Medical records must be maintained for a minimum period defined by state and federal law, as well as other guidelines. It is important to have a records retention policy that accommodates all applicable requirements.

  • It may be prudent to keep records longer than required by law.
  • The retention period may be affected by the patient’s age.
  • Retention policies should consider the ways a patient’s record is used.

Records retention is a critical issue for risk managers, as the loss of important patient records and other documents could compromise litigation defense and threaten ongoing care. Healthcare organizations must create clear records retention policies and follow them closely, experts say.

Many healthcare organizations follow a policy of keeping medical records for seven years, says Andrew Selesnick, JD, shareholder with Buchalter in Los Angeles.

“However, we usually recommend 10 years because if there is a dispute and the medical records are unavailable, defending on such a claim could be more problematic,” he says.

Without a medical record, defending a medical malpractice claim would be that much more difficult. This is why some insurance companies recommend keeping medical records for 10 years when the patient is an adult, 28 years for infants, and in the case of death, an additional five years, he explains.

The proper policy will differ according to the type of healthcare organization, notes William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL. A hospital must comply with state and federal legal requirements pertaining to records retention but also might have to follow guidelines set forth by accrediting bodies like The Joint Commission, he says. HIPAA also requires retaining records for six years.

A physician practice or group will follow federal and state laws, but those requirements should not always be considered ideal. In many cases, they should be seen as only the minimum time physicians should retain records, Dillon says. For example, Florida law requires physicians to keep records for five years.

“We’re always telling them not to adhere to that because five years is just too short a time to retain medical records. That doesn’t comply with HIPAA, and it doesn’t protect you through the statute of limitations for medical malpractice in Florida,” Dillon says. “It also doesn’t protect you from a billing perspective if you’re billing Medicare or Medicaid patients because of the way the False Claims Act is interpreted.”

Follow Internal Policy

Healthcare organizations should assess the requirements and create an appropriate records retention schedule. This may mean keeping some records longer than required by one law or guideline to comply with another, he explains. The next step is important: actually following the retention schedule.

“A lot of people have the right retention policy that they’ve researched and put a lot of time into formulating, but then they don’t seem to follow it,” Dillon says.

The move to digital data in healthcare has changed how healthcare organizations look at records retention, Dillon notes. In previous years, retention policies were driven in part by the high cost of storage for paper records, with hospitals, health systems, and physician groups eager to clear out old records as soon as it was practical. That meant policies often called for the destruction of records as soon as they passed thresholds set by law, he says.

But now, with so many records stored digitally, and with digital storage much more cost-effective than physical storage, many healthcare organizations are comfortable with extending their retention policies to go beyond what is required, keeping records longer if they might potentially benefit the organization or the patient, Dillon explains.

“The question of storage space and cost is not as pressing as it used to be, which raises the question of why we don’t just keep electronic records forever,” Dillon says. “There are competing schools of thought on that, with some saying it’s not going to hurt you to maintain the record for longer than required. But others argue that the longer you keep the record, the more you run the risk of it being exposed in a data breach, which would create potential liability over a record you had no obligation to maintain.”

Dillon advises healthcare organizations to err on the side of keeping records longer than required by any law or guideline. When in doubt, it is always better to retain records a little longer than necessary than to get rid of them too soon, he says.

“Humans are involved, and mistakes get made. I’d rather have a hospital hang on to the records a year or two longer than the statute says than run the chance of purging it too soon and then have to answer for that,” he says. “There’s no need to be aggressive and risk destroying documents too soon.”

But is there a risk that a record could be used against an organization if it is kept too long? “I don’t think you would find that’s much of a risk from a practical perspective,” he says. “It’s certainly possible in theory for a record to be used against you long after its retention period ended, but I don’t think I’ve seen the data to suggest that happens often at all.”

However, Dillon is doubtful of arguments that records should be kept indefinitely because they might be beneficial for patient care. Details from a patient encounter 10 years earlier are not likely to be helpful because relevant information would already have been carried forward to current records, he says.

Consider All Departments

Retention policies should be consistent among all similar facilities within a health system, Dillon says. For example, all hospitals in the system should have the same policy, and all physician groups should, too. It also is reasonable for a health system to use one universal policy that covers all types of entities and requirements for all states in which it practices, adhering to the longest applicable retention period, he says.

It is important to employ someone to oversee records retention policies who has a firm understanding of all applicable laws, guidelines, and the needs of various departments, notes Clara Erman, RHIA, director of the Health Information Technology Program at Plaza College in Forest Hills, NY. Retention policies may be influenced by the needs of clinicians, financial services, human resources, quality improvement, and risk management, she says.

“You want an individual who is savvy about all these areas, and how any single medical record has components that will be of concern to all these different people and departments,” Erman says. “Otherwise, you can have issues in which you are destroying records that are still of interest to someone because you were looking only at the clinical data.”

A records retention policy also should be clear on how documents are to be purged, Erman says. A policy may be clear on what is expected and when records are to be destroyed, but it is not uncommon for the policy to stop there without specifying how to get rid of the documents, she says. That means individuals are left to determine how to destroy documents. This opens the possibility of many errors that can leave data still in your possession or in the hands of the wrong people, she says.

“It needs to make sense all the way through, so that when you write a policy calling for the destruction of data at a certain point you also describe exactly how to go about doing that,” Erman says. “We have to remember that we write a policy, we’re not writing it for ourselves and assuming all the knowledge that we have of a particular subject. We’re writing that policy to be read by someone else who may not know the proper steps to be taken unless you include them in the policy.”

Erman does have concerns about keeping records longer than required by applicable laws or guidelines. As long as records are retained, hospitals will be obligated to produce them when they are subpoenaed or requested by a patient, Erman says.

There is no gray area in which hospitals can have possess records but not turn them over because the required retention period has passed, she explains.

“If you are going to keep the records longer, either because you did not follow your own policy or you have some other reason, you have to know that there is that risk of the records being subpoenaed and you having to turn over records you wish you had destroyed,” Erman says. “It can come back to hurt you. That is why you want to make sure you have individuals who understand all the different aspects of a record and how it can be used, not just the clinical side, and it could impact the organization if you retain it.”


  • William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Phone: (850) 521-1708. Email: wdillon@gunster.com.
  • Clara Erman, RHIA, Director, Health Information Technology Program, Plaza College, Forest Hills, NY. Phone: (718) 779-1430.
  • Andrew Selesnick, JD, Shareholder, Buchalter, Los Angeles. Phone: (213) 891-5223. Email: aselesnick@buchalter.com.