How long do doctors keep medical records?

The single most-quoted retention rule on the internet is 'HIPAA requires medical records to be kept for six years.' It's repeated everywhere. It's also not quite right, and the wrong version causes families to assume their records are safe when they may not be.

What HIPAA actually says, in §164.530(j) of the privacy rule, is that covered entities must retain documentation of their HIPAA compliance — written policies, procedures, complaint logs, authorizations, breach notifications, training records — for six years from the date the documentation was created or last in effect, whichever is later. That six-year clock applies to the paperwork a hospital uses to prove it's HIPAA-compliant. Your individual chart isn't HIPAA documentation in this sense; it's a medical record.

The federal rule that actually sets a floor for medical records themselves is buried in Medicare's conditions of participation. Hospitals that bill Medicare must keep medical records for at least five years after the last episode of care. Critical-access hospitals and certain other facilities are held to similar timelines, and provider records under Medicare Advantage rules run longer still. This is the federal floor that touches the chart itself, and it's the one most hospital records-management policies anchor to.

What this means practically: if a provider tells you they're keeping records 'per HIPAA,' the honest interpretation is that they're following the federal six-year compliance-documentation rule and probably also the five-year Medicare rule, and almost certainly the state law on top of those. Asking 'how long are records kept under your state's retention policy?' tends to get you a sharper answer than asking about HIPAA.

State law is where most of the real retention requirement lives. Almost every state has a medical records retention statute, and they're usually published in plain language on the state board of medicine's website or the state health department's website. Search for the state name plus 'medical records retention,' and the first result is usually the right one.

There's no single number that holds across states. A few patterns are common. Many states require seven years for adult records after the last visit. Several require ten. A handful tie the retention period to the age of majority for any record involving a minor. Some impose longer rules on specific record types — operating-room notes, controlled-substance prescriptions, mental-health records — than on general office charts.

Hospitals usually keep records longer than the state minimum, because the cost of disk storage is trivial compared with the cost of being unable to produce a record during a malpractice claim or audit. Private physician practices tend to track closer to the minimum, because they have less infrastructure and more incentive to clear out paper. Imaging centers and laboratories sit somewhere in between, and most of them keep imaging studies considerably longer than the bare floor — being able to compare a new scan to a five-year-old prior is clinically important.

If the state law is hard to read (some are), the local hospital's medical records department is a useful shortcut. They keep the policy in writing for their own staff, and the medical-records clerk is usually happy to tell you 'we keep adult inpatient records for X years and pediatric records until Y' over the phone in two minutes. Asking before you need to is much easier than asking after a clock has run out.

If the patient is a child, almost every state extends the retention period substantially — usually until the patient reaches the age of majority (typically eighteen) plus a few additional years on top. The math varies state by state. A common pattern is 'until age of majority plus seven years,' which means a record created when a child is two years old will be retained for roughly twenty-three years before any retention clock starts running out.

The reason is partly statute of limitations and partly developmental: a child can't sue, and a child can't reasonably evaluate their own medical care, so the law extends the window during which a record can be requested by the now-adult patient. This is the rule that matters most for families researching their own childhood histories — there's usually still something on file for records created in the last two or three decades, even when the providers themselves are long gone.

Immunization records are often kept even longer than the standard pediatric retention, sometimes indefinitely, because schools, employers, and travel-medicine clinics all reference them throughout life. Some states maintain a statewide immunization registry that pulls records from providers and keeps them on file independently of the practice that administered the shot. If you can't find an immunization record through the original pediatrician, the state immunization registry is usually the next stop.

One quiet gotcha: parental access to a child's record often changes at age twelve or fourteen, not at age eighteen. Many patient portals shut parents out of certain record categories — mental-health visits, reproductive health — once the child reaches the state's adolescent-confidentiality threshold. The record itself still exists and is still subject to the pediatric retention clock; the parent just can't pull it through the portal anymore. The teen has to request it themselves, or the parent has to file a formal records request with appropriate consent.

A medical practice doesn't get to vanish without dealing with its records. State law almost universally requires the closing practice to notify patients, publish notice in a local newspaper or on the practice website, and arrange for the records to be transferred to a custodian — usually a successor practice, a hospital system, or in some cases a commercial records-storage company. The clock keeps running on those records under the same retention rules as before; only the custodian changes.

When a physician retires and no one takes over the practice, the records often move to a third-party custodian who holds them for the remainder of the legal retention period. The state board of medicine usually maintains a list of where retired physicians' records went, and contacting the state board is often the fastest way to track down a record from a practice that no longer exists. When a practice is acquired by a larger group, the acquiring group typically takes possession of the records and merges them into its own system, though it may take months for the transition to settle.

Hospital closures are messier. When a hospital closes, the records are usually transferred either to a successor institution or, if there isn't one, to the state health department's closed-facility custodian program. Many states keep a public-facing page listing the current custodian for records of every closed hospital, but the page isn't always easy to find — try the state health department's website first, then the state department of vital records, then the state archives. Some records will have been microfilmed and stored at the state level; others may be at a commercial warehouse contracted to the state.

If a practice closed years ago and you're trying to find records after the fact, expect the search to take weeks rather than days. Start with the state board of medicine for a private practice or the state health department for a hospital. If the practice was bought, search for news of the acquisition — the acquiring entity is the custodian. None of this is fast, but the records are usually findable if the retention clock hasn't yet run out.

The practical move, once you know the rules, is to stop relying on the provider to keep your records and start keeping a copy yourself. HIPAA's right of access (§164.524) requires covered entities to give you a copy of your own record within thirty days of a written request, and most providers will respond faster than that. There's usually a small fee for paper copies and rarely a fee for an electronic export to a portal you already have access to.

Asking for the right thing matters. The provider's default response is often a summary (an after-visit summary, a discharge summary, or a generated 'health summary' PDF), which is not the full chart. The full chart is what you want, and it's what HIPAA requires them to give you on request. Use the phrase 'a complete copy of my designated record set' on the written request, which is the HIPAA term of art and usually gets you the actual chart rather than a summary.

Once you have the records, the next step is putting them somewhere that doesn't have its own retention clock. A folder of PDFs on a personal laptop is better than nothing, but it has its own failure modes — the laptop dies, the cloud-sync account lapses, the family member who set it up doesn't remember the password. A digital medical binder inside a service that's specifically built to hold medical records for the long haul, with the family able to read the same records, is the more durable answer. A medical record organizer inside KeptWell auto-sorts new records by date and document type as they come in, so you can spend the five-minute version of this on each new appointment instead of saving it up for a quarterly cleanup project that never happens.

The most important thing about doing this is doing it before you need to, not after. Records that have been destroyed under the retention clock cannot be retrieved. Records that have been moved to a custodian after a practice closed can usually be retrieved but the search is slow and uncertain. Records that are sitting in your own archive can be opened in under a minute, by anyone in the family circle, on whatever device is in their hand.

Once you have the records, the long-term storage problem is harder than it looks. A paper binder in a closet works for a year. By year three, the binder has stopped being maintained, half the new records never made it in, and the part that's there can't be searched. By year ten, the binder has either been lost in a move or is in a basement nobody opens. This is the natural failure mode of paper.

A folder of files on a laptop is a little better but has its own failure modes. Hard drives fail. Sync services lose accounts. The person who set up the folder isn't the only person who needs to read it during a hard week. And searching for the right document in a folder of three hundred PDFs is its own slow job, especially when the file names are 'scan_2026_05_13_001.pdf' rather than something descriptive.

The model that actually holds up across years is a structured archive: every record indexed by date, document type, and provider; every record readable by the family members who need to see it; new records joining the archive automatically as they arrive. The archive is sortable, searchable, and shareable. The names of the files matter less because the underlying data is structured. The retention clock on the provider's copy can run out, and the family's copy is unaffected.

A few practical tests for whether an archive is going to last: can two family members open the same record at the same time on different devices, without anyone forwarding anything? Does the archive survive one person losing their phone? Can a new family member be invited next month and immediately see the full history, or do they need someone to manually catch them up? If the answer to any of those is no, the archive is too fragile for a multi-year diagnosis.

Not every type of medical record falls under the standard retention rule. A few categories have their own clocks, and the families most affected by these are usually the families who don't realize the records aren't covered.

Psychotherapy notes — the private notes a therapist takes during a session, separate from the patient's official chart — get special treatment under HIPAA. They're kept under tighter access rules than the rest of the chart, and a request for 'my medical record' usually doesn't include them. Retention rules also vary; some practices destroy psychotherapy notes after a few years, others keep them indefinitely under state mental-health law. If the notes matter to you, ask specifically for them by name, in writing, and ask about retention practice during the same conversation.

Research records — anything generated as part of a clinical trial or research study — are typically kept by the research institution under research regulations, not the clinical retention rule. The data may live with the sponsor (often a pharmaceutical company) rather than with the doctor who enrolled the patient. Accessing research records is a separate process from accessing clinical records, and the rules vary by study.

Billing-only records — the records held by a billing service, a clearinghouse, or an old insurance company — are kept under different rules than the clinical chart. If a provider's office has closed and you're trying to recover history through the billing service, expect a much shorter retention window. Insurance claim records sometimes outlast the clinical records of the same visit, which is a real possibility worth checking when an old chart can't be found.

Audio recordings of visits — if you recorded an appointment on your phone with the doctor's consent or under your state's one-party-consent law — are not part of the provider's chart at all. They're your records, in your possession, and they don't have a retention clock except whatever your phone does to them. This is one of the underused options for capturing what was actually said in a visit, especially during fast-moving treatment, and it's worth including in the family's archive alongside the official chart.