Record Retention Simplified – The Ultimate Guideline


Record retention can be a significant problem for healthcare groups. Different federal and state regulations require different retention schedules for medical records and other medical-service-related documents. Many managers and physicians are confused about how long they should maintain records and how best to store all this paper. Here’s an updated record retention schedule that is in sync with medical malpractice insurers (check with your malpractice carrier) and accounting firms.

There are all kinds of numbers floating around for retaining records, but unless you are focusing ONLY on record retention, you’d have to be very organized to separate what can be shredded in 1 year, 3 years, 6 years, 7 years, etc. I prefer to categorize everything into three basic categories: Save it Forever, Save it for 7 years, and Save it according to state requirements. Here is (almost) everything broken into my three categories.

Corporate Paperwork & Financials: Save all permanently

  • Letters of Incorporation
  • Bylaws
  • Capital Stock
  • Shareholder’s Agreements
  • Copyright and Trademark Information
  • Legal Correspondence
  • Minutes
  • Auditors Report
  • Annual Financial Statements
  • General Ledgers
  • Depreciation Schedules
  • Important Correspondence
  • Licenses
  • Loan documents
  • Property documents
  • Tax records
  • Retirement Plan documents
  • OSHA Medical Records for employee accidents/exposure – 30 years so you may as well keep them forever
  • Worker’s Compensation Records – 11 years so you may as well keep them forever

Accounting Records & Miscellaneous Records: 7 years

  • Human Resource Records – 7 years after termination (keep applications and resumes for non-hirees for 1 year)
  • Accounts Payable records
  • Bank Statements
  • Canceled Checks
  • Contracts and Leases (after expiration)
  • Electronic Fund Transfers
  • Accounts Payable original invoices
  • Payroll Records
  • Other benefit records
  • Sales records (for goods such as vitamins, supplements, or books)
  • Reimbursement records for employee expenses
  • EOBs from payers
  • Encounter Forms or other Billing Records (HIPAA requires Covered Entities retain billing records for 6 years)

Patient Medical Records – guided by state regulation or physician preference, whichever is longer

Adults Recommended: permanently – or a minimum of 10 years after the last encounter

Minors Recommended: permanently – or a minimum of statute of limitation past the age of majority (check your state)

Providers of Medicare Advantage programs must keep patient records for 10 years


Keeping it All Together the Manage My Practice Way

So, how do you keep from drowning in all that paper? Savvy practices scan their paperwork into offsite data centers that give them security, redundancy and easy accessibility, as well as potentially turning dead space into revenue-producing space.

There are many generic solutions for data storage, but Manage My Practice has partnered with Box to serve the special needs of healthcare practices and related service-providers. The package provides practices with the training, organizational set-up, and support to store everything (and I do mean everything) securely for as little as $120/month with upload and download encryption and no space limitations. Box is the leader in data storage and security and Manage My Practice is the name you know and trustBox for a test drive, contact Abraham Whaley at or Mary Pat at






  1. Kevin February 28, 2013


    Can you cite to the portion of the CFR where Covered Entities are required to retain billing records for 6 years? I can’t find that requirement anywhere.

    • Mary Pat Whaley March 3, 2013

      Hi Kevin,

      SE1022 (Special Edition (SE) 1022) provides guidance for physicians, suppliers, and providers on medical record retention timeframes. It states:

      State laws generally govern how long medical records are to be retained. However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (HIPAA) administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period. The HIPAA requirements are available at 45 CFR 164.316(b)(2) on the Internet.

      While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. The Privacy Rule is available at 45 CFR 164.530(c) on the Internet.

      Best wishes,

      Mary Pat