Record Retention and Destruction Policies for Health Care Providers

Hospitals, physician practices and other health care entities that create and/or process protected personal information maintain mountains of medical and business records. Many of these records must be retained pursuant to federal and state-specific laws and regulations, contractual requirements, and any litigation holds. It is therefore important that a health care entity adopt and implement a comprehensive record retention and destruction policy.

Rules Affecting Record Retention Policies

There is no single, uniform record retention and destruction regulation with which a health care entity must comply. Rather, organizations must look to federal record retention requirements, state-specific record retention requirements, and other government agency standards and contractual obligations. Not all of these retention period requirements are the same.

For example, HIPAA requires a covered entity to retain required documentation for six (6) years, while a Medicare-managed care program provider must retain certain records for ten (10) years. A health care entity that operates in different states must also consider each state’s retention requirements, which may differ. For example, hospitals in New York are required to retain records of adult patients for six (6) years, while hospitals in Pennsylvania are required to retain the same records for seven (7) years. Differing record retention requirements create a complicated and confusing regulatory landscape. A common response to this confusing regulatory landscape may be to simply retain all records for the longest stated retention period. This practice, however, can have significant negative implications for a health care entity, including the expense of maintaining records beyond the legally required retention period and potential legal exposure for these records if they are compromised by a cyber attack.

In 2016, the health care industry was hit significantly harder by ransomware attacks than any other industry. With the proliferation of ransomware attacks on health care entities and recent amendments to HIPAA identifying ransomware attacks as a reportable event, the timely and proper disposal of records that are past their retention periods is crucial. An effective record retention and destruction policy should outline a legally defensible process by which the entity can dispose of records and reduce the cost of over-preservation of records and the risk of cyber attacks.

Key Provisions in a Record Retention and Destruction Policy

A. Record Retention Requirements
Provide, at a minimum, the following:

  • Specified procedures related to maintenance of each category of records created or obtained;
  • Record retention instructions, retention time periods and storage procedures; and
  • Identification of the personnel and departments that the record retention and destruction policy applies to and their individual responsibilities.

B. Litigation Holds
In addition to complying with regulatory record retention requirements, a health care entity may receive a litigation hold in anticipation of litigation. The policy should outline a system by which a litigation hold can override certain record retention requirements if the litigation hold requires a longer retention period.

C. Record Destruction
The record retention and destruction policy should contain clear record disposal and destruction guidelines, such as requirements for the disposal of any media containing sensitive, protected information or records and requirements for ensuring that all external media be wiped clean prior to disposal.

Considerations and Next Steps

Health care entities should confirm that their record retention and destruction policies comply with federal and state-specific record retention requirements, and that their personnel are adhering to and implementing those requirements. The record retention and destruction policy should also provide for legally-defensible procedures and not create a higher retention burden than legally required. Finally, the health care entity should map its record retention and litigation hold requirements to its records stored either onsite or offsite.

Phillips Lytle’s Experience

Phillips Lytle has assisted health care providers with creating and updating their record retention and destruction policies, as well as mapping/implementing the required retention periods. For example, we have:

  • Vetted and amended a record retention policy to ensure the retention periods met the legal minimum retention periods so that documents could be removed from systems;
  • Created a system by which existing litigation holds are mapped to records in connection with developing a defensible plan to remediate records that were past their retention periods and were not subject to a litigation hold; and
  • Determined how certain medical records were classified under various federal laws in order to implement data record retention and destruction policies.

The above-referenced client engagements required a team comprised of attorneys and in-house health care and information technology professionals.

Additional Assistance

For more information on record retention and destruction regulation and policies, please contact Jennifer A. Beckage, (716) 847-7093,; F. Kenneth Graham, (716) 847-7049,; William P. Keefer, (716) 847-5488,; or any member of the firm’s Data Security & Privacy Practice Team.