Provided by:  Jennifer Kirschenbaum, Esq.

April 21, 2022


Hi Jennifer,

Please tell me how long I have to retain patient medical records. I am confused.  

Dr. P


Under HIPAA, there are no time requirements that impact across all states, but, the Office for Civil Rights does direct to state law, that dictates timelines.  For practitioners in New York that time line is the longer of a period of at least six years from the date of last service patient's age of majority (18 years), whichever is longer, or at least six years after death.


Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).