Skip to content

It is generally recommended that your practice have a written policy regarding the retention of your patients’ medical records. The policy should specify what records will be kept about your patients, the time period for which each category of record will be kept, and the storage medium (paper, microfilm, optical disk, magnetic tape, or other). It should also specify how the documents will be destroyed at the end of the record retention period.

The purpose of this retention policy is twofold: it should ensure that patient health information is available to meet the needs of continued patient care, legal requirements, research, education, and other legitimate uses, but it should also recognize storage and logistical limitations by permitting the purging of records that are no longer needed for such uses.

State Law

The length of time medical records need to be retained is generally determined by state law. Check the website of your state audiology association for more information.

For patients who are minors, be aware that roughly half the states have laws that address the medical records of minors. In the absence of such a law, you should retain health information at least until the patient reaches the age of majority (as defined by state law) plus the period of the statute of limitations.

Federal Law

In addition to state laws, there may be federal laws, regulations or policies that impact your record retention policy. For example, consistent with requirements of the Centers for Medicare and Medicaid Services (CMS), Medicare carriers, such as Blue Cross and Blue Shield, may require providers to retain original source documentation and medical records pertaining to Medicare claims for some specified period of time; if you have signed such a contract you will be contractually bound to retain records for that period of time.

Specifically, CMS requires that providers submitting cost reports retain all patient records for at least five (5) years after the closure of the cost report. And if you’re a Medicare managed care program provider, CMS requires that you retain the patient records for at least ten (10) years. Further, with respect to any medical records that are in your possession, the HIPAA Privacy Rule and its companion Security Rule contain detailed requirements with respect to steps you must take to safeguard the privacy and integrity of those records.

Specifically, HIPAA rules require a Medicare Fee-For-Service provider to retain required documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later. Additional guidance on both the Privacy Rule and the Security Rule can be found on the Department of Health and Human Services Office for Civil Rights website.

Once you have developed your record retention policy, you should make sure that your patients are aware of that policy. For each patient, it is a good idea to document the steps you took to make that patient aware of your policy in the patient.


AHIMA’s Practice Brief on Retention and Destruction of Health Information

Scroll To Top