How long must medical records be kept? In the United States there is no single federal answer, because record retention is largely governed by state law, with HIPAA adding a separate documentation-retention requirement. This article explains how the question plays out in Washington State.
Washington's general framework
Washington regulates medical record retention through its administrative code and professional licensing rules. The applicable period can depend on the type of provider and facility (for example, hospitals versus individual practitioners) and on the patient's age at the time of treatment. Records for minors are commonly required to be kept longer, often until some period after the patient reaches the age of majority, because the time to bring certain claims may be extended for minors.
Why retention periods vary
Several factors influence how long a particular record should be kept:
- Provider or facility type: different licensing rules apply to hospitals, clinics, and individual practitioners.
- Patient age: records for minors typically have longer retention.
- Legal considerations: statutes of limitations for malpractice and other claims can make longer retention prudent.
- Payer and program rules: participation in programs like Medicare may carry their own retention expectations.
Practical guidance
| Action | Why |
|---|---|
| Confirm the current rule for your provider type | Requirements differ across facility and license types |
| Apply the longest applicable period | Multiple rules may overlap; the longest usually controls in practice |
| Keep minors' records longer | Extended limitation periods for minors |
| Document a written retention and destruction policy | Consistency and defensibility |
| Destroy records securely | Safeguards protected health information (PHI) and supports HIPAA's breach safe harbor |
Don't forget secure destruction
Retention has a back end: when records reach the end of their required period and you choose to destroy them, do so securely. HIPAA's device and media controls and disposal guidance call for rendering PHI unreadable, whether on paper or electronic media. Improper disposal, such as discarding readable records in the trash, has itself led to enforcement actions.
Verify before you act
Because the specific number of years depends on provider type and can change, do not rely on a general figure from memory. Confirm current requirements in the Washington Administrative Code and the relevant professional licensing rules, and consult counsel or your compliance officer. State agencies and the Washington Legislature publish the authoritative text.
The safest posture is a written retention schedule, mapped to your provider type and to applicable legal and payer requirements, reviewed periodically and applied consistently across paper and electronic records.
Retention is not just a clinical question
Although retention is often framed around clinical records, several overlapping obligations can apply to the same information. HIPAA separately requires retaining certain compliance documentation, such as policies, risk analyses, and notices, for six years, which is distinct from how long the clinical record is kept. Payer and program participation, employment and billing records, and litigation holds can each extend how long particular documents must be preserved. When a legal hold is in place because of anticipated or active litigation, normal destruction must pause for the affected records regardless of the ordinary schedule. A complete retention program therefore accounts for clinical, regulatory, and legal drivers together rather than treating retention as a single number.
Managing electronic records over time
Long retention periods raise practical challenges for electronic records that paper does not. Systems are replaced, file formats become obsolete, and vendors change, yet the obligation to produce a readable record persists. Organizations should plan for data migration when switching electronic health record systems, confirm that archived data remains accessible and intact, and address retention in business associate agreements so a departing vendor returns or properly destroys records. Backups and disaster-recovery copies also fall within the scope of records you control. Building these considerations into procurement and system-change decisions prevents the common situation where required records technically exist but can no longer be opened or located.