Medical Records Retention Laws by State (2026 Guide)
Medical records retention laws determine how long hospitals, doctors, and other healthcare providers must keep your health information on file. These laws vary significantly from state to state, with retention periods ranging from 3 years in Wyoming to 20 years for hospitals in Massachusetts.
This guide covers every state's requirements, federal rules under HIPAA and Medicare, your rights as a patient, and what happens when records are destroyed.
Federal Requirements: What HIPAA Actually Says
One of the most common misconceptions in healthcare law is that HIPAA requires providers to keep medical records for a specific number of years. It does not.
HIPAA Documentation vs. Medical Records
HIPAA requires covered entities to retain HIPAA-related administrative documentation (privacy policies, procedures, training records, business associate agreements, complaint records) for 6 years from the date of creation or last effective date under 45 CFR 164.530(j).
This 6-year requirement applies to HIPAA compliance paperwork, not to patient medical records. How long actual patient records must be kept is determined by state law.
Medicare and Medicaid Requirements
CMS Conditions of Participation set separate federal minimums for providers participating in Medicare or Medicaid:
| Provider Type | Minimum Retention | Authority |
|---|---|---|
| Hospitals | 5 years after discharge | 42 CFR 482.24 |
| Medicare providers (general) | 7 years from date of service | CMS guidelines |
| Medicare Part D sponsors | 10 years from date of service | CMS guidelines |
| OSHA employee health records | Employment + 30 years | 29 CFR 1910.1020 |
Which Law Controls?
The stricter requirement always applies. If state law requires 10 years and federal law requires 7 years, the provider must retain records for 10 years. If federal law requires 7 years and the state only requires 5, the provider must retain for 7 years.
Medical Records Retention by State
The table below shows retention requirements for all 50 states and the District of Columbia. Where states have different rules for hospitals and physician offices, both are listed.
| State | Adult Retention | Minor Retention | Key Statute |
|---|---|---|---|
| Alabama | 5-7 years | 5 yrs after age 19 | Ala. Admin. Code r. 540-X-9-.10 |
| Alaska | 7 years | 2 yrs after age 19 or 7 yrs (longer) | Alaska Stat. 18.20.085 |
| Arizona | 6 years | 3 yrs after age 18 or 6 yrs (later) | Ariz. Rev. Stat. 12-2297 |
| Arkansas | 10 years | 10 yrs or 2 yrs after age 18 (longer) | Ark. Code R. 007.05.17 |
| California | 7 years | 1 yr after age 18 (min 7 yrs) | Cal. HSC 123145 |
| Colorado | 10 years | Until age 28 | 6 CCR 1011-1 |
| Connecticut | 7 yrs (physicians); 10 yrs (hospitals) | Same as adult | Conn. Agencies Regs. 19a-14-42 |
| Delaware | 7 years (physicians) | Not specified | Del. Code tit. 24, 1761 |
| D.C. | 5 years | 5 yrs after majority | D.C. Code 3-1210.11 |
| Florida | 5 years | Same as adult | Fla. Stat. 395.3025 |
| Georgia | 10 years (physicians) | 5 yrs after majority | O.C.G.A. 31-33-2 |
| Hawaii | 7 years | 7 yrs after age 18 | Haw. Rev. Stat. 622-58 |
| Idaho | 5 years (hospitals) | Not specified | Idaho Code 39-1394 |
| Illinois | 10 years | Not specified | 735 ILCS 5/8-2001 |
| Indiana | 7 years | Not specified | 410 IAC 15-1-9 |
| Iowa | 7 years | 1 yr after age 18 | Iowa Admin. Code 653-13.7 |
| Kansas | 10 years | 1 yr after majority | Kan. Admin. Regs. 28-34-9a |
| Kentucky | 5 years (hospitals) | Until age 21 | 902 KAR 20:016 |
| Louisiana | 6 yrs (physicians); 10 yrs (hospitals) | Not specified | La. Rev. Stat. 40:2144 |
| Maine | 7 years | 6 yrs after age 18 | 10-144 CMR ch. 112 |
| Maryland | 5 years | Until age 25 | COMAR 10.01.16.04 |
| Massachusetts | 7 yrs (physicians); 20 yrs (hospitals) | Not specified | Mass. Gen. Laws ch. 111, 70 |
| Michigan | 7 years; 15 yrs (sensitive exams) | Not specified | MCL 333.16213 |
| Minnesota | 7 yrs (portions); permanent (core) | Not specified | Minn. Stat. 145.32 |
| Mississippi | 5 years | Not specified | 30 Miss. Admin. Code 2635 |
| Missouri | 7 yrs (physicians); 10 yrs (public hospitals) | Until age 23 (public hospitals) | Mo. Rev. Stat. 109.255 |
| Montana | 6 yrs (facilities); 10 yrs (physicians) | 10 yrs after majority | Mont. Admin. R. 37.106.314 |
| Nebraska | No mandatory period | Until age 22 | Neb. Rev. Stat. 71-8403 |
| Nevada | 5 years | Until age 23 | NAC 449.379 |
| New Hampshire | 7 years | 1 yr after age 18 (min 7 yrs) | N.H. Admin. Code He-P 802.20 |
| New Jersey | 7 yrs (physicians); 10 yrs (hospitals) | Until age 23 (hospitals) | N.J.A.C. 8:43G-15.2 |
| New Mexico | 10 years | Until age 21 | N.M. Stat. Ann. 14-6-2 |
| New York | 6 years | Until age 19 or 6 yrs (later) | N.Y. Educ. Law 6530 |
| North Carolina | 11 years (hospitals) | Until age 30 | 10A NCAC 13B .3903 |
| North Dakota | 10 years | Until age 21 or 10 yrs (later) | NDAC 33-07-01.1-20 |
| Ohio | 6 years | Not specified | Ohio Admin. Code 3701-83-19 |
| Oklahoma | 5 years | Not specified | OAC 310:667-19-14 |
| Oregon | 10 years | Not specified | Or. Admin. R. 333-505-0050 |
| Pennsylvania | 7 years | Until age 19 (1 yr after majority) | 49 Pa. Code 16.95 |
| Rhode Island | 5 yrs (hospitals); 7 yrs (physicians) | 5 yrs after age 18 | R.I. Gen. Laws 5-37-22 |
| South Carolina | 10 years | 13 years from last treatment | S.C. Code Ann. 44-115-120 |
| South Dakota | 10 years (guidance) | Not specified | S.D. Admin. R. 44:73:09:06 |
| Tennessee | 10 years | Until age 19-21 (longer) | Tenn. R. 1050-02-.18 |
| Texas | 7 years | Until age 21 or 7 yrs (longer) | 22 TAC 163.2 |
| Utah | 7 years | 3 yrs after age 18 (min 5 yrs) | Utah Admin. Code R432-100-33 |
| Vermont | 10 years | Not specified | VT Code R. 946 |
| Virginia | 5 yrs (hospitals); 6 yrs (physicians) | Until age 23 (hospitals) | 12 VAC 5-410-230 |
| Washington | 10 years | Until age 21 or 10 yrs (longer) | WAC 246-320-141 |
| West Virginia | Not specified | Not specified | W.Va. CSR 64-12-7.2 |
| Wisconsin | 5 years | Not specified | Wis. Admin. Code Med. 21.03 |
| Wyoming | 3 years | Not specified | Wyo. Stat. 35-2-606 |
States with the Longest Requirements
Several states require significantly longer retention periods than the national average.
Massachusetts requires hospitals to keep records for 20 years after discharge or final treatment under Mass. Gen. Laws ch. 111, 70. This is the longest single-state requirement in the country. Physician offices must retain records for 7 years.
Minnesota requires hospitals to permanently retain what the commissioner of health defines as the "individual permanent medical record" under Minn. Stat. 145.32. Other portions of the record may be divested after 7 years, but core records must be kept indefinitely.
North Carolina requires hospitals to retain records for 11 years after discharge under 10A NCAC 13B .3903. Records of minors must be kept until the patient's 30th birthday, the longest minor-specific requirement in the nation.
South Carolina requires physicians to retain records for 10 years, with an extended period of 13 years for records of minors under S.C. Code Ann. 44-115-120.
States with the Shortest Requirements
Wyoming has the shortest retention requirement at just 3 years for hospital records under Wyo. Stat. 35-2-606.
Florida, Kentucky, Nevada, Oklahoma, and Wisconsin all require only 5 years of retention for at least some provider types.
Nebraska does not impose a specific mandatory retention period in its statutes. However, providers may not destroy records after receiving a patient request under Neb. Rev. Stat. 71-8403.
West Virginia does not specify a duration but requires records to be preserved in their original form, microfilm, or electronic format.
Hospital vs. Physician Office Differences
Many states set different retention periods for hospitals and private physician offices. In some states, hospitals must keep records longer; in others, physician offices have the longer requirement.
| State | Hospital | Physician Office |
|---|---|---|
| Massachusetts | 20 years | 7 years |
| Louisiana | 10 years | 6 years |
| Connecticut | 10 years | 7 years |
| New Jersey | 10 years | 7 years |
| Virginia | 5 years | 6 years |
| Rhode Island | 5 years | 7 years |
| Montana | 6 years (facilities) | 10 years |
Your Right to Access Medical Records
HIPAA gives patients (and their personal representatives) the legal right to access and obtain copies of their protected health information.
Response Time
Providers must act on a records request within 30 calendar days of receipt. They may extend by an additional 30 days with written notice explaining the delay. HHS encourages providers to respond as quickly as possible, noting that 30 days is the outer limit.
Fees
Providers may charge only "reasonable, cost-based" fees for copies. The fee may include the cost of labor for copying, supplies, and postage. It may not include the cost of searching for records, retrieving records, or maintaining records systems.
For electronic copies of records maintained electronically, providers may charge a flat fee of $6.50 or less (inclusive of all labor, supplies, and postage). This flat fee is an alternative to calculating actual costs.
What Providers Cannot Deny
Providers cannot deny access to your medical records because you have an unpaid bill, because the records are old, or because the request is inconvenient. Limited exceptions exist for psychotherapy notes, information compiled for legal proceedings, and certain lab results.
Information Blocking
The 21st Century Cures Act prohibits providers from engaging in "information blocking," defined as practices likely to interfere with access to, exchange of, or use of electronic health information. Penalties reach up to $1 million per violation for health IT developers. Provider-specific disincentives were finalized by HHS in June 2024.
What Happens When a Practice Closes
When a physician retires, relocates, or closes a practice, the provider must still ensure patient records are preserved for the required retention period. The American Medical Association recommends the following steps:
- Notify patients at least 60 days before closure
- Offer patients the option to transfer records to another provider
- Offer patients the option to receive a personal copy
- Notify the state medical board
- Arrange for a custodian to maintain records for the remaining retention period
- Destroy any records that have exceeded the retention period using HIPAA-compliant methods
Some states have specific closure requirements. North Carolina requires hospitals that discontinue operations to store records with a retrieval-service business for 11 years. Georgia requires providers who retire or sell their practice to give patients notice under O.C.G.A. 31-33-2.
Proper Destruction of Medical Records
HIPAA requires that medical records be rendered "essentially unreadable, indecipherable, and otherwise cannot be reconstructed" when destroyed.
Approved Methods
Paper records: shredding, burning, or pulverizing.
Electronic records: clearing (overwriting with non-sensitive data), purging/degaussing (using a strong magnetic field), or physical destruction of the storage media.
Records may never be placed in dumpsters, recycling bins, or other publicly accessible receptacles. Providers may hire a business associate to handle disposal, but a business associate agreement must be in place.
State Notification Requirements
Most states do not require notification before destroying records that have exceeded the retention period. Notable exceptions include Mississippi, which requires 6 months' notice to patients before destruction, and Massachusetts, which requires hospitals to notify the Department of Public Health.
Penalties for Improper Destruction
HIPAA civil penalties for improper disposal of protected health information range from $141 to $2,134,831 per violation, depending on the level of negligence. Criminal penalties for knowing violations can reach $250,000 and 10 years imprisonment.
As of December 2025, HHS has resolved 54 Right of Access enforcement actions and collected over $144 million in HIPAA settlements and penalties since the program began.
Recent Changes (2024-2026)
Texas EHR Storage Requirement
Texas SB 1188, effective January 1, 2026, requires all electronic health records to be stored within the United States. This applies retroactively to all records regardless of when they were created.
Substance Use Disorder Records
The 42 CFR Part 2 final rule, effective April 16, 2024 with compliance required by February 16, 2026, aligns substance use disorder patient record protections with HIPAA. HHS OCR announced a new civil enforcement program for these records in February 2026.
HIPAA Security Rule Update
In December 2024, HHS published a proposed rule to strengthen cybersecurity requirements for electronic protected health information. The proposal would eliminate the distinction between "required" and "addressable" implementation specifications, making all security measures mandatory.
Sources and References
- HHS - Does HIPAA Require Covered Entities to Keep Medical Records?(hhs.gov).gov
- HHS - Individuals' Right under HIPAA to Access Health Information(hhs.gov).gov
- CMS - Medical Record Retention and Media Format(cms.gov).gov
- 42 CFR 482.24 - Condition of Participation: Medical Record Services(law.cornell.edu)
- 45 CFR 164.530(j) - HIPAA Documentation Requirements(law.cornell.edu)
- HHS - Disposal of Protected Health Information(hhs.gov).gov
- HHS - HIPAA Enforcement Highlights(hhs.gov).gov
- HealthIT.gov - Information Blocking(healthit.gov).gov
- HHS - 42 CFR Part 2 Final Rule (SUD Records)(hhs.gov).gov
- Texas SB 1188 - EHR Storage Requirements(capitol.texas.gov).gov