🗄️ HIPAA Records Retention Policy Tracker

Summary of retention periods tracked:
6 yr: HIPAA minimum (PHI policies and procedures)
10 yr: Clinical records (MN)
7 yr: Billing / financial
3 yr: HR records (post-separation)
📋 HIPAA requires covered entities to retain records of HIPAA policies and procedures for 6 years from creation or last effective date (45 CFR §164.530(j)). Patient medical record retention is set by state law. Minnesota (MDH) requires 10 years for adult clinical records (Minn. Stat. §144.293).
Record Type Retention Schedule (columns: Record Type, Retention Period, Authority, Storage, Destruction Method)

Records Due for Review / Destruction (columns: Record / Patient, Type, Date of Service, Retention Ends, Status, Action)

Destruction Log (columns: Date, Type, Description, Method, Authorized By, Witness)
HIPAA Privacy & Security Rule — Retention Requirements
45 CFR §164.530(j) — Privacy Rule Documentation

A covered entity must retain HIPAA-required documentation for 6 years from date of creation or last effective date, whichever is later. This covers written policies, Privacy Notices, authorizations, BAAs, workforce training records, and complaint logs.

45 CFR §164.316(b)(2) — Security Rule Documentation

Security policies, risk analyses, risk management plans, and security incident documentation must be retained for 6 years.

Patient Medical Records — State Law Governs

HIPAA does not set retention periods for patient medical records themselves. Follow state law:
Minnesota: Minn. Stat. §144.293 — 10 years (adult); until age 19 or 10 years from last visit (minor)
Federal Medicare/Medicaid: CMS requires 5 years from cost report filing (42 CFR §405.1803)

Destruction Requirements

Records must be destroyed in a manner that renders PHI unreadable and unrecoverable. Paper: cross-cut shredding or incineration. Electronic: crypto-erasure, degaussing, or physical destruction. Maintain a destruction certificate/log for all PHI destruction.
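As an added illustration of the crypto-erasure method described above (example code written for this page, not part of the tracker), a per-record key is destroyed so the ciphertext becomes unrecoverable, and a destruction-log entry with the tracker's columns is produced. The HMAC-SHA256 counter-mode keystream, the KeyStore class and the sample record are assumptions for the example only.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Constructed sample, not real patient data.
SAMPLE_PHI = b"MRN-000123 Jane Doe DOB 1980-01-01 dx: hypertension"

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream from HMAC-SHA256 in counter mode.
    Stand-in cipher for this example only (assumption); production systems
    use a vetted AEAD such as AES-GCM. The same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)

@dataclass
class EncryptedRecord:
    record_id: str
    nonce: bytes
    ciphertext: bytes

class KeyStore:
    """Per-record keys kept apart from the encrypted records (e.g. an HSM or
    key vault). Crypto-erasure destroys the key; copies of the ciphertext on
    backups or retired media then carry no recoverable PHI."""

    def __init__(self) -> None:
        self._keys = {}  # record_id -> key

    def encrypt(self, record_id: str, phi: bytes) -> EncryptedRecord:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[record_id] = key
        return EncryptedRecord(record_id, nonce, keystream_xor(key, nonce, phi))

    def decrypt(self, rec: EncryptedRecord):
        key = self._keys.get(rec.record_id)
        return None if key is None else keystream_xor(key, rec.nonce, rec.ciphertext)

    def crypto_erase(self, rec: EncryptedRecord, authorized_by: str, witness: str) -> dict:
        """Delete the key and return a destruction-log entry (Date, Type, Description,
        Method, Authorized By, Witness) plus a ciphertext hash to tie it to the media."""
        del self._keys[rec.record_id]
        return {"date": date.today().isoformat(), "type": "ePHI",
                "description": f"record {rec.record_id}", "method": "crypto-erasure",
                "authorized_by": authorized_by, "witness": witness,
                "ciphertext_sha256": hashlib.sha256(rec.ciphertext).hexdigest()}
```

Keep the returned entry in the destruction log; the ciphertext hash lets an auditor match the certificate to the stored or retired media without holding any PHI.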