Arizona Medical Records Retention Laws (2026 Guide)
Overview of Arizona Medical Records Retention Laws
Last verified: March 2026. This page reflects current Arizona Revised Statutes Title 12, Chapter 13, Article 7.1 and Title 32, Chapter 31.
Table of Contents
- Overview of Arizona Medical Records Retention Laws
- General Retention Period: 6 Years for Adult Patients
- Records for Minor Patients
- Nursing Care Institutions
- Source Data Retention
- How HIPAA Interacts with Arizona Retention Law
- CMS and Medicare Retention Requirements
- Patient Access Rights in Arizona
- Fees for Medical Record Copies
- Proper Destruction of Medical Records
- Practice Closure and Sale Requirements
- Electronic Medical Records Considerations
- Statute of Limitations Considerations
- Consequences of Noncompliance
- Frequently Asked Questions
Arizona law establishes specific minimum timeframes for how long healthcare providers must keep patient medical records. The primary statute governing this area is A.R.S. § 12-2297, which sits within Title 12, Chapter 13, Article 7.1 of the Arizona Revised Statutes.
These retention requirements apply broadly to all healthcare providers operating in the state, including physicians, dentists, chiropractors, physical therapists, naturopathic doctors, and other licensed professionals. The rules serve two critical purposes: protecting patients who may need their records for ongoing treatment or legal matters, and protecting providers who may need records to defend against malpractice claims.
Arizona's retention framework also intersects with federal law in important ways. Providers who participate in Medicare, accept federal funding, or fall under HIPAA's reach face additional obligations that can extend beyond what state law alone requires.
General Retention Period: 6 Years for Adult Patients
Under A.R.S. § 12-2297, healthcare providers in Arizona must retain the original or copies of a patient's medical records for at least six years after the last date the adult patient received medical or healthcare services from that provider.
The six-year clock starts on the date of the patient's most recent visit or service, not the date the record was created. This distinction matters because a patient who visits a provider repeatedly over many years will have older records that remain subject to retention based on the most recent encounter.
For example, if a patient first visited a physician in 2018 and their last appointment was in January 2024, the provider must keep all of that patient's records until at least January 2030.
The phrase "unless otherwise required by statute or by federal law" at the beginning of the statute is significant. It means that other Arizona statutes or federal regulations can impose longer retention periods for specific types of records, and providers must follow whichever requirement is strictest.
| Patient Type | Minimum Retention Period | Statute |
|---|---|---|
| Adult patients | 6 years after last date of service | A.R.S. § 12-2297(A) |
| Minor patients | 3 years after age 18 OR 6 years after last service (whichever is later) | A.R.S. § 12-2297(B) |
| Nursing care institution patients | 6 years after discharge | A.R.S. § 12-2297(D) |
| Source data | 6 years from date of collection | A.R.S. § 12-2297(C) |
Records for Minor Patients
Arizona provides special protections for medical records belonging to children. Under A.R.S. § 12-2297(B), if the patient is a child, the provider must retain records for whichever period is longer:
- At least three years after the child's eighteenth birthday, or
- At least six years after the last date the child received medical or healthcare services
The "whichever is later" language is critical. Providers need to calculate both dates and use the one that falls further in the future.
Consider a child who was last treated at age 10 in 2020. Under the six-year rule, retention would expire in 2026. Under the age-based rule, the child turns 18 in 2028, and three years after that is 2031. Because 2031 is later, the provider must keep the records until at least 2031.
Conversely, if a 16-year-old received treatment in 2024, the six-year rule would require retention until 2030. The age-based rule would require retention until 2027 (three years after turning 18 in 2024). In this case, the six-year rule controls because 2030 is later.
This dual-calculation approach ensures that minors always have access to their childhood medical records for a reasonable period after reaching adulthood.
Nursing Care Institutions
Nursing care institutions, as defined in A.R.S. § 36-401, follow a slightly different retention trigger. Under A.R.S. § 12-2297(D), these facilities must retain patient records for six years after the date of the patient's discharge.
The discharge date replaces the "last date of service" trigger used for other providers. For minor patients in nursing care settings, the same dual-calculation rule applies: the facility retains records for whichever is longer between three years after the child turns 18 or six years after discharge.
This provision recognizes the unique nature of nursing care settings where patients may have extended stays and where discharge represents a clear end point for the provider-patient relationship.
Source Data Retention
A.R.S. § 12-2297(C) addresses source data separately. Source data may be maintained separately from the medical record itself, but the provider must retain it for six years from the date of collection.
Source data includes raw test results, diagnostic imaging files, lab work, and other primary data that forms the basis for entries in the medical record. The six-year retention period runs from when the data was collected, not from the patient's last visit. This can create situations where source data from early in a treatment relationship expires before the overall medical record retention obligation ends.
Providers should be aware that while Arizona law permits maintaining source data separately, they should ensure their record management systems track retention deadlines for both the medical record and associated source data.
How HIPAA Interacts with Arizona Retention Law
The federal Health Insurance Portability and Accountability Act (HIPAA) does not establish its own medical records retention period. According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule defers to state law on how long medical records must be kept.
However, HIPAA does impose two important requirements that apply alongside Arizona's retention rules:
HIPAA Documentation Retention (6 Years)
While HIPAA does not set a retention period for medical records themselves, it does require covered entities to retain HIPAA-related documentation for six years. Under 45 C.F.R. § 164.530(j), covered entities must retain policies, procedures, notices of privacy practices, disposition of complaints, and other actions or documentation required by the Privacy Rule for six years from the date of creation or the date when the document was last in effect, whichever is later.
This means that Arizona providers who are HIPAA-covered entities (which includes most healthcare providers who transmit health information electronically) must maintain two parallel retention timelines: one for the medical records under A.R.S. § 12-2297 and one for HIPAA compliance documentation under 45 C.F.R. § 164.530(j).
Safeguards During Retention
HIPAA requires appropriate administrative, technical, and physical safeguards to protect the privacy of medical records throughout the entire retention period. This means Arizona providers cannot simply store old records in an unsecured location. The same protections that apply to active patient files also apply to records being stored solely for retention compliance.
CMS and Medicare Retention Requirements
Healthcare providers who participate in Medicare face additional federal retention requirements through the Centers for Medicare and Medicaid Services (CMS). Under 42 C.F.R. § 424.516(f), Medicare providers and suppliers must retain medical records for a minimum of seven years from the date of service.
This is one year longer than Arizona's six-year state requirement, so Medicare-participating providers in Arizona must follow the seven-year federal standard for Medicare patients. For dual-eligible patients (those covered by both Medicare and Medicaid), the longer retention period applies.
Medicare Part D prescription drug plan sponsors and their downstream entities face an even longer requirement of 10 years under 42 C.F.R. § 423.504(i).
| Requirement | Retention Period | Authority |
|---|---|---|
| Arizona state law (adults) | 6 years from last service | A.R.S. § 12-2297 |
| HIPAA compliance documents | 6 years from creation or last effective date | 45 C.F.R. § 164.530(j) |
| Medicare (general) | 7 years from date of service | 42 C.F.R. § 424.516(f) |
| Medicare Part D sponsors | 10 years | 42 C.F.R. § 423.504(i) |
Because A.R.S. § 12-2297 explicitly defers to longer federal requirements with its "unless otherwise required by federal law" language, Arizona providers participating in Medicare should default to the seven-year standard for all Medicare-related records.
Patient Access Rights in Arizona
Arizona law grants patients a clear right to access their own medical records. Under A.R.S. § 12-2293, on the written request of a patient or the patient's healthcare decision maker, the provider in possession of the records must provide access to or copies of those records.
Patients may submit their requests electronically if the provider's notice of privacy practices or website explains how to do so.
When Providers Can Deny Access
A.R.S. § 12-2293 permits providers to deny access in limited circumstances, including when:
- Providing access would endanger the patient's safety
- Disclosure would cause substantial harm to a third party
- Releasing the information would compromise confidential sources
- Access would interfere with correctional facility security
When a provider denies access, they must document the determination and provide the patient with a written explanation. The provider must still release any portions of the record that are not subject to a valid denial basis.
HIPAA's 30-Day Deadline
Under federal HIPAA rules at 45 C.F.R. § 164.524, covered entities must respond to access requests within 30 calendar days. If additional time is needed, the provider may take up to one 30-day extension (for a total of 60 days), but they must notify the patient in writing of the delay and the expected completion date within the initial 30-day window.
HHS has emphasized that the 30-day period is an outer limit; providers should respond as quickly as possible.
Fees for Medical Record Copies
Under A.R.S. § 12-2295, providers may charge a "reasonable fee" for reproducing medical records and may require advance payment.
However, Arizona law prohibits providers from charging fees in several important situations:
- Continuity of care: Providers cannot charge when sending records to another healthcare provider for the purpose of continuing the patient's care.
- Patient seeking healthcare: Providers cannot charge the patient when the demonstrated purpose is obtaining healthcare.
- Healthcare decision makers: No fee applies when the patient's authorized decision maker requests records for care purposes.
- Regulatory boards: The Arizona Medical Board, Board of Osteopathic Examiners, and health department officials receive records without charge.
- Social Security appeals: Patients appealing a denial of Social Security benefits receive one free copy per year upon submitting the appropriate representative form (SSA-1696).
- No records found: Providers cannot charge a fee if no records are located in response to a request.
The statute does not set a specific per-page dollar amount. Instead, it requires that fees be "reasonable," which gives providers discretion within legal bounds.
Proper Destruction of Medical Records
Once the retention period expires, Arizona providers are not required to keep records indefinitely. However, the method of destruction matters significantly under both state and federal law.
Arizona Requirements
Under A.R.S. § 32-3211, health professionals must have a written protocol that includes procedures for disposing of unclaimed medical records after a specified period of time and after making good-faith efforts to contact the patient.
This means providers cannot simply shred records on the expiration date without first attempting to notify patients and give them an opportunity to obtain copies.
HIPAA Destruction Standards
The HHS Office for Civil Rights requires covered entities to implement reasonable safeguards when disposing of protected health information (PHI). While HIPAA does not mandate a specific destruction method, it prohibits disposal in locations accessible to the public, such as open dumpsters or public recycling bins.
Acceptable destruction methods include:
- Paper records: Shredding, burning, pulping, or pulverizing
- Electronic media: Clearing (overwriting with non-sensitive data), purging (degaussing), or physically destroying the media (disintegration, melting, incinerating, or shredding)
- Third-party vendors: Providers may hire a business associate to handle destruction, but a Business Associate Agreement (BAA) must be in place under HIPAA
Providers should maintain a record of destruction activities, including the date, method, and description of records destroyed, even though HIPAA does not explicitly require a destruction log.
Practice Closure and Sale Requirements
When an Arizona healthcare provider retires, closes, or sells their practice, patient records do not simply disappear. A.R.S. § 12-2297 requires providers to take "reasonable measures" to ensure records remain retained for the full statutory period.
Notification Obligation
Under A.R.S. § 32-3211, if a health professional terminates or sells their practice and patient records will not remain in the same physical location, the provider must notify each patient in a timely manner before the termination or sale. The notice must inform patients about:
- The future location of their medical records
- How the patient can access those records
Transfer to New Provider
When a practice is sold, the purchasing provider typically assumes responsibility for maintaining the existing patient records. The sale agreement should clearly address record custody, ongoing retention obligations, and access procedures.
Records Custodian Options
Providers who close a practice without transferring to a successor have several options:
- Contracting with a medical records custodian service to store and manage records for the remaining retention period
- Transferring records to another local provider who agrees to maintain them
- Arranging with a hospital or health system to house the records
Regardless of the approach, the retiring or closing provider retains ultimate responsibility for ensuring compliance with retention requirements.
Written Protocol Requirement
A.R.S. § 32-3211 requires all licensed health professionals to maintain a written protocol for secure storage, transfer, and access of medical records. This protocol must be confirmed during relicensure. Providers who cannot demonstrate a compliant protocol face disciplinary action for unprofessional conduct.
Electronic Medical Records Considerations
Arizona law permits providers to retain either originals or copies of medical records, which includes electronic formats. Under A.R.S. § 32-1264, licensed providers must make "legible permanent and contemporaneous written or electronic records" of all diagnoses, evaluations, and treatments.
Electronic health records (EHRs) must be retrievable in paper form. This requirement ensures that even if a provider uses a fully digital system, the records can be printed and provided to patients, courts, or regulatory bodies upon request.
Providers storing records electronically should ensure their systems include:
- Adequate backup and disaster recovery procedures
- Access controls that comply with HIPAA Security Rule requirements
- Audit trails documenting who accessed or modified records
- The ability to produce paper copies on demand
- A migration plan for when software systems are upgraded or replaced
The retention period for electronic records is the same as for paper records. Switching from paper to electronic storage does not reset or alter the retention timeline.
Statute of Limitations Considerations
Although not directly part of the records retention statute, Arizona's statute of limitations for medical malpractice claims has practical implications for how long providers may want to keep records.
Under A.R.S. § 12-542, the general statute of limitations for personal injury claims (including medical malpractice) is two years from when the cause of action accrues. However, the discovery rule can delay the start of this clock if the injury was not immediately apparent.
For minors, the statute of limitations is typically tolled (paused) until the child reaches age 18, which means a malpractice claim could potentially be filed years after treatment.
Because of these variables, many legal professionals recommend retaining records beyond the minimum statutory period, particularly for pediatric patients. The six-year retention minimum under A.R.S. § 12-2297 provides a reasonable baseline, but providers treating children or handling high-risk procedures may want to consider longer voluntary retention.
Consequences of Noncompliance
Arizona takes medical records retention seriously. Under A.R.S. § 12-2297(F), a health professional who does not comply with the retention requirements commits an act of unprofessional conduct.
Unprofessional conduct can trigger disciplinary proceedings by the provider's licensing board, which may result in:
- Formal reprimand or censure
- Required continuing education
- Practice restrictions or supervision requirements
- License suspension or revocation in severe cases
Additionally, under A.R.S. § 32-3211, health professionals must confirm compliance with their written medical records protocol during relicensure. Failure to maintain a compliant protocol is itself grounds for disciplinary action.
Beyond state licensing consequences, providers who are HIPAA-covered entities also face potential federal enforcement for improper destruction or failure to safeguard records during the retention period. HHS Office for Civil Rights penalties for HIPAA violations can range from $137 to over $2 million per violation category per year.
Employee vs. Practice Owner Responsibility
A.R.S. § 12-2297(E) provides an important distinction: a person licensed under Title 32 who works as an employee of a healthcare provider is not responsible for storing or retaining medical records. However, employees remain responsible for compiling and recording patient information in the customary manner. The storage and retention obligation falls on the practice owner or the entity that employs the provider.
Frequently Asked Questions
Sources and References
- A.R.S. § 12-2297 - Retention of Records(azleg.gov).gov
- A.R.S. § 12-2293 - Release of Medical Records to Patients(azleg.gov).gov
- A.R.S. § 12-2295 - Charges for Medical Records(azleg.gov).gov
- A.R.S. § 32-3211 - Medical Records Protocol(azleg.gov).gov
- A.R.S. § 12-2294 - Release of Medical Records to Third Parties(azleg.gov).gov
- A.R.S. § 36-401 - Definitions (Healthcare Institutions)(azleg.gov).gov
- A.R.S. § 12-542 - Statute of Limitations for Personal Injury(azleg.gov).gov
- HIPAA Privacy Rule Summary - HHS(hhs.gov).gov
- HIPAA Right of Access Guidance - HHS(hhs.gov).gov
- Disposal of Protected Health Information FAQ - HHS(hhs.gov).gov
- CMS Medical Record Maintenance and Access Requirements(cms.gov).gov
- 45 C.F.R. § 164.524 - Access of Individuals to PHI(govinfo.gov).gov