Kentucky Medical Records Retention Laws (2026 Guide)
Kentucky imposes specific medical records retention requirements on hospitals and certain healthcare facilities through state administrative regulations. The primary regulation is 902 KAR 20:016, which addresses hospital operations and services, including how long patient records must be preserved after discharge.
Understanding these rules is important for healthcare providers, patients seeking access to their records, and administrators responsible for records management and compliance. This guide covers state and federal retention requirements, patient access rights, proper destruction methods, and what happens to records when a practice closes.
Hospital Medical Records Retention Under 902 KAR 20:016
Kentucky's primary retention requirement for hospital medical records is found in 902 KAR 20:016, titled "Hospitals; operations and services." This regulation is administered by the Kentucky Cabinet for Health and Family Services, Department for Public Health.
Under this regulation, hospitals licensed in Kentucky must retain complete medical records for a minimum of five years from the date of the patient's discharge, transfer, or death. After the required retention period ends, the completed medical record is placed in an inactive file.
The regulation covers all general acute care hospitals operating under a Kentucky license. This includes medical records for every inpatient and outpatient who receives evaluation or treatment at the facility.
What Hospital Records Must Include
Kentucky hospitals are required to maintain medical records that are accurately written, promptly completed, properly filed, and readily accessible. At a minimum, hospital medical records should include:
- Patient identification and demographic information
- Medical history and physical examination findings
- Diagnostic and therapeutic orders
- Clinical observations, progress notes, and nursing notes
- Reports of procedures, tests, and their results
- Operative reports for surgical patients
- Discharge summaries
- Consent forms and authorizations
All records must be maintained in a manner that protects them from loss, damage, or unauthorized access throughout the retention period.
Retention Requirements for Minor Patients
Kentucky applies a longer retention period when the patient is a minor at the time of treatment. Under 902 KAR 20:016, hospitals must retain medical records for minors for five years from the date of discharge or until the patient reaches age 21, whichever period is longer.
The age of majority in Kentucky is 18 under KRS 2.015. By requiring retention until age 21 (three years beyond the age of majority), Kentucky provides former minor patients a window to access their childhood medical records as adults.
For example, if a child receives hospital treatment at age 10, the standard five-year retention period would expire when the child is 15. Because the minor rule requires records to be kept until age 21, the hospital must retain those records for 11 years rather than five.
This extended retention is particularly important for:
- Young adults who need childhood medical history for ongoing care
- Legal proceedings that may arise after the patient reaches adulthood
- Insurance claims that reference childhood medical events
- Disability determinations requiring early medical documentation
Physician Office and Private Practice Retention
Kentucky does not have a state-specific statute that mandates a minimum retention period for medical records maintained by private physician offices or outpatient clinics outside the hospital setting. The ONC/HHS State Medical Record Laws table confirms that Kentucky's physician retention requirement is listed as "N/A" at the state level.
Despite the absence of a state mandate, physicians in Kentucky should follow several overlapping requirements and best practices.
Federal Requirements That Apply
Physician practices that participate in Medicare or Medicaid are subject to federal retention standards. Practices that bill Kentucky Medicaid must comply with 907 KAR 1:632, which requires providers to maintain medical records for the period specified by the U.S. Department of Health and Human Services. For Medicare providers, the CMS Medical Record Maintenance guidance establishes that providers and suppliers must retain medical records for at least seven years from the date of service.
Professional Best Practices
The American Medical Association and most state medical associations recommend that physicians retain adult patient records for at least seven to ten years from the date of the last encounter. For pediatric patients, the recommended practice is to retain records until the patient reaches the age of majority plus the applicable statute of limitations period.
Kentucky physicians who follow these professional guidelines will generally satisfy all overlapping federal requirements as well.
HIPAA Requirements and Medical Records
A common misconception is that the federal Health Insurance Portability and Accountability Act (HIPAA) sets a retention period for medical records. It does not.
According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule does not include medical record retention requirements. State laws govern how long medical records must be retained. HIPAA defers to state law on this issue.
However, HIPAA does impose a six-year retention requirement for compliance documentation. Under 45 CFR 164.530(j), covered entities must retain privacy policies, procedures, patient communications, and other compliance-related documents for six years from the date of creation or the date when the document was last in effect, whichever is later.
This means that while HIPAA does not dictate how long you keep a patient's chart, it does require you to maintain the policies and documentation that govern how you handle that chart.
What HIPAA Does Require for Records
While HIPAA does not set a retention period for medical records, it does require covered entities to:
- Apply administrative, technical, and physical safeguards to protect records that are retained
- Ensure proper disposal of protected health information (PHI) when records are destroyed
- Provide patients with access to their records for as long as those records are maintained
- Maintain a record of certain disclosures of PHI for six years
CMS and Medicare Conditions of Participation
Hospitals that participate in the Medicare program must comply with the Conditions of Participation (CoPs) at 42 CFR 482.24. These federal requirements exist alongside Kentucky's state regulations, and hospitals must satisfy both.
The CMS Conditions of Participation require hospitals to maintain medical records in their original or legally reproduced form for a period of at least five years. This matches Kentucky's state requirement under 902 KAR 20:016.
For other Medicare providers and suppliers (including physician offices), CMS guidance requires that medical records be retained for a minimum of seven years from the date of service.
Kentucky hospitals that comply with the state five-year retention period will also meet the CMS hospital CoP requirement. However, physician practices billing Medicare should plan to retain records for at least seven years to satisfy the CMS provider requirement.
Patient Access to Medical Records in Kentucky
Kentucky law provides patients with a statutory right to obtain copies of their medical records. Under KRS 422.317, all licensed hospitals and healthcare providers must supply a patient with a copy of their medical record upon receiving the patient's written request.
This statute was created in 1994 and most recently codified under Kentucky Acts Chapter 334, Section 6, effective July 15, 1996.
Copying Fees
Kentucky law permits healthcare providers to charge reasonable fees for medical record copies. The fee structure established under Kentucky law allows providers to charge:
- $20 for medical records that are five pages or fewer in length
- $1 per page for each page copied after the first five pages
- The actual cost of mailing
Providers may not charge fees that exceed these amounts. Patients who are denied access to their records or charged excessive fees may file a complaint with the Kentucky Cabinet for Health and Family Services.
Access to Minor Patient Records
Kentucky enacted KRS 422.355 in 2024, which addresses the right to access medical records of patients under age eighteen. This statute defines the circumstances under which parents and guardians may access a minor child's medical records and includes specific exceptions.
Parents and legal guardians generally have the right to access their minor child's health records. However, the statute provides exceptions in situations involving sensitive care categories such as mental health treatment, substance abuse counseling, and reproductive healthcare, consistent with federal HIPAA provisions that protect minor patient privacy in these areas.
HIPAA Right of Access
In addition to state law, the HIPAA Privacy Rule at 45 CFR 164.524 gives patients the right to access and obtain copies of their protected health information maintained in a designated record set. The HHS Office for Civil Rights has actively enforced this right, reaching multiple settlements with providers who failed to provide timely access to records.
Under HIPAA, providers must respond to a patient's access request within 30 days (with one 30-day extension permitted if the provider notifies the patient in writing of the reason for the delay).
Proper Destruction of Medical Records
Once the applicable retention period has expired, Kentucky healthcare providers may destroy medical records. However, destruction must comply with both state standards and HIPAA requirements to protect patient privacy.
The HHS Office for Civil Rights specifies that covered entities must use appropriate methods to render protected health information unreadable, indecipherable, and impossible to reconstruct.
Acceptable Destruction Methods for Paper Records
- Shredding using cross-cut shredders (preferred method)
- Burning in a controlled environment
- Pulping through a professional document destruction service
- Pulverizing to render content unrecoverable
Acceptable Destruction Methods for Electronic Records
- Clearing by overwriting storage media with non-sensitive data
- Purging through degaussing or cryptographic erasure
- Physical destruction by pulverizing, melting, incinerating, or shredding electronic storage media
What Is Not Acceptable
Providers may not dispose of records containing PHI in:
- Public dumpsters or recycling bins
- Regular trash receptacles accessible to unauthorized persons
- Unsecured recycling containers
Kentucky providers should maintain a destruction log that documents the date of destruction, the method used, the records destroyed (by type, not patient name), and the name of the individual or vendor that performed the destruction. This log should be retained as part of the organization's HIPAA compliance documentation for at least six years.
What Happens When a Practice Closes
When a Kentucky physician's practice closes, the provider remains responsible for ensuring that medical records are properly maintained and accessible for the full required retention period. Kentucky does not have a specific statute detailing practice closure procedures, but the Kentucky Board of Medical Licensure expects physicians to follow professional standards.
Recommended Steps for Practice Closure
Physicians closing a practice should take the following steps:
- Notify patients in advance. Best practice calls for written notification at least 30 to 90 days before the closure date. The notification should include the date of closing, how patients can obtain copies of their records, and the name of any physician taking over the practice.
- Arrange records transfer or custodianship. The physician should transfer records to another provider who agrees to accept them, or engage a medical records custodian to maintain the records for the remainder of the retention period.
- Notify the Kentucky Board of Medical Licensure. Physicians who are closing their practice should inform the KBML and update their license status.
- Notify insurance companies and payers. All relevant insurance carriers and billing entities should be informed of the closure.
- Maintain access. Even after closure, patients retain their right to access records under KRS 422.317 and HIPAA. The closing physician or the designated custodian must honor record requests for the full retention period.
Hospital Closures
When a Kentucky hospital closes, the facility must comply with 902 KAR 20:016 for the full retention period. The Kentucky Cabinet for Health and Family Services may designate a custodian for the records. Hospital administrators should coordinate with the Department for Public Health to arrange for continued record storage and patient access.
Kentucky Retention Rules at a Glance
| Provider Type | Retention Period | Authority |
|---|---|---|
| Hospitals (adult patients) | 5 years from discharge | 902 KAR 20:016 |
| Hospitals (minor patients) | 5 years from discharge or until age 21, whichever is longer | 902 KAR 20:016 |
| Physician offices (state law) | No state-specific requirement | N/A |
| Medicaid providers | Period required by HHS Secretary | 907 KAR 1:632 |
| Medicare providers/suppliers | 7 years from date of service | CMS CoP guidance |
| HIPAA compliance documentation | 6 years from creation or last effective date | 45 CFR 164.530(j) |
Sources and References
- 902 KAR 20:016: Hospitals; Operations and Services - Kentucky Legislative Research Commission
- KRS 422.317: Copy of Patient's Medical Record - Kentucky Revised Statutes
- KRS 422.355: Right to Access Medical Record of Patient Under Age 18 - Kentucky Revised Statutes
- 907 KAR 1:632: Medicaid Provider Records Retention - Kentucky Legislative Research Commission
- 42 CFR 482.24: Conditions of Participation: Medical Record Services - Electronic Code of Federal Regulations
- 45 CFR 164.530: HIPAA Administrative Requirements - Electronic Code of Federal Regulations
- Does HIPAA Require Covered Entities to Keep Medical Records? - U.S. Department of Health and Human Services
- Medical Record Maintenance and Access Requirements - Centers for Medicare and Medicaid Services
- HIPAA Right of Access Guidance - U.S. Department of Health and Human Services
- Disposal of Protected Health Information FAQ - U.S. Department of Health and Human Services
- State Medical Record Laws: Table A-7 - Office of the National Coordinator for Health IT
- Kentucky Board of Medical Licensure - Commonwealth of Kentucky