Posted June 08, 2026

Many patients assume their medical or psychiatric records exist forever.
But legally, that is not correct.

‎‎

Healthcare providers are expected to follow written record-retention and destruction policies. Once the legal retention period expires, records may be destroyed—but only through a documented and secure process.

‎‎

The real question is:

How would a patient ever know if those records were actually destroyed?

‎‎

Step 1: The Agency Should Have a Written Retention Policy

‎‎

Every healthcare provider, hospital, or behavioral health agency should maintain a formal records retention and destruction policy.

‎‎

That policy typically explains:

• How long medical records must be retained
• When records become eligible for destruction
• The secure method used to destroy Protected Health Information (PHI)
• Documentation of the destruction process

‎‎

Also, the clinician and/or agency should keep a record of destruction log documenting the date, method, and records destroyed. This documentation should be maintained permanently to demonstrate compliance if a legal question arises.

‎‎

Step 2: HIPAA Does Not Set a Medical Record Retention Period

‎‎

One of the biggest misconceptions is that HIPAA dictates how long medical records must be kept.
‎‎

It does not.

‎‎

HIPAA only requires that protected health information be securely protected and properly disposed of when it is destroyed.

‎‎

However…

‎‎

HIPAA does require certain compliance documentation—such as policies, risk assessments, and authorizations—to be kept for at least six years.

‎‎

Step 3: CMS / Medicaid Record Retention

‎‎

For providers billing federal programs:

• CMS commonly requires medical records supporting services to be maintained about 7 years from the date of service. 
• Some Medicare or managed-care programs may require 10-year retention periods depending on the program rules.

‎‎

Step 4: State Laws — The “7-Year Rule”

‎‎

Across the United States, retention periods vary, but many states require medical records to be retained approximately 6–10 years, with 7 years being one of the most common standards.

‎‎

For example:

• California: At least 7 years after discharge for many healthcare facilities. 
• Other states with similar 7-year standards include Pennsylvania, Massachusetts, Maryland, Minnesota, Missouri, and Utah.

‎‎

If a client is preparing for litigation, firearm rights restoration, employment background checks, or a medical record correction request, one question is critical:

Do the records still exist—or were they legally destroyed?

‎‎

The answer should never be a mystery.
A compliant healthcare system should be able to show its written retention policy and destruction logs.

‎‎

DLH Enterprises provides consulting on:

• Mental health law and patient rights
• Medical record integrity and amendment requests
• Documentation analysis for legal cases

‎‎

Because sometimes the most important evidence is what’s still in the file—and what isn’t.

‎‎

Note:

HIPAA Retention Requirements: 45 CFR §164.316(b)(2)(i)

HIPPA Disposal Requirements: 45 CFR 164.530(c).