HIPAA retention in 2026 comes down to one rule: track two different clocks. I need to keep HIPAA compliance documents for at least 6 years, but medical records follow state law, federal program rules, and contract terms.
Here’s the short version:
- HIPAA’s 6-year rule does not set medical record retention.
- Medical record retention often runs 5 to 10 years for adults, but some states go much longer.
- Minor records often stay longer, such as until age 21, 23, 28, or even 30 depending on the state.
- CMS may require 5 years, while Medicare Advantage and Part D often require 10 years.
- OSHA can require employment plus 30 years for some employee medical records.
- If more than one rule applies, I use the longest one.
- Destruction must be logged, irreversible, and paused for legal holds.
- Storage is not enough - if I can't retrieve and produce a record when it is requested, I still have a compliance problem.
- Penalty exposure is high: HIPAA Tier 4 civil penalties can reach $2,190,294 per violation, and information blocking penalties can reach $1,000,000 per violation.
- Texas SB 1188 took effect on January 1, 2026, adding a U.S.-storage rule for electronic health records in Texas.
That means a 2026 retention policy needs to cover audit documentation, charts, archives, backups, vendors, migrations, legal holds, and destruction logs - not just a file cabinet or one EHR.
A quick way to think about it:
| Area | Main Rule |
|---|---|
| HIPAA compliance documents | Keep for 6 years from creation or last effective date |
| Patient medical records | Follow state law + federal rules + payer contracts |
| If rules conflict | Keep for the longest period |
| During litigation or audit | Stop destruction until the hold is released |
| End-of-life disposal | Use documented, irreversible destruction |
If I’m building or reviewing a policy, the safest path is simple: separate document retention from chart retention, map every system that stores PHI, apply the longest rule, and prove that records can still be found when asked for.
Effective record retention is a critical component of cyber risk management in healthcare, as data breaches often target legacy or improperly archived clinical records.
HIPAA's Six-Year Documentation Rule
HIPAA's six-year rule sets the federal minimum for compliance documentation. The regulation states:
"A covered entity must retain the documentation... for six years from the date of its creation or the date when it last was in effect, whichever is later." [5]
What HIPAA Requires Organizations to Keep for at Least Six Years
This rule applies to HIPAA compliance documents, not patient charts.
That includes policies, risk analyses, training records, sanctions, complaints, breach notices, incident reports, NPPs, BAAs, and access or amendment records.
Use the categories below as the minimum retention baseline.
How to Calculate the Six-Year Period Correctly
The six-year clock starts on the document's creation date or the date it was last in effect, whichever is later.
Here's what that looks like in practice:
- A one-time document, such as a risk analysis completed in 2020, must be kept through 2026.
- An ongoing policy created in 2018 and replaced in 2022 must have that older version kept through 2028.
Version control matters more than many teams expect. Each superseded version gets its own six-year clock starting on the date it was superseded. In plain English, you need to track both the creation date and the superseded date so you can set the right destruction date.
The same idea applies to workforce records. Keep the record for the full six-year period even after the employee leaves. So if a training log relates to an employee who left in 2021, that log must stay on file until 2027. And if there's an audit, investigation, or litigation, put destruction on hold during that legal hold period.
HIPAA Documentation Categories: Citation and Minimum Retention Period
| Documentation Category | Regulatory Citation | Minimum Retention Period |
|---|---|---|
| Privacy Policies & Procedures | 45 CFR § 164.530(j) | 6 years from creation or last effective date |
| Security Policies & Procedures | 45 CFR § 164.316(b) | 6 years from creation or last effective date |
| Risk Analysis & Management Plans | 45 CFR § 164.316(b) | 6 years from creation or last effective date |
| Business Associate Agreements (BAAs) | 45 CFR § 164.504(e) | 6 years from creation or last effective date |
| Breach Notification Documentation | 45 CFR § 164.414(b) | 6 years from creation or last effective date |
| Workforce Training Records | 45 CFR § 164.530(j) | 6 years from creation or last effective date |
| Sanction Records | 45 CFR § 164.530(e) | 6 years from creation or last effective date |
| Complaint Logs & Dispositions | 45 CFR § 164.530(d) | 6 years from creation or last effective date |
| Notices of Privacy Practices (NPP) | 45 CFR § 164.520 | 6 years from creation or last effective date |
| Security Incident Reports | 45 CFR § 164.308(a)(6) | 6 years from creation or last effective date |
| Access and Amendment Request Records | 45 CFR § 164.524 / § 164.526 | 6 years from date of action |
A common mistake is thinking HIPAA's six-year rule covers medical charts too. It doesn't. As HHS stated:
"The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records." [5]
Medical records follow state retention rules, and those rules vary by record type and jurisdiction. The next section moves from HIPAA documentation to medical record retention under state law.
Medical Record Retention: Federal Context and 2026 State Law Patterns
HIPAA Data Retention Rules by Record Type & Jurisdiction (2026)
HIPAA does not set one blanket retention period for clinical records. That trips people up all the time.
Instead, organizations have to follow the longest retention period that applies under state law, federal rules, and payer contracts. At the federal level, the hospital Conditions of Participation (42 CFR § 482.24(b)(1)) require medical records to be kept for at least 5 years[4]. Medicare Advantage and Part D contracts (42 CFR § 422.504(d) and § 423.505(d)) require 10 years[4][2]. OSHA takes a much longer view for employee medical records tied to hazardous exposure: under 29 CFR § 1910.1020, those records must be kept for the duration of employment plus 30 years[2][4].
That means the main issue is not HIPAA paperwork. It’s the patient record itself, and the state laws and other rules that control how long it must stay on file.
How State Law Sets Adult and Minor Record Retention Periods
Once the federal floor is clear, the next step is figuring out when the state-law clock starts and how long it runs.
For adults, retention usually runs 5 to 10 years from the last service date, discharge, or another trigger defined by state law. For minors, the timing often works differently. The clock usually starts when the patient reaches the age of majority, then extends 2 to 10 more years, often tied to the malpractice statute of limitations[4].
If state law, federal regulations, and payer contracts point to different timeframes, use the longest applicable period[6][2].
Legal Health Record vs. Designated Record Set
After you set the time period, you still need to answer a basic question: which records are you keeping under that schedule?
The Designated Record Set is the HIPAA term (45 CFR § 164.501) for the medical and billing records, plus any other records, that a covered entity uses to make decisions about the individual; it defines the scope of the patient's rights of access and amendment[2].
The Legal Health Record is the subset your organization treats as the official legal copy.
Those two definitions shape the retention schedule in different ways. Your schedule has to cover what must stay available for patients and what must stay defensible if a claim or lawsuit shows up later. Missing records can create legal exposure[4].
Common State Retention Ranges in 2026: A Reference Matrix
Use the matrix below to compare common patterns, then turn them into one internal schedule. These ranges are a starting point only. Before locking in policy, check the current law[4][2].
| Jurisdiction | Adult Record Retention Pattern | Minor Record Retention Pattern |
|---|---|---|
| Federal (CMS) | 5 years (hospitals/home health) | 3 years after reaching legal age (long-term care) |
| Medicare Advantage | 10 years | 10 years |
| California | 7 years (hospitals) | 1 year after reaching age of majority |
| Florida | 5 to 7 years (7 recommended for malpractice) | Varies by provider type |
| New York | 6 years | 3 years after 18th birthday |
| Texas | 7 years (physicians); 10 years (hospitals) | Until age 21 (physicians); until age 20 (hospitals) |
| Illinois | 10 years from last treatment | Until age 23 |
| North Carolina | 11 years after discharge (hospitals) | Until patient turns 30 |
| Massachusetts | 20 years (hospitals); 7 years (physicians) | Until age 18 or 7 years (whichever is longer) |
| Georgia | 10 years (physicians); 5 years (hospitals) | Until age 23 |
| Colorado | 7 to 10 years | Until age 28 |
For multi-state organizations, the safest move is to apply the strictest rule by record type across all locations. It cuts down on gray areas when records are requested and helps keep one consistent retention schedule in place.
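The two calculations above (the six-year documentation clock with its "whichever is later" anchor and per-version tracking, and the "longest rule wins" selection across federal, payer, and state chart rules with a separate minor clock) are simple to state but easy to get wrong in a spreadsheet. The following is an added example, not code from the original article: a small retention calculator. The rule values it carries are the illustrative patterns from the matrix above, not a verified legal schedule, and the age of majority is assumed to be 18.

```python
# Added example, not from the original article. Rule values are the illustrative
# patterns from the page's matrix; verify against current law before relying on them.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; Feb 29 falls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def hipaa_doc_retention_end(created: date, last_in_effect: Optional[date] = None) -> date:
    """45 CFR 164.530(j)(2) / 164.316(b)(2)(i): six years from creation or from the date
    the document was last in effect, whichever is later. For a superseded policy version,
    pass the supersession date as last_in_effect."""
    anchor = max(created, last_in_effect) if last_in_effect else created
    return add_years(anchor, 6)


@dataclass(frozen=True)
class ChartRule:
    """One retention rule for patient charts; either clock may be absent."""
    source: str
    years_after_last_service: Optional[int] = None
    minor_until_age: Optional[int] = None  # engaged only if the patient was a minor at last service
    majority_age: int = 18                 # assumption: 18 unless state law says otherwise

    def end_date(self, last_service: date, dob: Optional[date]) -> Optional[date]:
        candidates = []
        if self.years_after_last_service is not None:
            candidates.append(add_years(last_service, self.years_after_last_service))
        if (self.minor_until_age is not None and dob is not None
                and last_service < add_years(dob, self.majority_age)):
            candidates.append(add_years(dob, self.minor_until_age))
        return max(candidates) if candidates else None


def chart_retention_end(rules: List[ChartRule], last_service: date,
                        dob: Optional[date] = None) -> Tuple[date, str]:
    """Apply every rule that reaches the record and keep the longest one."""
    best = None
    for rule in rules:
        end = rule.end_date(last_service, dob)
        if end is not None and (best is None or end > best[0]):
            best = (end, rule.source)
    if best is None:
        raise ValueError("no applicable rule; never default to destruction")
    return best


# Constructed rule sets using the matrix patterns above (illustrative only).
RULES_TX_HOSPITAL = [
    ChartRule("42 CFR 482.24(b)(1) hospital CoP", years_after_last_service=5),
    ChartRule("Medicare Advantage contract", years_after_last_service=10),
    ChartRule("Texas hospital pattern", years_after_last_service=10, minor_until_age=20),
]
RULES_MULTI_STATE = RULES_TX_HOSPITAL + [
    ChartRule("Illinois pattern", years_after_last_service=10, minor_until_age=23),
    ChartRule("North Carolina hospital pattern", years_after_last_service=11, minor_until_age=30),
]

if __name__ == "__main__":
    print(hipaa_doc_retention_end(date(2020, 3, 1)))                    # 2026-03-01
    print(hipaa_doc_retention_end(date(2018, 1, 1), date(2022, 6, 1)))  # 2028-06-01 (superseded version)
    print(chart_retention_end(RULES_TX_HOSPITAL, date(2024, 5, 10)))    # adult: Medicare Advantage, 2034-05-10
    print(chart_retention_end(RULES_MULTI_STATE, date(2024, 5, 10), date(2015, 2, 1)))  # minor: NC, 2045-02-01
```

The returned source label is the part worth keeping in the schedule: when a destruction reviewer asks why a 2024 pediatric encounter is held until 2045, the answer should be a named rule, not a date someone typed in.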
Building a HIPAA-Aligned Retention, Archiving, and Destruction Program
Turn retention periods into one operating model across every system that stores ePHI.
How to Build One Retention Schedule Across All Systems and Data Types
Start with a full inventory of every system that stores ePHI, and assign each one a clear owner [3]. That means your main EHR, imaging repositories, email, SaaS apps, and backup repositories. Then map each data type to the strictest retention rule that applies and place it in one master schedule. That schedule becomes the control point for archiving, migration, and destruction.
Policy ownership matters. A governing committee made up of compliance, legal, IT, security, and health information management should approve the schedule and deal with exceptions [3]. This same group should also manage legal holds, which pause destruction when records are tied to litigation, government investigations, or audits. Holds need to be documented and released through a formal process [2][7].
For email, use journaling to send messages into a tamper-evident, indexed repository with policy-based retention [3].
How to Archive Records Without Losing Integrity, Access, or Clinical Context
Archives preserve records. Backups recover systems. That difference matters. Once your retention schedule is in place, your preservation controls need to keep records usable, not merely stored.
A defensible archive keeps metadata intact and keeps records readable after migrations. Use checksums, hashes, or digital signatures to spot corruption [3]. Test restorations on a regular basis to confirm the data is still readable and that metadata remains intact after migrations or long-term storage [3].
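What "checksums plus intact metadata plus a tested restore" looks like in code, as an added example that is not from the original article or any vendor's product: an archive manifest in which each record's digest binds the bytes to the canonical JSON of its metadata, the whole manifest carries an HMAC so it cannot be silently rewritten, and a restore check classifies every record as ok, corrupt, metadata_changed, or missing. The key, record names, and sample documents are constructed for the demo; in production the HMAC would be replaced by a signature or a KMS-held key.

```python
# Added example, not from the original article. The key and the sample archive are constructed.
import hashlib
import hmac
import json

MANIFEST_KEY = b"constructed-demo-key; use a KMS/HSM key or a real signature in production"


def _canon(obj) -> bytes:
    """Canonical JSON so the same metadata always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(content: bytes, metadata: dict) -> str:
    """Bind content and metadata together: a flipped byte, a dropped author field and a
    changed encounter date all produce a different digest."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(content).digest())
    h.update(hashlib.sha256(_canon(metadata)).digest())
    return h.hexdigest()


def build_manifest(records: dict) -> dict:
    """records: {record_id: (content_bytes, metadata_dict)} -> authenticated manifest."""
    entries = {rid: {"digest": record_digest(c, m), "metadata": dict(m)}
               for rid, (c, m) in records.items()}
    mac = hmac.new(MANIFEST_KEY, _canon(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}


def verify_archive(manifest: dict, restored: dict) -> dict:
    """Map every record the manifest lists to ok / corrupt / metadata_changed / missing.
    If the manifest's own MAC fails, nothing in it can be trusted."""
    expected = hmac.new(MANIFEST_KEY, _canon(manifest["entries"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {rid: "manifest_tampered" for rid in manifest["entries"]}
    results = {}
    for rid, entry in manifest["entries"].items():
        if rid not in restored:
            results[rid] = "missing"
            continue
        content, meta = restored[rid]
        if meta != entry["metadata"]:
            results[rid] = "metadata_changed"
        elif record_digest(content, meta) != entry["digest"]:
            results[rid] = "corrupt"
        else:
            results[rid] = "ok"
    return results


# Constructed sample archive: three legacy-EHR documents with their clinical context.
SAMPLE_ARCHIVE = {
    "mrn00017/2019-03-04/discharge-summary.pdf": (
        b"%PDF-1.4 constructed discharge summary bytes",
        {"mrn": "00017", "encounter": "2019-03-04", "doc_type": "discharge_summary",
         "author": "attending-123", "source_system": "LegacyEHR", "retain_until": "2029-03-04"}),
    "mrn00017/2019-03-04/labs.json": (
        b'{"hgb": 13.1, "unit": "g/dL"}',
        {"mrn": "00017", "encounter": "2019-03-04", "doc_type": "lab_panel",
         "author": "lab-interface", "source_system": "LegacyEHR", "retain_until": "2029-03-04"}),
    "mrn00042/2021-11-20/op-note.txt": (
        b"constructed operative note",
        {"mrn": "00042", "encounter": "2021-11-20", "doc_type": "op_note",
         "author": "surgeon-77", "source_system": "LegacyEHR", "retain_until": "2031-11-20"}),
}


def simulate_restore_check() -> dict:
    """Build the manifest before migration, then verify a restore in which (1) a byte in the
    lab file was altered and (2) the op note lost its author during field mapping."""
    manifest = build_manifest(SAMPLE_ARCHIVE)
    restored = dict(SAMPLE_ARCHIVE)
    labs_content, labs_meta = restored["mrn00017/2019-03-04/labs.json"]
    restored["mrn00017/2019-03-04/labs.json"] = (labs_content.replace(b"13.1", b"18.1"), labs_meta)
    op_content, op_meta = restored["mrn00042/2021-11-20/op-note.txt"]
    restored["mrn00042/2021-11-20/op-note.txt"] = (
        op_content, {k: v for k, v in op_meta.items() if k != "author"})
    return verify_archive(manifest, restored)
```

Run `simulate_restore_check()` after every migration or periodic restore test and treat anything other than all-ok as a finding. The point of hashing the metadata alongside the bytes is that a migration can deliver every PDF intact and still strip the author, encounter date, or source system, which is exactly the clinical context a record needs to remain defensible.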
Archives also help keep access in place during EHR replacements. When Unified Women's Healthcare moved to athenaOne, it used Aesto Health to archive legacy EHR data. Only patients seen in the last 5 years were imported into the new system, so the archive kept the remaining 7-plus years of required historical data, including legacy claims and payment history that were not available in the new EHR [8].
If a third-party vendor manages archived PHI, it should have a signed Business Associate Agreement (BAA) that spells out secure destruction methods and, where it applies, HITRUST or SOC 2 attestation [8][7]. Even if a third-party vendor holds the data, providers still remain responsible for producing records when needed [8].
Retain, Archive, Migrate, or Destroy: A Comparison of Approaches
Every record will hit a decision point at some stage: keep it where it is, move it to an archive, migrate it to a new system, or destroy it. Each option comes with its own costs, risks, and compliance tradeoffs.
| Approach | Best Use Case | Primary Benefit | Key Risk |
|---|---|---|---|
| Retain (Primary EHR) | Active patients; records within 2–3 years of last encounter | Immediate clinical access; no migration needed | High storage costs; system performance degradation |
| Archive | Inactive patients; legacy data; post-migration records | Lower cost; preserves clinical context and metadata | Requires secondary system management; potential access lag |
| Migrate | EHR vendor transitions; practice acquisitions | Single access point for clinicians | Data loss or loss of clinical context if mapping is incomplete [8] |
| Destroy | Records past all retention and legal hold periods | Eliminates storage costs and breach liability | Irreversible; legal risk if destroyed prematurely [7] |
When retention ends, destruction needs to be provable, not improvised. Destroy records only after all federal, state, and payer retention periods have expired, all legal holds have been released, and the malpractice statute of limitations has passed [1]. When destruction happens, it must be irreversible and logged. A Certificate of Destruction should record the date, method, description of the records destroyed, and the names of the people who performed or witnessed it [1][7].
For digital media, NIST SP 800-88 Rev. 2 defines three sanitization levels, chosen by media type and by where the media goes next:
- Clear: logical techniques such as overwriting; protects against simple, non-invasive recovery and fits media that stays inside the organization for reuse
- Purge: cryptographic erase, block erase, or degaussing; makes recovery infeasible even with laboratory techniques and fits media leaving the organization's control. Cryptographic erase only qualifies when the data was encrypted for its entire life on that media and every copy of the key is destroyed
- Destroy: shredding, disintegrating, pulverizing, or incinerating so the media can never be used again; for end-of-life media
HHS's disposal guidance is that PHI must be rendered unreadable, indecipherable, and impossible to reconstruct, and that standard applies to paper and digital media alike [7]. Record the level and technique used on the Certificate of Destruction.
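The destruction gate and the certificate described above, as an added example that is not from the original article: a record is destroyed only if its retention end has passed, no unreleased legal hold covers the patient, and no access request is pending; each destruction is then appended to a log in which every Certificate of Destruction entry commits to the SHA-256 hash of the previous one, so editing or deleting a certificate breaks verification. Record identifiers, names, the holds, and the media-to-method mapping are all assumptions made for the demo.

```python
# Added example, not from the original article. Identifiers, holds and names are constructed.
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class LegalHold:
    hold_id: str
    mrns: set                            # patients whose records are frozen
    released_on: Optional[date] = None   # None means the hold is still active


@dataclass
class Record:
    record_id: str
    mrn: str
    retention_end: date   # longest applicable period, computed upstream
    media: str            # "ssd" or "paper" in this demo


def destruction_decision(rec: Record, today: date, holds: List[LegalHold],
                         pending_access_mrns: set) -> Tuple[bool, str]:
    """Return (allowed, reason). A hold or a pending request blocks even an expired record."""
    if today <= rec.retention_end:
        return False, "retention_not_expired"
    for h in holds:
        if rec.mrn in h.mrns and (h.released_on is None or h.released_on > today):
            return False, f"legal_hold:{h.hold_id}"
    if rec.mrn in pending_access_mrns:
        return False, "pending_access_request"
    return True, "eligible"


GENESIS = "0" * 64


class DestructionLog:
    """Append-only certificate log; each entry carries the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

    def certify(self, rec: Record, destroyed_on: date, method: str,
                performed_by: str, witnessed_by: str, copies_covered: List[str]) -> dict:
        entry = {
            "record_id": rec.record_id,
            "mrn": rec.mrn,
            "destroyed_on": destroyed_on.isoformat(),
            "method": method,                   # NIST SP 800-88 level and technique
            "copies_covered": copies_covered,   # primary, archive and backup sets
            "performed_by": performed_by,
            "witnessed_by": witnessed_by,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_destruction_cycle(records: List[Record], today: date, holds: List[LegalHold],
                          pending_access_mrns: set, log: DestructionLog) -> dict:
    """Process a batch; return {record_id: outcome}. Only eligible records are destroyed."""
    outcome = {}
    for rec in records:
        allowed, reason = destruction_decision(rec, today, holds, pending_access_mrns)
        if allowed:
            method = ("NIST SP 800-88 purge: cryptographic erase" if rec.media == "ssd"
                      else "NIST SP 800-88 destroy: cross-cut shred")
            log.certify(rec, today, method, "him-analyst-01", "privacy-officer-02",
                        ["primary-ehr", "archive", "backup-set-2024Q4"])
            reason = "destroyed"
        outcome[rec.record_id] = reason
    return outcome


def demo(today: date = date(2026, 6, 30)) -> Tuple[dict, DestructionLog]:
    """Constructed batch with one record per gate outcome, one active and one released hold."""
    holds = [LegalHold("HOLD-2025-07", {"00042"}),
             LegalHold("HOLD-2019-02", {"00099"}, released_on=date(2021, 1, 15))]
    pending = {"00105"}
    records = [
        Record("R1", "00017", date(2029, 3, 4), "ssd"),    # still inside retention
        Record("R2", "00042", date(2025, 11, 20), "ssd"),  # expired, but on an active hold
        Record("R3", "00099", date(2024, 1, 1), "paper"),  # expired, hold released: destroy
        Record("R4", "00105", date(2023, 6, 1), "ssd"),    # expired, access request pending
        Record("R5", "00210", date(2025, 12, 31), "ssd"),  # expired, nothing blocking: destroy
    ]
    log = DestructionLog()
    return run_destruction_cycle(records, today, holds, pending, log), log
```

The chain only proves the log was not altered after the fact; it does not prove the media was actually purged, which is why the certificate records the method and the names of the people who performed and witnessed it. In production the head hash would be published somewhere the log's own administrators cannot rewrite (a ticketing system, a WORM bucket, or a timestamping service).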
Governance, Cybersecurity, and Ongoing Policy Review
Using Retention Controls in Risk Analysis, Audits, and Incident Response
Once you set retention periods, the next job is making sure they hold up in day-to-day work. That’s where governance comes in. Retention policy isn’t just paperwork. It’s a security control. Keep data too long, and you add risk. Delete it too soon, and you can create a different kind of security and compliance problem.
Map retention controls to every system that stores ePHI. That includes the obvious places, but also backups, archives, and older platforms that still hold data. Many organizations also tie audit log retention to HIPAA’s six-year documentation rule so they can piece together who accessed which data and when if a breach investigation happens [3].
Internal audits need to go past reading the policy and checking a box. Review destruction certificates, wipe reports, and legal-hold status on a set schedule. Then plug those checks straight into audit and incident-response workflows. Quarterly reviews should confirm that no records marked for destruction are still subject to an active legal hold [2]. If litigation or a government investigation is pending, destruction has to stop at once across every system, including backups and archives. That hold also needs to be formally documented and tracked until it is released [2][7].
Vendor oversight matters just as much. Business Associate Agreements should require third parties to provide chain-of-custody records and destruction logs. HIPAA penalties for improper PHI disposal are still severe, so checking vendor evidence can’t be treated as optional during the audit cycle [1].
How Censinet Supports Retention-Related Cyber Risk Governance
Handling retention risk across a large vendor ecosystem is hard to manage by hand. Healthcare organizations use Censinet RiskOps™ to keep compliance records in one place and run more efficient third-party and enterprise risk assessments. Censinet RiskOps™ brings together retention-related risk assessments, remediation tracking, and third-party evidence tied to PHI handling.
2026 Retention Policy Priorities: Key Takeaways
At this point, the policy should be in use, tested, and reviewed. A few priorities stand out for the rest of 2026:
- HIPAA's six-year rule covers compliance documents only; medical records follow state and federal retention rules. Using the strictest rule that applies is the safer move when records from more than one jurisdiction sit in the same system [2].
- Defensible destruction means more than deleting data from a primary system. You need documented certificates, data sanitization methods, and proof that legal holds have been cleared.
- Policy review should not wait for annual cycles. New state laws such as Texas SB 1188, in effect since January 1, 2026, and the HIPAA Security Rule NPRM published in January 2025, which would remove the "addressable" implementation specification category, show that the regulatory landscape is moving faster than many annual review cycles can handle [1].
FAQs
How do I know which retention rule controls?
Identify all applicable rules - HIPAA administrative rules, state medical record laws, and any federal program mandates - and follow the longest retention period.
HIPAA requires six years for compliance records, such as policies, training logs, and risk assessments. It does not set retention periods for clinical medical records. Those are governed by state law and payer contracts.
What records does HIPAA’s 6-year rule cover?
HIPAA’s 6-year rule does not apply to patient medical records.
Instead, it applies to the admin and day-to-day records that show an organization is following the HIPAA Privacy Rule and Security Rule. Those records must be kept for six years from the date they were created, or from the date they were last in effect, whichever is later.
That includes items like:
- policies and procedures
- risk analyses and management plans
- business associate agreements, training records, audit logs, complaints, and incident documentation
What should I do before destroying old PHI?
Before you destroy PHI, make sure every required retention period has expired. If federal and state rules don't match, follow the longer one. You should also stop destruction right away if there's a legal hold, audit, investigation, or a pending patient access request.
Keep a record of how the disposal was handled. If a third-party vendor is involved, confirm there's a signed BAA in place. And use secure destruction methods so the PHI can't be read.