention and destruction of medical records is a function of their format. For laserdiscs and microfilms, you’ll have to pulverize them. You have to demagnetize tapes and cut DVDs into tiny bits.

Because the bulk of private health information is still in paper form, off-site shredding via a third party like Armstrong Archives is ideal. The third party can transport the documents via a locked container before it is shredded with industrial-grade shredding equipment.

Industrial shredders use the cross-cut shredding method to ensure the destruction meets HIPAA standards.


Below are answers to some common questions about the retention and destruction of health information:

Do Hospitals Destroy Medical Records?

Yes, hospitals destroy medical records. Rather than investing in all the needed equipment, most hospitals rely on third-party records management providers to destroy their medical records in a HIPAA-compliant manner.

What Happens to Medical Records and PHI After 10 years?

Federal law allows medical providers to destroy medical records after six years but some states require a longer retention period. If the medical records pertain to a child, you may be required to retain them for more than 10 years.  If you are not sure, it’s best to consult a HIPAA attorney or a records management company for more information.

What Happens to Medical Records When Doctors Retire?

The HIPAA act asks retiring physicians to assign a custodian to manage subsequent information releases for patients.  The custodian handles patient requests for their records in the future.  Another physician or a records storage facility can be the custodian for patient files when a physician retires.

Trust an Experienced Health Records Management Company

When it comes to the proper retention and destruction of health information, it is essential that you have the right partner who can help you maintain HIPAA compliance.  Armstrong Archives has been working with physicians, hospitals, insurance companies, and other medical providers for decades.  We can store your health information for as long as required, help you access it whenever necessary, and then perform secure destruction when the time is right.  Contact us today!

Sherri Taylor

Posted By: Sherri Taylor – President/Managing Partner

Sherri Taylor is the Managing Partner and President of Armstrong Archives, one of the largest independent records and information management companies in the Dallas/Ft Worth area.

2022-12-09T15:59:24-06:00July 9th, 2021|Records Storage|

Share This Story, Choose Your Platform!

Stay connected

Call Us Today For Your Document Storage and Scanning Solutions


Contact Info

1515 Crescent Dr, Carrollton, TX 75006

Request Medical Records: 972-242-6059
Request a Quote: 972-242-7179

Go to Top