Utah Medical Records Retention Laws (2026 Guide)
Overview of Utah Medical Records Retention Laws
Utah regulates medical records retention primarily through its Administrative Code, which sets minimum holding periods for hospitals and licensed healthcare facilities. Private physicians in the state are not subject to a specific state-mandated retention period. Instead, they must follow federal rules under HIPAA and CMS, along with professional best practices.
Understanding these retention requirements is essential for healthcare providers, patients, and legal professionals. Failing to retain records for the required period can result in regulatory penalties, malpractice liability, and loss of Medicare or Medicaid participation.
This guide breaks down the rules for every type of provider in Utah, explains federal overlay requirements, and covers patient rights, destruction procedures, and what happens when a practice closes.
Hospital Medical Records Retention in Utah
Utah Administrative Code R432-100-35 establishes the primary retention requirements for hospitals licensed in the state. Under this rule, hospitals must retain medical records for a minimum of seven years from the date of the patient's last encounter.
Retention for Minor Patients
Hospital records for minors carry a longer retention obligation. Under R432-100-35, medical records of minor patients must be retained until the patient reaches age 18 plus an additional four years. However, the total retention period can never be less than seven years.
For example, if a child receives treatment at age 10, the hospital must keep those records until the child turns 22 (age 18 plus 4 years). If a child receives treatment at age 16, the hospital must still keep records until age 22, since that exceeds the seven-year minimum.
Master Patient Index
Hospitals in Utah are required to permanently maintain a master patient index. This index must include each patient's name, medical record number, date of birth, admission and discharge dates, and attending physician name. The master index has no expiration date and must be kept indefinitely.
Storage Requirements
The regulation requires hospitals to provide for the filing, safe storage, and easy accessibility of medical records. Records may be stored in multiple locations as long as each record can be retrieved or accessed within a reasonable time period. Access is limited to medical staff, authorized personnel, patients who have provided consent, and Utah Department of Health compliance investigators.
Small Healthcare Facilities (4 to 16 Beds)
Utah Administrative Code R432-200-29 governs small healthcare facilities with 4 to 16 beds. These facilities must retain medical records for at least seven years after the last date of resident care.
For minors, small healthcare facilities must retain records until the minor reaches age 18 plus an additional two years. However, the total retention period may not be less than seven years.
Small healthcare facilities must also safeguard records from loss, defacement, tampering, fires, and floods. Records must be protected against access by unauthorized individuals at all times.
Ambulatory Surgical Centers
Freestanding ambulatory surgical centers in Utah follow the rules in R432-500-21. These facilities must retain medical records for at least seven years after the last date of patient care.
For minors treated at ambulatory surgical centers, records must be kept until the patient reaches age 18 plus three years. As with other facility types, the minimum seven-year floor still applies.
Private Physicians and Office-Based Practices
Utah does not have a specific statute that mandates a retention period for medical records held by private physicians or office-based practices. Unlike hospitals and licensed facilities, individual practitioners operate under a different regulatory framework.
However, private physicians in Utah should consider the following requirements when setting their retention policies:
- HIPAA documentation retention: 6 years for compliance policies and procedures
- CMS/Medicare requirements: At least 5 to 7 years for billing and audit purposes
- Malpractice statute of limitations: Utah Code 78B-2-307.5 generally allows malpractice claims within 2 years of discovery, but no more than 4 years from the act
- Professional association recommendations: The American Medical Association recommends retaining records for at least 10 years from the last encounter
Most Utah attorneys and compliance professionals recommend that private physicians retain adult patient records for at least seven years and minor patient records until the patient turns 18 plus an additional four years, matching the hospital standard.
Summary of Utah Retention Periods by Provider Type
| Provider Type | Adult Records | Minor Records | Authority |
|---|---|---|---|
| Hospitals | 7 years minimum | Age 18 + 4 years (min. 7 years) | R432-100-35 |
| Small Healthcare Facilities (4-16 beds) | 7 years after last care | Age 18 + 2 years (min. 7 years) | R432-200-29 |
| Ambulatory Surgical Centers | 7 years after last care | Age 18 + 3 years (min. 7 years) | R432-500-21 |
| Private Physicians | No state mandate | No state mandate | Follow federal/professional guidelines |
Federal Requirements That Apply in Utah
HIPAA Requirements
The HIPAA Privacy Rule does not require covered entities to retain medical records for any specific period. According to the U.S. Department of Health and Human Services, HIPAA defers to state laws for medical record retention.
However, HIPAA does require covered entities to retain certain compliance documentation for six years. Under 45 CFR 164.530(j), the following must be kept for six years from creation or the date last in effect, whichever is later:
- Privacy policies and procedures
- Privacy practices notices
- Disposition of complaints
- Training records
- Business associate agreements
- Any other actions, activities, or designations required to be documented under the HIPAA Privacy Rule
CMS and Medicare/Medicaid Requirements
Healthcare providers that participate in Medicare or Medicaid must comply with the Conditions of Participation under 42 CFR 482.24. Hospitals must maintain medical records that are accurately written, promptly completed, properly filed and retained, and accessible.
CMS generally requires that Medicare providers retain records for at least five years from the date of service. For billing and audit purposes, many compliance professionals recommend a seven-year retention period to align with the False Claims Act statute of limitations under 31 U.S.C. 3731(b).
Providers participating in Medicare Advantage or Part D programs may face longer retention requirements of up to 10 years.
Patient Access to Medical Records in Utah
Utah Code 78B-5-618 establishes the right of patients and their authorized representatives to inspect and obtain copies of their medical records.
Patient Rights
Under this statute, a patient or the patient's personal representative may inspect or receive a copy of the patient's records from any healthcare provider. For providers subject to HIPAA, the access standards in 45 CFR 164.524 also apply, which require providers to respond within 30 calendar days of a request.
If the provider cannot respond within 30 days, HIPAA allows one 30-day extension, provided the provider notifies the patient in writing with the reason for the delay and the expected completion date.
Copying Fees in Utah
Utah Code 78B-5-618 sets specific limits on what providers may charge when a third party requests medical records:
- Search/retrieval fee: Up to $30 per request for locating records
- First 40 pages: Up to $0.53 per page
- Additional pages: Up to $0.32 per page
- Certification fee: $20 if requested
- Postage: Actual cost when applicable
These fees are adjusted annually based on the Consumer Price Index. When patients request their own records, HIPAA limits charges to a reasonable, cost-based fee that covers only copying and postage.
Proper Destruction of Medical Records in Utah
Once the applicable retention period expires, Utah healthcare providers must follow specific procedures before destroying medical records.
Hospital Destruction Requirements
Under R432-100-35, hospitals must provide public notice before destroying medical records. The hospital must publish a notice in a newspaper of statewide distribution at least once per week for three consecutive weeks before destruction. This notice gives former patients the opportunity to request copies of their records before they are destroyed.
HIPAA-Compliant Destruction Methods
All healthcare providers, regardless of type, must destroy records in a manner that protects against unauthorized disclosure of protected health information. According to HHS guidance on PHI disposal, acceptable destruction methods include:
Paper records:
- Shredding using cross-cut or micro-cut shredders
- Incineration or burning
- Pulverizing
Electronic records:
- Clearing (overwriting data)
- Purging (degaussing or cryptographic erasure)
- Physical destruction of the storage media
Providers must never dispose of records containing PHI in dumpsters, recycling bins, or any receptacle accessible to the public. If using a third-party destruction service, the provider must execute a HIPAA business associate agreement with that vendor.
Documenting Destruction
Best practice requires maintaining a log of all destroyed records, including the patient name or record number, dates of the records, the date of destruction, the method used, and the name of the person or company that performed the destruction. This destruction log should be retained permanently.
When a Utah Medical Practice Closes
When a hospital ceases operations in Utah, R432-100-35 requires the facility to arrange for secure, safe storage and prompt retrieval of all medical records, patient indexes, and discharge records for the remainder of the required retention period.
Options for Records Storage After Closure
The regulation permits three options for handling records when a hospital closes:
- Transfer to another hospital: Records may be stored by another licensed hospital in the area
- Approved storage facility: Records may be placed with a medical records storage company
- Return to attending physician: Records may be returned to the patient's attending physician, provided the physician is still practicing in the community
Physician Practice Closure
For physicians closing a private practice, Utah follows general professional guidelines. The Utah Division of Professional Licensing (DOPL) oversees physician licensing and expects that departing physicians will:
- Notify patients in writing at least 30 days before closing
- Offer patients the option to transfer records to another provider
- Offer patients the ability to obtain copies of their own records
- Designate a records custodian for any records not transferred
- Report the records custodian information to DOPL as required by HB 312 (2023)
Since 2023, all Utah healthcare providers who use third-party medical records services must report the custodian's contact information to DOPL.
Sources and References
- Utah Administrative Code R432-100 - General Hospital Standards (rules.utah.gov)
- Utah Code 78B-5-618 - Patient Access to Medical Records (le.utah.gov)
- HHS FAQ - HIPAA Medical Records Retention (hhs.gov)
- 45 CFR 164.530 - HIPAA Administrative Requirements (law.cornell.edu)
- HHS - Individuals' Right under HIPAA to Access Health Information (hhs.gov)
- 42 CFR 482.24 - CMS Conditions of Participation: Medical Record Services (ecfr.gov)
- Utah Admin Code R432-200-29 - Small Healthcare Facility Medical Records (law.cornell.edu)
- Utah Admin Code R432-500-21 - Ambulatory Surgical Center Medical Records (law.cornell.edu)
- HHS - Disposal of Protected Health Information (hhs.gov)
- Utah DOPL - Physician and Surgeon Licensing (dopl.utah.gov)
- Utah DOPL - Third-Party Medical Record Services Index (dopl.utah.gov)
- 31 U.S.C. 3731 - False Claims Act Statute of Limitations (law.cornell.edu)