HIPAA Records Retention: What Healthcare Organizations Must Know in 2026

HIPAA records retention is one of the most misunderstood areas of healthcare compliance. Many organizations assume HIPAA sets a universal retention period for patient records. It does not. What HIPAA mandates is a 6-year minimum for compliance documentation — while medical record retention is governed by state laws that vary significantly by jurisdiction, provider type, and patient age.

This guide breaks down exactly what HIPAA requires, what it does not require, how state laws create additional obligations, the PHI vs. non-PHI distinction, and how healthcare organizations should approach compliant retention and secure destruction of records.

HIPAA requires covered entities and business associates to retain compliance documentation — policies, risk assessments, audit logs, and breach notifications — for a minimum of 6 years from creation or last effective date, whichever is later. HIPAA does not set a universal retention period for patient medical records; those are governed by state law, which varies widely and may require longer retention periods.


What HIPAA Actually Requires: The 6-Year Compliance Documentation Rule

HIPAA’s retention requirement applies to compliance documentation, not patient medical records. Covered entities must retain policies, risk assessments, audit logs, BAAs, and breach notifications for a minimum of 6 years from creation or from the date last in effect, whichever is later.

Documents subject to HIPAA’s 6-year retention requirement:

  • Privacy Rule policies and procedures — 6 years from creation or last in effect
  • Security Rule policies and procedures — 6 years from creation or last in effect
  • Risk assessments and risk analysis documentation — 6 years from completion
  • Business Associate Agreements (BAAs) — 6 years from creation or last in effect
  • Breach notification documentation and incident reports — 6 years from date
  • Audit logs recording PHI access — 6 years from creation
  • Employee HIPAA training records — 6 years from completion
  • Patient authorizations for disclosure of PHI — 6 years from date signed

HHS OCR (December 2025): OCR has resolved 54 Right of Access enforcement actions under its Right of Access Initiative, with settlements including a $112,500 penalty against Concentra in December 2025. Organizations without adequate retention documentation face significantly increased enforcement exposure.



Medical Records Retention: State Law Governs, Not HIPAA

HIPAA does not set a retention period for patient medical records. Each state has its own law. Requirements vary by state, provider type, and patient age. Healthcare organizations must comply with the stricter of HIPAA’s 6-year compliance documentation rule and their applicable state medical record law.

A common misconception is that HIPAA requires 7-year medical record retention. The 7-year figure comes from CMS guidelines for Medicare providers (7 years from date of service) — not from HIPAA. State-by-state requirements vary substantially:

State           | Physicians                 | Hospitals                  | Minors
California      | 7 years                    | 7 years                    | 7 years after age 18
Texas           | 7 years from last contact  | 10 years                   | Until age 21
New York        | 6 years                    | 6 years                    | Until age 21 or 6 years post-treatment
Florida         | 5 years from last contact  | 7 years                    | Until age 18 + adult retention period
Massachusetts   | 7 years                    | 7 years                    | Until age 19 or 7 years
Medicare (CMS)  | 7 years from date of service | 5 years (42 CFR 482.24)  | Same as adult

An important 2026 update: Texas Senate Bill 1188, effective January 1, 2026, now requires all electronic health records to be stored within the United States — applying retroactively to all records regardless of when they were created. Organizations operating in Texas must verify their EHR storage infrastructure complies.

Practical rule: when HIPAA, state law, and federal program participation requirements overlap, always retain records for the longest applicable period.



PHI vs. Non-PHI: The Retention Distinction

Protected Health Information (PHI) is individually identifiable health information created, received, or maintained by a covered entity. Non-PHI includes de-identified data and administrative records that do not identify specific patients. HIPAA’s access controls, retention obligations, and destruction requirements apply to PHI — not to properly de-identified data.

PHI includes:

  • Names, addresses, dates of birth, phone numbers, Social Security numbers
  • Medical record numbers, health plan beneficiary numbers, account numbers
  • Diagnoses, treatment records, lab results, imaging data, prescription records
  • Billing records and insurance claims containing patient-identifiable information

Non-PHI (de-identified data):

  • Data from which all 18 HIPAA identifiers have been removed (Safe Harbor method)
  • Data certified as non-identifiable via Expert Determination method
  • Aggregate research data that cannot be linked to specific individuals

HIPAA provides that deceased patients’ PHI is protected for 50 years following death (45 CFR 164.502(f)); after that period, the restrictions no longer apply.


HIPAA-Compliant Record Storage Requirements

HIPAA requires covered entities to implement physical and technical safeguards protecting PHI throughout its retention period. For physical records: secured, access-controlled storage with chain-of-custody documentation. For ePHI: encryption, role-based access controls, audit logging, and documented disaster recovery.

Physical Records:

  • Store in locked, access-controlled facilities with documented access logs
  • Protect against fire, flood, and environmental damage
  • Maintain chain-of-custody documentation for all record movements
  • For pathology materials: temperature-controlled environments per CAP/CLIA standards

Electronic PHI (ePHI):

  • Encrypt ePHI at rest and in transit using NIST-approved methods
  • Implement role-based access controls limiting PHI access to authorized personnel
  • Maintain audit logs recording all PHI access, modification, and disclosure
  • Ensure cloud-stored ePHI is covered by a signed Business Associate Agreement

GRM Information Management provides HIPAA-compliant physical records storage with barcode tracking, PrecisionPlus chain-of-custody documentation, and secured access controls across our facilities in 16 U.S. metropolitan markets.



HIPAA-Compliant Record Destruction

When retention periods expire, HIPAA requires PHI to be destroyed in a manner that renders it unreadable, indecipherable, and unable to be reconstructed. Paper: shredding, burning, or pulping. Electronic media: clearing, purging (degaussing), or physical destruction. All destruction must be documented, and third-party vendors must be covered by a Business Associate Agreement.

Common destruction failures that trigger HIPAA enforcement:

  • Placing paper PHI records in regular trash or recycling
  • Disposing of hard drives, laptops, or servers without verified data wiping
  • Selling or donating electronic equipment without removing PHI
  • Using third-party shredding or destruction vendors without a signed BAA
  • Failing to document and retain certificates of destruction

HHS recommends obtaining a Certificate of Destruction as documented proof of compliant PHI destruction. Guidance on disposal methods is available at HHS.gov — HIPAA Enforcement.



Frequently Asked Questions About HIPAA Records Retention

Does HIPAA require 6 or 7 years for patient records?

HIPAA requires 6 years for compliance documentation. It does not set a retention period for patient medical records — those are governed by state law. The 7-year figure comes from CMS guidelines for Medicare providers, not from HIPAA. Many states require 7–10 years. Always apply the longest applicable period.

Do HIPAA retention requirements apply to electronic health records?

Yes. HIPAA applies to PHI regardless of format. EHRs are subject to the same 6-year compliance documentation requirement plus the Security Rule’s technical safeguards. Texas additionally requires (effective January 1, 2026, per SB 1188) that all EHRs be stored within the United States.

When can healthcare organizations destroy patient records?

Records can be destroyed after the applicable retention period — the longest period from HIPAA, state law, and any federal program requirements. Destruction must be deferred during any active legal hold. PHI destruction must use HIPAA-compliant methods and be documented with a Certificate of Destruction. Third-party destruction vendors must have a signed BAA.

What are the consequences of inadequate HIPAA records retention?

Failure to retain required HIPAA documentation is itself a violation, subject to civil monetary penalties from $137 to $68,928 per violation. Inadequate documentation leaves organizations unable to demonstrate compliance during OCR investigations, creating significant legal exposure. Documentation gaps are among OCR’s most common enforcement findings.

Are de-identified records subject to HIPAA retention requirements?

No. Once properly de-identified under HIPAA’s Safe Harbor or Expert Determination method, data is no longer PHI and is not subject to HIPAA’s retention, access, or disposal requirements. The de-identification process itself should be documented and retained as compliance evidence for 6 years.


Conclusion

HIPAA records retention is more nuanced than it appears. The 6-year federal minimum applies to compliance documentation, not medical records. Medical record retention is governed by state law, creating overlapping obligations that vary by state, provider type, and patient age.

Key takeaways:

  • HIPAA requires 6-year minimum retention for compliance documentation — not medical records
  • Medical record retention is state law — ranging from 5 to 10+ years depending on jurisdiction
  • Always apply the longest applicable period across HIPAA, state, and federal program requirements
  • PHI requires HIPAA-compliant storage and HIPAA-compliant destruction with documented chain of custody
  • Texas now requires EHR storage within the U.S. (effective January 1, 2026 — Texas SB 1188)

GRM Information Management helps healthcare organizations implement HIPAA-compliant records management programs — from secure physical storage with chain-of-custody documentation to certified document destruction.

Get a HIPAA-compliant document management consultation from GRM today.
