Medical records are the subject of both federal and state regulations, which may vary greatly.

Federal Statutes

Billing Records

We start with the federal statute that determines the statute of limitations for Medicare (Title XVIII), Medicaid (Title XIX), and Maternal and Child Health (Title V). (42 CFR Part 1003)

The Inspector General must notice his or her intent to impose a penalty, assessment or exclusion from health programs via certified mail, return receipt requested, to the respondent. This notice must be made within 6 years from the date on which the claim was presented, the request for payment was made, or the incident occurred.

This means that billing records must be retained for 6 years from the time of billing.


Hospitals are subject to the Medicare Conditions of Participation §482.24(b) Standard:  Form and Retention of Record) reads as follows:

“Medical records must be retained in their original or legally reproduced form for a period of at least 5 years.”

However, since the statute of limitations for civil penalties is one year longer, hospitals generally retain patient medical records for at least 6 years.


The entities that are regulated by the HIPAA Privacy Rule are referred to as “Covered Entities”. Covered entities are most health plans, healthcare providers and clearinghouses.

The Privacy Rule defines the term “health plan” very broadly and among other things covers  most private health plans (group and individual), ERISA employer health plans (except those with less than 50 members and that do not utilize a third party administrator), Medicaid , Medicare and other federal and state healthcare programs. Also included are health maintenance organizations (HMO’s) and insurance companies that issue health care policies.

The HIPAA privacy regulations require that all medical records, signed consent forms, authorization forms, and other HIPAA-related documentation be retained for the statute of limitations period for civil penalties, which is 6 years. Records must also be kept for 2 years after a patient’s death.


Medicare specifies a retention requirement of 4 years; the recently revised Medicaid Provider Participation Agreements specify a minimum retention period of 6 years for all Medicaid finance and accounting records


As usual taxes trump everything. Since Medicare and Medicaid records may be required in a tax audit, these records should be retained seven years after the taxes were due or paid, whichever is later.


The North Carolina Identity Theft Protection Act of 2005 does not apply to entities subject to HIPAA.

North Carolina does not have a medical office record retention statute for “free-standing” facilities, which are those facilities that are not hospitals, nursing homes or hospices.

The North Carolina Department of Health and Human Resources is charged with creating policy regarding “health care facilities”, including hospitals.



ü  The manager of medical records service shall maintain medical records, whether original, computer media, or microfilm, for a minimum of 11 years following the discharge of an adult patient.

ü  The manager of medical records shall maintain medical records of a patient who is a minor until the patient’s 30th birthday.

ü  If a hospital discontinues operation, its management shall make known to the Division where its records are stored. Records shall be stored in a business offering retrieval services for at least 11 years after the closure date.



ü  The agency shall assure that originals of patient records are kept confidential and secure on the licensed premises unless in accordance with Rule .0209 of this Subchapter, or subpoenaed by a court of legal jurisdiction, or to conduct an evaluation as required in Rule .1001 of this Subchapter.

ü  Patient records shall be retained for a period of not less than three years from the date of discharge of the patient, unless the patient is a minor in which case the record must be retained until five years after the patient’s eighteenth birthday.  If a minor patient dies, as opposed to being discharged for other reasons, the minor’s records must be retained at least five years after the minor’s death.  When an agency ceases operation, the Department shall be notified in writing where the records will be stored for the required retention period.



ü  The manager of medical records shall ensure that medical records, whether original, computer media or microfilm, be kept on file for a minimum of five years following the discharge of an adult patient.

ü  The manager of medical records shall ensure that if the patient is a minor when discharged from the nursing facility, records shall be kept on file until his or her 19th birthday and, then, for five years.

ü  If a facility discontinues operation, the licensee shall make known to the Division of Health Service Regulation where its records are stored.  Records are to be stored in a business offering retrieval services for at least 11 years after the closure date.

Bankruptcy of a Medical Facility

Preservation of patient medical records held by a bankrupt health care business is specifically addressed in the Bankruptcy Reform Act of 2005. The costs of closing a health care business, including transferring and disposing of patient records, is now given priority ahead of the creditors of the bankrupt entity.

Remember, the trustee has certain claw back rights to recapture fraudulent payments or preferential payments to creditors made by the debtor. Trustees usually find money for their fees and basic services.

In the event a bankruptcy estate does not have sufficient funds to pay for statutorily mandated storage of medical records, the trustee may petition the court for permission to notify patients to take possession of their records. If they fail to take possession of their records within one year and if no government agency will store the records, the medical records can be destroyed.


The American Medical Association’s Code of Medical Ethics includes an opinion with respect to retention of medical records.

Opinion 7.05 – Retention of Medical Records

Physicians have an obligation to retain patient records which may reasonably be of value to a patient. The following guidelines are offered to assist physicians in meeting their ethical and legal obligations:

1)     Medical considerations are the primary basis for deciding how long to retain medical records. For example, operative notes and chemotherapy records should always be part of the patient’s chart. In deciding whether to keep certain parts of the record, an appropriate criterion is whether a physician would want the information if he or she were seeing the patient for the first time.

2)     If a particular record no longer needs to be kept for medical reasons, the physician should check state laws to see if there is a requirement that records be kept for a minimum length of time. Most states will not have such a provision. If they do, it will be part of the statutory code or state licensing board.

3)     In all cases, medical records should be kept for at least as long as the length of time of the statute of limitations for medical malpractice claims. The statute of limitations may be three or more years, depending on the state law. State medical associations and insurance carriers are the best resources for this information.

4)     Whatever the statute of limitations, a physician should measure time from the last professional contact with the patient.

5)     If a patient is a minor, the statute of limitations for medical malpractice claims may not apply until the patient reaches the age of majority.

6)     Immunization records always must be kept.

7)     The records of any patient covered by Medicare or Medicaid must be kept at least five years.

8)     In order to preserve confidentiality when discarding old records, all documents should be destroyed.

9)     Before discarding old records, patients should be given an opportunity to claim the records or have them sent to another physician, if it is feasible to give them the opportunity. (IV, V)


IP Blocking Protection is enabled by IP Address Blocker from