
PHI Retention Periods: Legal Requirements 2026

Post Summary

Managing PHI retention in 2026 is a challenge due to overlapping federal, state, and agency-specific rules. The key takeaway? Different types of records have different retention timelines, and failing to meet these requirements can lead to severe penalties, including fines exceeding $2 million per violation.

Here's what you need to know:

  • HIPAA's 6-Year Rule: Applies to compliance documentation like policies, risk assessments, and training records - not patient medical records.
  • State Laws on Medical Records: Vary widely, with retention periods ranging from 3 to 20+ years depending on the state and type of record.
  • Federal Agency Rules: CMS requires 5–10 years for Medicare-related records, while OSHA mandates keeping employee health records for employment + 30 years.
  • New 2026 Updates: Texas SB 1188 requires storing electronic health records in the U.S., and 42 CFR Part 2 aligns substance use disorder record rules with HIPAA.

To stay compliant, healthcare organizations must track all applicable retention periods, prioritize longer timelines when rules overlap, and ensure proper PHI disposal. Using centralized tools for compliance management can simplify this process and reduce risks.

PHI Retention Requirements by Federal Agency and State 2026


Understanding medical record retention requirements by state

HIPAA's 6-Year Retention Requirement

The HIPAA Security Rule mandates a minimum six-year retention period for compliance documentation, as outlined in 45 CFR § 164.316(b)(2)(i). This means organizations must keep these documents for six years from either the date they were created or the date they were last in effect - whichever comes later [2].

"A covered entity must retain the documentation... for six years from the date of its creation or the date when it last was in effect, whichever is later." - 45 CFR 164.530(j) [2]

Failing to produce documentation during an OCR audit is considered noncompliance. To meet the "last in effect" standard, organizations must use version control to archive each superseded version of a policy for six years after it is retired, not merely six years after the policy was first written.

Documents Covered by the 6-Year Rule

The six-year rule applies to a variety of documents that demonstrate HIPAA compliance. These include:

  • Policies and procedures: Security and privacy manuals, operational protocols.
  • Risk management records: Risk analyses, security incident reports, breach assessments.
  • Administrative documents: Business Associate Agreements, Notices of Privacy Practices.
  • Workforce records: Training completion certificates, signed acknowledgments, sanction records.
  • Accountability records: System activity logs, access review evidence, privacy complaint documentation, and resolutions.

"Retention practices should include access control, audit capability where applicable, backup and restoration practices consistent with the organization's contingency planning, and controls that prevent unauthorized alteration or destruction." - James Keogh, Editor, HIPAAnswers [2]

To ensure compliance, organizations should assign clear ownership of these records. For example, compliance officers can oversee policies, IT teams can handle log collection, and legal teams can verify retention periods against state laws. Using automated compliance platforms can simplify this process by categorizing documents and applying retention rules, reducing the risk of accidental deletions.

Compliance Documentation vs. Medical Records

It’s important to note that the six-year HIPAA rule applies specifically to compliance documentation - not patient medical records. This distinction often leads to confusion, including the "7-year myth", which incorrectly assumes HIPAA requires a seven-year retention period for medical records. This misunderstanding likely arises from Medicare’s seven-year rule and similar state standards [1].

Medical record retention is largely governed by state laws, which vary widely. For instance, Wyoming requires retention for as little as three years, while Massachusetts mandates up to 20 years for hospital records [1]. Additionally, federal guidelines from CMS impose longer periods for Medicare providers - typically seven years from the date of service. Medicare Part D sponsors face even stricter requirements, with a 10-year retention rule [1].

Healthcare organizations must follow the longest applicable retention period, taking into account state laws, Medicare/Medicaid rules, and licensing requirements. At the same time, HIPAA compliance documentation must adhere to its separate six-year retention rule. Later sections will explore the specifics of state-level medical record retention laws.

Federal Agency Retention Requirements

Federal agencies enforce retention periods that often exceed HIPAA's minimum six-year requirement. These rules depend on the type of provider, the nature of the records, and the federal programs an organization is involved in.

Retention Periods by Agency

CMS (Centers for Medicare & Medicaid Services) sets baseline retention standards under its Conditions of Participation. For hospitals participating in Medicare and Medicaid, medical records must be kept for at least 5 years following patient discharge (42 CFR 482.24) [1]. This applies specifically to clinical documentation and does not include the administrative compliance records covered by HIPAA's six-year rule.

Medicare providers are required to retain general medical records for 7 years from the date of service [1]. This "7-year rule" is commonly misunderstood as a HIPAA mandate but actually stems from Medicare guidelines. For Medicare Part D sponsors, the retention period is even stricter - 10 years from the date of service [1]. These longer timeframes aim to support fraud prevention and allow adequate time for audits and investigations.

OSHA (Occupational Safety and Health Administration) enforces the most extended federal retention requirement for employee health records. According to 29 CFR 1910.1020, these records must be kept for the duration of employment plus 30 years [1]. This extended period accounts for the delayed onset of occupational health issues, such as those caused by hazardous substance exposure. Facilities with employee health programs must manage these records separately from patient medical records, often utilizing automated vendor solutions to streamline compliance across different record types.

When multiple federal requirements overlap, the longest retention period takes precedence. For example, hospitals must comply with OSHA, CMS, and HIPAA rules depending on the type of record in question.

Agency Retention Period Comparison Table

| Agency / Authority | Record Type               | Minimum Retention Period          | Legal Citation    |
|--------------------|---------------------------|-----------------------------------|-------------------|
| CMS (Hospitals)    | Medical Records           | 5 years after discharge           | 42 CFR 482.24     |
| Medicare (General) | Provider Records          | 7 years from date of service      | CMS Guidelines    |
| Medicare Part D    | Sponsor Records           | 10 years from date of service     | CMS Guidelines    |
| OSHA               | Employee Health Records   | Employment + 30 years             | 29 CFR 1910.1020  |
| HIPAA (OCR)        | Administrative/Compliance | 6 years from creation/last effect | 45 CFR 164.530(j) |

Starting February 16, 2026, updates under 42 CFR Part 2 will align Substance Use Disorder (SUD) record protections more closely with HIPAA standards [1]. Organizations treating patients for substance use disorders must ensure their retention practices align with these updated Part 2 requirements, in addition to the federal agency standards outlined above.

These federal rules highlight the complexity of managing overlapping retention requirements, setting the stage for a discussion on state-level laws.

State Medical Record Retention Laws

How Retention Periods Vary by State

Medical record retention periods are governed by state laws rather than HIPAA, resulting in a patchwork of regulations. For instance, Massachusetts requires hospitals to retain records for an impressive 20 years, the longest duration in the U.S. [1]. On the other hand, Wyoming sets a much shorter standard, requiring hospitals to keep records for just 3 years [1].

Most states land somewhere between these extremes, typically mandating retention periods of 5 to 10 years for adult patient records. However, the specific requirements can vary based on the type of healthcare provider and the patient's age at the time of treatment. For example, in Massachusetts, hospitals must retain records for 20 years, but physicians are only required to keep them for 7 years [1]. In Montana, the rules are reversed - physicians must retain records for 10 years, while healthcare facilities need only maintain them for 6 years [1]. This variation underscores the importance of understanding the specific rules for each state.

"The fundamental principle is simple: when a state law imposes stricter requirements than HIPAA, the state law governs." - Anna Paris, ChartRequest [3]

Minor patient records often have extended retention requirements to account for paused malpractice statutes. For example, North Carolina mandates keeping records until the patient reaches age 30, Texas requires retention until age 21 or 7 years after the last treatment, and New York specifies retention until age 19 or 6 years, whichever is longer [1].

When state laws impose longer retention periods than federal guidelines, the stricter rule takes precedence. This can be particularly challenging for healthcare organizations operating across multiple states, as they must track and comply with varying retention schedules. As a general rule, applying the longest retention period ensures compliance with all applicable laws.

State Retention Requirements Table

The table below provides a quick overview of key state-specific retention requirements:

| State          | Adult Retention (Physician) | Hospital Retention | Minor Retention Requirement                     | Key Statute                 |
|----------------|-----------------------------|--------------------|-------------------------------------------------|-----------------------------|
| California     | 7 years                     | 7 years            | 1 year after age 18 (min. 7 years)              | Cal. HSC 123145             |
| Florida        | 5 years                     | 5 years            | Same as adult                                   | Fla. Stat. 395.3025         |
| Massachusetts  | 7 years                     | 20 years           | 7 years or age 18 (whichever is longer)         | Mass. Gen. Laws ch. 111, 70 |
| New York       | 6 years                     | 6 years            | Until age 19 or 6 years (whichever is later)    | N.Y. Educ. Law 6530         |
| North Carolina | 6–7 years                   | 11 years           | Until age 30 (hospitals)                        | State Regulations           |
| Texas          | 7 years                     | 10 years           | Until age 21 or 7 years (whichever is longer)   | 22 TAC 163.2                |
| Washington     | 10 years                    | 10 years           | Until age 21 or 10 years (whichever is longer)  | WAC 246-320-141             |
| Wyoming        | 3 years                     | 3 years            | Not specified                                   | State Regulations           |

PHI Disposal Requirements for Business Associates

Properly disposing of PHI (Protected Health Information) is just as important as following retention timelines, particularly for business associates under HIPAA regulations.

PHI Return and Destruction Requirements

According to 45 CFR 164.504(e), every Business Associate Agreement (BAA) must require business associates - and any third-party vendors handling PHI - to either return or destroy all PHI when their contract ends [5][4]. For physical records, acceptable destruction methods include shredding, burning, pulping, or pulverizing to ensure the information is completely irretrievable. For electronic media, business associates must either securely erase the data or physically destroy the device to make the PHI permanently inaccessible [4].

There are serious consequences for failing to meet these requirements. In 2016, Raleigh Orthopaedic Clinic faced a $750,000 settlement with the HHS Office for Civil Rights after improperly sharing X-ray films and PHI of 17,300 patients with a vendor for silver harvesting and digital conversion - without having a BAA in place [5]. Similarly, North Memorial Health Care paid $1.55 million for not executing a BAA with a contractor who accessed the ePHI of 289,904 individuals [5].

To maintain compliance, business associates must also ensure that subcontractors handling PHI agree in writing to the same return or destruction requirements. This creates a "chain of accountability" across all parties involved in PHI management [5], reinforcing the strict safeguards required at every stage of data handling.

When Extended Retention Is Required

Sometimes, returning or destroying PHI isn't feasible - for example, during litigation holds or regulatory investigations. In such cases, the BAA must extend HIPAA protections to the retained PHI and limit its use or disclosure strictly to the purposes that justify its retention [5]. Covered entities need to ensure their BAAs address these exceptions. If destruction is deemed infeasible, the BAA must clearly define what qualifies as "feasible" and specify restrictions on the retained data.

Failure to comply with these standards can result in hefty penalties. Starting in 2026, willful neglect that goes uncorrected could lead to fines of up to $2,190,294 per violation [5]. This makes it essential to document and justify any extended retention periods with clear, enforceable terms.

PHI Retention Compliance Best Practices for 2026

Keeping up with PHI retention requirements calls for a well-organized strategy that includes clear policies, effective technology solutions, and readiness for audits. By aligning with regulatory standards, healthcare organizations can ensure their PHI retention processes meet all necessary legal obligations.

Creating and Maintaining Retention Policies

Start by drafting a retention policy that complies with HIPAA's mandate to keep documentation for six years, alongside your state's specific medical record retention laws. Pay special attention to records for minors, which often need to be retained until the patient turns 18–21, plus any additional years as required by state law. Be sure to document retention schedules, train staff on these procedures, and implement security measures to protect PHI throughout its lifecycle.

Make it a priority to review and update these policies every year to stay aligned with any changes in federal or state regulations.

Using Censinet RiskOps™ for Compliance Management


Managing multiple retention deadlines can get complicated, but tools like Censinet RiskOps™ simplify the process. This platform centralizes risk management and compliance tracking, making it easier to handle retention schedules. By automatically tracking when compliance documents were created or last updated, it ensures adherence to HIPAA's six-year requirement.

Censinet RiskOps™ also provides a centralized repository for important documentation, such as policies, risk assessments, BAAs, and audit logs. This setup makes responding to regulatory audits faster and more efficient. Automated workflows assign retention tasks to the right team members, while the system’s command center offers real-time insights into compliance status. By reducing the manual work involved in tracking retention timelines, this tool helps close critical compliance gaps before they become issues.

Audit and Litigation Hold Preparation

During an audit by the Office for Civil Rights (OCR), being able to quickly and accurately produce documentation is crucial. Maintain well-organized records that clearly show creation dates and disposal timelines for policies, risk assessments, and training materials, and work from a SOC 2 audit documentation checklist so that evidence for each security control is on hand. Consistent file naming and metadata tagging make retrieval much quicker and easier.

It's also vital to have a litigation hold process in place. When faced with a lawsuit, investigation, or regulatory inquiry, immediately suspend retention schedules and ensure your legal and compliance teams are trained to recognize and act on hold triggers. Document the specifics of each litigation hold, including its scope, implementation date, and the affected PHI. While the hold is active, continue applying HIPAA protections and limit data use strictly to the purposes related to the hold. Failing to do so could lead to hefty fines or penalties.
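The three rules this post keeps returning to - HIPAA's "six years from creation or last in effect, whichever is later", the state and minor-patient schedules in the table above, and "the longest applicable period wins, and a litigation hold suspends disposal altogether" - are easy to state and easy to get wrong in a retention engine. The following calculator is an added illustration written for this page; it is not code from the original post or from Censinet RiskOps. The year counts are the ones quoted in the article's tables and text, but the `Record` type, the `STATE_RULES` encoding, and the (age, minimum years) shape used for minor rules are simplifying assumptions of the example, not statutory text, and a real schedule must be checked against the current statute.

```python
"""Retention-deadline calculator for PHI records (added example).

Assumptions: the rule figures come from the page's tables; the Record type,
STATE_RULES encoding and the (age, min-years) shape of minor rules are this
example's own simplification, not the statutes themselves.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Deadline = Tuple[str, date]  # (authority, earliest permissible disposal date)

# state -> (physician years, hospital years, minor rule)
# minor rule = (retain until patient reaches this age, minimum years after
# last treatment); None means the page lists no separate minor rule.
STATE_RULES: Dict[str, Tuple[int, int, Optional[Tuple[int, int]]]] = {
    "CA": (7, 7, (19, 7)),     # 1 year after age 18, min. 7 years
    "FL": (5, 5, None),        # minors same as adults
    "MA": (7, 20, (18, 7)),    # 7 years or age 18, whichever is longer
    "NY": (6, 6, (19, 6)),     # until age 19 or 6 years, whichever is later
    "TX": (7, 10, (21, 7)),    # until age 21 or 7 years, whichever is longer
    "WA": (10, 10, (21, 10)),  # until age 21 or 10 years, whichever is longer
    "WY": (3, 3, None),        # no minor rule listed
}


def parse_date(iso: str) -> date:
    """Convenience wrapper so sample data can be written as ISO strings."""
    return date.fromisoformat(iso)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls forward to Mar 1 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def age_on(dob: date, on: date) -> int:
    """Whole years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


@dataclass
class Record:
    record_id: str
    kind: str                               # "compliance" or "medical"
    created: date
    last_in_effect: Optional[date] = None   # compliance docs: date superseded
    last_treatment: Optional[date] = None   # medical: last date of service
    patient_dob: Optional[date] = None      # medical: needed for minor rules
    state: Optional[str] = None             # two-letter state code
    hospital: bool = False                  # hospital vs physician record
    medicare: bool = False                  # Medicare-covered service
    legal_hold: bool = False                # litigation hold currently in force


def applicable_deadlines(rec: Record) -> List[Deadline]:
    """Every retention deadline that applies to the record, one per authority."""
    out: List[Deadline] = []
    if rec.kind == "compliance":
        # HIPAA: six years from creation or last-in-effect date, whichever is later.
        base = max(rec.created, rec.last_in_effect or rec.created)
        out.append(("HIPAA 45 CFR 164.530(j)", add_years(base, 6)))
        return out
    service = rec.last_treatment or rec.created
    if rec.medicare:
        out.append(("Medicare 7-year rule", add_years(service, 7)))
    if rec.state in STATE_RULES:
        phys_yrs, hosp_yrs, minor = STATE_RULES[rec.state]
        setting = "hospital" if rec.hospital else "physician"
        out.append((f"{rec.state} {setting} rule",
                    add_years(service, hosp_yrs if rec.hospital else phys_yrs)))
        if minor and rec.patient_dob and age_on(rec.patient_dob, service) < 18:
            until_age, min_yrs = minor
            out.append((f"{rec.state} minor rule",
                        max(add_years(rec.patient_dob, until_age),
                            add_years(service, min_yrs))))
    return out


def retention_deadline(rec: Record) -> Deadline:
    """When rules overlap, the longest retention period governs."""
    deadlines = applicable_deadlines(rec)
    if not deadlines:
        raise ValueError(f"no retention rule known for {rec.record_id}")
    return max(deadlines, key=lambda d: d[1])


def may_dispose(rec: Record, today: date) -> bool:
    """Disposal is allowed only after the longest deadline, and never under a hold."""
    if rec.legal_hold:
        return False
    return today >= retention_deadline(rec)[1]


def sample_records() -> Dict[str, Record]:
    """Constructed sample data for the demonstration (not real records)."""
    return {
        "policy": Record("POL-1", "compliance", parse_date("2019-03-01"),
                         last_in_effect=parse_date("2021-06-15")),
        "tx_minor": Record("MR-1", "medical", parse_date("2018-04-02"),
                           last_treatment=parse_date("2020-01-10"),
                           patient_dob=parse_date("2010-05-20"),
                           state="TX", hospital=True),
        "wy_adult": Record("MR-2", "medical", parse_date("2021-02-01"),
                           last_treatment=parse_date("2021-02-01"), state="WY"),
    }


if __name__ == "__main__":
    today = parse_date("2026-01-15")
    for name, rec in sample_records().items():
        authority, deadline = retention_deadline(rec)
        print(f"{name}: retain until {deadline} ({authority}); "
              f"may dispose today: {may_dispose(rec, today)}")
```

Two design points are worth noting. The HIPAA deadline is anchored on `max(created, last_in_effect)`, so a policy written in 2019 but retired in 2021 is kept until 2027, which is the "last in effect" point the Security Rule section makes. And `may_dispose` checks `legal_hold` before it even looks at deadlines, so a hold cannot be overridden by an expired schedule; clearing the hold is a separate, documented action, as the litigation hold guidance above requires.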

Conclusion

Managing PHI retention in 2026 requires navigating a complex mix of regulations. These include HIPAA's six-year rule for compliance documentation, federal agency guidelines for program-specific records, and state laws that govern medical record retention. It's important to note that HIPAA’s six-year requirement applies to items like policies, risk assessments, training records, BAAs, and audit logs - not patient charts, which fall under state law jurisdiction.

This multi-layered system has a direct impact on audit preparation. Regulators prioritize compliance documentation over medical records, but state laws complicate matters with retention periods that can range from 5 to over 30 years. For records involving minors, those timelines may extend even further. When state laws impose stricter requirements than HIPAA, those state rules take precedence.

Relying on manual methods to track overlapping deadlines increases the risk of non-compliance. Tools like Censinet RiskOps™ offer a streamlined approach, centralizing retention tracking and automating critical tasks. The platform monitors document creation dates, flags upcoming expiration deadlines, and assigns tasks to the right team members. Its command center provides a real-time overview of compliance status, helping organizations avoid missed deadlines.

Retention strategies must also account for legal holds and government investigations. As James Keogh, Editor at HIPAAnswers, explains:

"Retention schedules should also account for litigation holds and government investigation preservation duties when a dispute, audit, or enforcement action is reasonably anticipated." [2]

When legal action arises, organizations must suspend routine disposal procedures and ensure all relevant PHI and compliance documents are preserved. By integrating robust retention plans into their broader risk management strategies, organizations can stay prepared for audits while meeting all legal obligations.

FAQs

What retention rule applies when HIPAA, CMS, OSHA, and state law conflict?

When HIPAA, CMS, OSHA, and state laws set conflicting rules for record retention, the strictest requirement usually takes precedence. In practice, this means you’ll need to follow the regulation with the longest retention period to stay compliant. Be sure to verify the exact requirements based on your location and the needs of your organization.

How do retention periods change for minors’ medical records?

Retention periods for medical records related to minors are generally longer compared to those for adults. These records are often kept well past the age of majority to meet healthcare regulatory requirements. Disposing of them too early can lead to legal consequences. However, certain situations, such as cases involving sensitive details or specific court orders, may warrant exceptions to these rules.

What should a Business Associate Agreement require for PHI destruction after a contract ends?

A Business Associate Agreement (BAA) must include provisions for the secure destruction or proper handling of Protected Health Information (PHI) once the contract concludes. Additionally, it should clearly state that the agreement remains in effect not only during the partnership but also for a specified period afterward. This ensures ongoing compliance and safeguards the management of PHI even after the formal relationship ends.
