LawShelf courses have been evaluated and recommended for college credit by the National College Credit Recommendation Service (NCCRS), and may be transferred to over 1,500 colleges and universities.

We also have established a growing list of partner colleges that guarantee LawShelf credit transfers, including Excelsior College, Thomas Edison State University, University of Maryland Global Campus, Purdue University Global, and Touro University Worldwide.

For a limited time: Purchase a course multi-pack for yourself or a friend!

Records Retention and Destruction Policies - Module 5 of 5

Module 5: Records Retention and Destruction Policies

The 1996 Health Insurance Portability and Accountability Act has made healthcare administration more efficient. From the Privacy Rule to authorized disclosures to consumer and patient protections, it’s undeniable that HIPAA has transformed healthcare law.

Some of HIPAA’s most overlooked aspects are its requirements and standards for records retention and destruction. In early 2018, Filefax, an Illinois company that moved and stored medical records for covered entities before going out of business in 2016, agreed to pay the Department of Health and Human Services Office of Civil Rights $100,000 to settle potential violations of the HIPAA for disclosing the records of more than 2,000 patients when it allowed paper medical records to be left unsecured in an unlocked truck outside its facility.[1] In reference to the case, the Office of Civil Rights Director Roger Severino stated, “the careless handling of protected health information is never acceptable…[2]

In our final module on Health Records and Privacy, we’ll address records retention and records destruction policies and requirements, state laws that guide such policies, and will explore how HIPAA influences these laws. We’ll also discuss the consequences for not implementing a satisfactory records retention policy and the illegal destruction of records.

Developing a Records Retention Policy 

Do we keep or destroy these medical documents?” is one of the leading questions healthcare providers and facilities address daily. In 2016, the American Hospital Association reported that more than thirty-five million Americans were admitted to thousands of hospitals across the United States.[3] Hospitals produce millions of documents that contain patients’ protected and sensitive health information. 

A hospital or healthcare facility faces high costs when dealing with records retention. Cataloging and storing paper files, electronic documents, correspondence, and data used in medical applications and databases take time, effort, and money. A records retention policy is extremely expensive because of the need to preserve documents in both print and electronic format. Moreover, the litigation costs and financial penalties imposed by the federal government for HIPAA violations can also be exorbitant, as the Filefax example demonstrates. 

Every healthcare organization must adopt and follow a document retention and destruction policy. A company must carefully weigh the risks of keeping data versus those of deleting the documents. Such decisions are becoming increasingly complex because laws affecting spoliation of evidence and data preservation practices are changing as courts and lawmakers try to keep pace with the growing challenges of managing electronic records.[4]

A policy should designate a records custodian responsible for overseeing preservation of records. A paper record may be scanned and kept in electronic format and originals should be stored with reputable document storage companies that have in place protections against destruction from fire or flood, loss due to theft, or other unauthorized access. A document retention policy must be routinely followed and diligently maintained. All employees must know what to do with their documents and how to eliminate unnecessary documents. All supervisors must clearly state and remind their employees how the policy works. These procedures help ensure that a properly-designed policy is consistently applied.[5]

Laws Addressing Records Retention

HIPAA does not require the retention of documents; it merely prevents their disclosure.[6] It is state law, rather than federal law, that dictates how long medical records should be kept. As a result, each covered entity and business associate is bound by the laws of the state regarding how long medical records must be retained. 

New Jersey, for example, requires a doctor to keep a patient’s medical records for seven years.[7] In Florida, a physician must maintain medical records for at least five years after her last patient contact and a Florida hospital must maintain patient medical records, emergency room records, and outpatient records for seven years.[8] 

In California, where there are no statutory requirements, the California Medical Association recommends that medical records be retained indefinitely or for at least twenty-five years after the patient’s last visit. The state’s medical association also makes the following recommendations to doctors:[9]

    ·         Keep records on adult patients, 10 years from the date the patient was last seen;

    ·         Keep records on minor patients, 28 years from the date of birth;

    ·         Keep records on deceased patients, five years from the date of death. 

When a healthcare provider ceases operation for whatever reason, medical records must again be retained in accordance with state laws. Certain states have laws requiring a hospital or physician to attempt to contact the patient before destroying records. For instance, in Florida, a physician's estate must keep that physician’s patients’ medical records for two years from the date of the physician’s death. In Maryland, after the death of a physician, the estate must forward a notice to each of her patients before records are destroyed or transferred. If the patient cannot be located, a notice must be published in a local newspaper, notifying the public of the date and location of disposal.[10]

While federal law does not include medical record retention requirements,[11] there is a requirement about how long other HIPAA-related documents that contain protected health information should be retained. HIPAA’s Section 164.316(b)(2)(i) mandates that a provider provide access to certain specified HIPAA-related documents that may contain protected health information for at least six years from the date of the document’s creation.

These include:

    ·         notices of privacy practices;

    ·         security risk analyses;

    ·         regulatory compliance correspondence and assessment reports;

    ·         physical security maintenance records;

    ·         log records pertaining to protected health information views and updates; and

    ·         incident and breach notification documentation. [12] 

In the case of a policy, the six years start from when it was last in effect. If, for example, a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation. If a policy is implemented for four years before being revised, a record of the original policy must be retained for a minimum of ten years after its creation. Federal regulation also gives people the right to request accountings of disclosures of protested health information.[13] 

Litigation and Records Retention

A strong and thorough records retention policy becomes important during a lawsuit. Courts impose a duty to preserve relevant evidence on covered entities who are subject to government investigation or lawsuit. Though the scope of the duty varies according to the facts of the investigation or lawsuit, the duty applies to all employees and agents, but particularly to senior management and to the lawyers representing the covered entities. 

The obligation to preserve evidence kicks in as soon as a party reasonably anticipates litigation or government investigation. A provider is required to ensure that relevant documents are preserved and managed in good faith and must preserve what it knows, or reasonably should know, is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery or is the subject of a pending discovery request.[14] 

Once a healthcare provider anticipates litigation, or perceives a threat of a lawsuit, it must suspend any destruction policy that was in effect. The organization must put in place a “litigation hold” to preserve the relevant documents. The best practice is to send a formal notice, called a litigation hold notice or a litigation hold letter, to employees and affiliates who may have relevant information to preserve any relevant documents either in print or electronic format. 

The litigation hold, or preservation, letter, should do the following:

    ·         explain the dispute in simple terms;

    ·         clearly identify the reasons for the hold;

    ·         provide a prohibition on the destruction of relevant documents;

    ·         explain what sort of information is considered relevant; and

    ·         should specify the dates covered by the litigation hold.[15]

Consequences for Destroying Medical Records

The duty to preserve relevant evidence is meant to prevent spoliation, which is the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation. The spoliation rule prevents a party from subverting the discovery process and impeding the fair administration of justice by destroying evidence. 

A party claiming spoliation must prove three elements:

    ·         a party had control over the evidence and a duty to preserve it;

    ·         a party acted to destroy or to conceal with a culpable state of mind; and

    ·         the missing evidence is relevant to the other party’s claim or defense.[16]

Courts have found that the intentional spoliation or destruction of evidence raises a presumption that this evidence would have been unfavorable to the other party. 

In medical malpractice cases, spoliation of evidence occurs frequently. Spoliation can involve altering medical records, adding to records, substituting fabricated records and destroying laboratory reports or other physical evidence. One study estimated that as many fifty percent of medical malpractice cases involve altered records, and that ten percent of all malpractice cases involve fraudulently altered records.[17] 

In some states, spoliation may also be brought as its own cause of action rather than as grounds for sanctions for discovery abuse. Generally, those states that have recognized or created the tort of spoliation limit the action to third-party spoliation of evidence related to pending litigation, which means that these actions are limited to claims against non-parties. Moreover, these states generally hold that, to be liable, the non-party spoliator must have had a duty to preserve the evidence. For example, Alabama allows a spoliation cause of action where a third-party has negligently destroyed material evidence.[18]

A court has wide discretion to impose penalties for spoliation of evidence. Under Rule 37 of the Federal Rules of Civil Procedure, it may even dismiss an action or render a judgment of default.[19] It can also preclude a party from introducing certain evidence or award attorney’s fees and costs. A court will only dismiss a case for this reason in extreme cases where there is a showing of bad faith. Rule 37 provides for other possible penalties, including a direction that certain facts be taken as true for purposes of the action, prohibiting the disobedient party from supporting or opposing claims or defenses, striking pleadings, staying the proceedings or treating the disobedience as contempt of court. Absent exceptional circumstances, a court may not impose sanctions on a party for failing to provide information lost because of natural disasters, or the routine, good-faith operation of an electronic information system. 

In addition to Rule 37 and comparable state rules, a physician who alters or destroys medical records may face other consequences, including a disciplinary action resulting in the loss of a professional license or the cancellation of professional liability insurance. In addition, punitive damages in a medical malpractice case may be awarded on a showing of “actual malice” for the intentional alteration, falsification, or destruction of medical records by a physician to avoid liability for negligence, regardless of whether the act directly caused harm.[20]

Obstruction of Justice

Healthcare industry professionals can also face criminal prosecution for obstruction of justice when they destroy or alter documents. Obstruction of justice is the interference with the orderly administration of law and justice, as by giving false information to, or withholding evidence from, a police officer or prosecutor, or by harming or intimidating a witness or juror. It can be both a federal crime and a state crime.[21] State laws defining and punishing obstruction of justice vary significantly. 

Federal law explicitly forbids the destruction, alteration or falsification of materials with the intent to impede or influence an existing or contemplated investigation for corporations. The Sarbanes-Oxley Act of 2002, which protects investors from the possibility of fraudulent accounting activities by corporations, created the federal obstruction of justice statute prohibiting evidence destruction. Congress enacted the Sarbanes-Oxley Act in response to corporate scandals in the early-2000s, involving corporations such as Enron, Tyco, and WorldCom. The Sarbanes-Oxley Act is applicable to public corporations in the healthcare industry, including many health insurers, pharmaceutical companies, and medical device manufacturers. 

In a healthcare investigation, “obstruction” usually means interfering with a government agency’s work by providing false statements and actions to the government or deleting, altering, or failing to produce medical documents.[22] For example, the government may view a misstatement, adding or removing helpful information in documents or inadvertently failing to produce a responsive document with protected health information as obstruction. 

The 2009 prosecution of a Maryland psychiatrist for obstruction of justice reveals how these prosecutions unfold.[23] In early 2005, Dr. Joel Ganz was told he was under investigation for possible fraudulent conduct in billing Medicaid for psychiatric consultation services regarding developmentally disabled group home residents. Sometime within the course of the government's investigation, Dr. Ganz created medical records “documenting” services provided on behalf of Medicaid residents. These records implied that Dr. Ganz provided services to various residents of the group home, but he created these records after the fact in a manner more favorable to him and that would exonerate his conduct. Dr. Ganz provided these records to the FBI and the U.S. Attorney's Office for the District of Columbia in an attempt to have an investigation of him resolved in his favor. Ganz was found guilty of obstruction of justice of a healthcare investigation for falsifying medical records and impeding the federal government’s investigation. 


A poorly developed or mismanaged document retention policy may lead to spoliation or obstruction of justice under both federal law and state law. Therefore, all healthcare providers, healthcare facilities, and other entities in the healthcare industry must not only adopt, but strictly follow sound document retention and destruction policies. Federal and state laws complement one another in that state laws dictate when and for how long medical records must be kept and federal law prevents them from being disclosed. In all, federal and state rules, including rules of evidence, healthcare law and HIPAA provide a comprehensive network of rules that protect sensitive healthcare information of patients and consumers.



[1] Elliott Golding & Anne Harrington, Alleged HIPAA Violations Follow Company Post-Close, Lexology, (Feb. 26, 2018),https://www.lexology.com/library/detail.aspx?g=101637c5-526d-43d0-94a6-5b084668f131.

[2] Consequences for HIPAA Violations Don’t Stop When a Business Closes, U.S. Dep’t of Health & Human Servs., HHS Press Office (Feb. 13, 2018), https://www.hhs.gov/about/news/2018/02/13/consequences-hipaa-violations-dont-stop-when-business-closes.html?language=es.

[3] Fast Facts on U.S. Hospitals, 2018, American Hospital Association, https://www.aha.org/statistics/fast-facts-us-hospitals 

[4] Michael Curran, Avoiding Spoliation-the Impact of New Business Processes on Record Retention and Litigation Hold Processes, 33 Corp. Couns. Rev. 173 (2014).

[5] Christopher R. Chase, “To Shred or Not to Shred: Document Retention Policies and Federal Obstruction of Justice Statutes,” 8 Fordham J. Corp. & Fin. L. 721, 722-23 (2003).

[6] Travis Good, How long to keep medical records under HIPAA?, Datica, (Apr. 17, 2014), https://datica.com/blog/how-long-to-keep-medical-records-under-hipaa/.

[7] Consumer Brief, State Board of Medical Examiners, N.J. Div. of Consumer Affairs, (Oct. 20, 2016), http://www.njconsumeraffairs.gov/News/Consumer%20Briefs/state-board-of-medical-examiners.pdf.

[9] Richard Cahill, Medical Record Retention, TheDoctorsCompany, (Mar. 2017), https://www.thedoctors.com/articles/medical-record-retention/.

[11] Does The HIPAA Privacy Rule Require Covered Entities To Keep Patients’ Medical Records For Any Period of Time?, U.S. Dep’t of Health & Human Servs., (Feb. 18, 2009), https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html.

[14] Wm. T. Thompson Co. v. Gen. Nutrition Corp., 593 F. Supp. 1443, 1455 (C.D. Cal. 1984).

[15] The Honorable David C. Norton, “Fifty Shades of Sanctions: What Hath the Goldsmith's Apprentice Wrought?,64 S.C. L. Rev. 459, 466 (2013) (citing Zubulake v. UBS Warburg, LLC, 220 F.R.D. 212, 217-18 (S.D.N.Y. 2003)).

[18] Smith v. Atkinson, 771 So.2d 429, 438 (Ala. 2000).

[22] Martin Merritt, Avoiding Obstruction of Justice in Healthcare Cases, Physicians Practice, (Feb. 3, 2013), http://www.physicianspractice.com/blog/avoiding-obstruction-justice-healthcare-cases.

[23] Press Release, Doctor Sentenced on Obstruction of Justice Charge, U.S. Attorney’s Office, Federal Bureau of Investigation, (Jan. 07 2009), https://archives.fbi.gov/archives/washingtondc/press-releases/2009/wfo010709a.htm