September 3, 2014


Thank you for last week's email on discarding records.  As a follow up - how long do I have to maintain records for?
Your response is appreciated.

Dr. K


Good question, and one I can cheat a little on by copying one of our past newsletters, so thanks for that!

In NY and many other jurisdictions the rule is a record must be maintained the greater of 6 years or until one year after the minor patient reaches the age of 21 years.

Sources -


8 NYCRR § 29.2 (2011)

(3) Failing to maintain a record for each patient which accurately reflects the evaluation and treatment of the patient. Unless otherwise provided by law, all patient records must be retained for at least six years. Obstetrical records and records of minor patients must be retained for at least six years, and until one year after the minor patient reaches the age of 21 years.

What about HIPAA???

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).

See -


If you do not practice in NY and would like us to check your jurisdiction, send Jennifer an email.  

And, before you start throwing out records - My advice - if you still have an active patient you have seen in the last 3 years, and records within the 6 year time frame, I recommend you scan and maintain the ENTIRE RECORD.  You never know what will be or what claims may potentially be made against you and having the record may be your best defense.  I had a client with a patient with Hepatitis claim and illnesses spreading 20 years and a complaint was made to the Office of Professional Medical Conduct by the family upon the patients demise.  Without the records, the client would have been significantly disadvantaged.  Since we had the records, we were able to defend proper standard of care and easily walk away unscathed by licensure.

Also of note and addressed in a prior newsletter - oftentimes in a medical malpractice action, insurance carriers will require original records. This issue has not been revisited recently and should be updated with the availability of scanning records. So, there is no clear cut ruling on this, and my answer is its a business decision on when you decide to scan and trash. Also, I would recommend following up with your malpractice carrier to see whether it has additional maintenance suggestions/requirements.

I-STOP Implementation - Common Q&As

Looking for HIPAA and compliance forms?  
Click here to visit 
our website.

Have a question or comment for Jennifer?
Contact Jennifer at or  at (516) 747-6700 x. 302.