How long should an individual retain Protected Health Information (PHI)?

Mar 4, 2023 | HIPAA News and Advice

In the United States, healthcare providers and organizations covered by HIPAA are generally required to retain Protected Health Information (PHI) for a minimum of six years from the date of creation or the date when it was last in effect, whichever is later. State laws and specific circumstances may impose longer retention periods, so it is advisable to consult legal counsel or regulatory guidelines for precise requirements. PHI retention is an important aspect of healthcare operations, governed by federal and state regulations, along with industry-specific best practices. Healthcare professionals, administrators, and organizations must observe these regulations carefully to ensure compliance and maintain the integrity and security of patient data.

| Retention Consideration | Details and Explanation |
|---|---|
| Minimum Retention Period | Six years from the date of creation or the last effective date, as stipulated by HIPAA's Privacy Rule. |
| Retention for Minor Patients | PHI must be kept for six years after the patient reaches the age of majority (usually 18 years old). |
| Retention After Patient's Death | PHI should be retained for two years from the date of the patient's death to address potential legal matters. |
| State-Specific Requirements | Some states may impose longer PHI retention periods than HIPAA, requiring adherence to state regulations. |
| Legal Proceedings | Legal matters, such as lawsuits or investigations, can pause the retention countdown until resolved. |
| Research and Accreditation Requirements | Research institutions and accredited healthcare organizations may have specific retention rules. |
| Permissible Disclosures Without Authorization | HIPAA allows disclosure without patient consent for treatment, payment, healthcare operations, and legal mandates. |
| Other Permissible Disclosures | PHI can be shared for public health, health oversight, judicial proceedings, research, and when de-identified. |
| Patient Authorization | Outside specific circumstances, written patient consent is typically required for PHI disclosure. |
| Security and Protection | Robust data security measures, especially for electronic health records, are necessary to prevent breaches. |

Table: Key Considerations and Details Regarding the Retention of PHI in Healthcare

PHI retention is primarily regulated in the United States by HIPAA. HIPAA’s Privacy Rule establishes the standards for the protection and proper use of PHI, including guidelines for its retention. State laws may impose their own retention requirements, which healthcare professionals and organizations must also adhere to. When state laws conflict with HIPAA, the more stringent of the two regulations typically takes precedence.

Under HIPAA, covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, are generally required to retain PHI for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later. This six-year retention period is not absolute, as certain factors may extend the retention requirements. For example, if state law mandates a longer retention period, healthcare professionals must adhere to that timeline. Furthermore, litigation, investigations, or audits can pause the countdown of the retention clock, necessitating the preservation of relevant records until these legal processes conclude.

Understanding PHI retention periods is important for healthcare professionals. While the baseline retention period is six years, there are exceptions and variations. In cases involving minors, PHI must be retained for six years after the patient reaches the age of majority, which is typically 18 years old. This ensures that the minor patient's rights are protected even after they come of age. When a patient passes away, their PHI must be retained for two years from the date of death. This allows any potential legal matters or claims related to the deceased patient's medical history to be addressed.

Some states impose longer retention periods than HIPAA. Healthcare professionals operating in these states must adhere to the more stringent state regulations. For example, New York requires healthcare providers to retain medical records for at least six years. PHI may need to be retained beyond the standard period if it is involved in legal proceedings, such as malpractice lawsuits or government investigations. In such cases, the retention clock may be paused until the legal matter is resolved. Research institutions and healthcare organizations seeking accreditation may be subject to specific retention requirements related to research data and accreditation documentation. These requirements can vary and should be carefully reviewed.
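The retention rules described above (baseline six years from the later of creation or last-in-effect date, six years past the age of majority for minors, two years after death, a stricter state minimum, and a legal hold that pauses the clock) can be turned into a disposal-date check that a records-management or data-lifecycle job can run before purging anything. This is an added example and not code from the original article; it assumes that when several periods apply the longest one governs (following the article's "more stringent takes precedence" principle), and that a resolved legal hold adds the days it was open to the retention end date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIPAA_MIN_YEARS = 6    # baseline retention period stated in the article
AGE_OF_MAJORITY = 18   # typical age of majority per the article
POST_DEATH_YEARS = 2   # retention after the patient's death per the article


def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PhiRecord:
    created: date
    last_in_effect: date
    date_of_birth: Optional[date] = None    # set for minor patients
    date_of_death: Optional[date] = None    # set once the patient has died
    state_min_years: int = HIPAA_MIN_YEARS  # raise where state law is stricter
    legal_hold_start: Optional[date] = None
    legal_hold_end: Optional[date] = None   # None while the matter is unresolved


def earliest_disposal_date(rec: PhiRecord) -> Optional[date]:
    """Earliest date the record may be disposed of, or None while a legal
    hold is open. Assumption: the longest applicable period governs."""
    years = max(HIPAA_MIN_YEARS, rec.state_min_years)
    # Baseline: six (or state-mandated) years from the later of the two dates.
    candidates = [add_years(max(rec.created, rec.last_in_effect), years)]
    if rec.date_of_birth is not None:
        # Minors: retention runs from the date the patient reaches majority.
        majority = add_years(rec.date_of_birth, AGE_OF_MAJORITY)
        candidates.append(add_years(majority, years))
    if rec.date_of_death is not None:
        candidates.append(add_years(rec.date_of_death, POST_DEATH_YEARS))
    end = max(candidates)
    if rec.legal_hold_start is not None:
        if rec.legal_hold_end is None:
            return None  # clock paused: keep the record until the matter closes
        if rec.legal_hold_start < end:
            end += rec.legal_hold_end - rec.legal_hold_start  # add paused days
    return end


def may_dispose(rec: PhiRecord, today: date) -> bool:
    """True only when no hold is open and the retention period has elapsed."""
    end = earliest_disposal_date(rec)
    return end is not None and today >= end
```

A purge job should treat a `None` result as "retain", never as "no rule applies".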

While retaining PHI is required for HIPAA compliance and legal purposes, healthcare professionals should also be aware of when and how PHI can be disclosed. The HIPAA Privacy Rule outlines specific circumstances in which PHI can be shared without patient authorization. PHI can be disclosed for patient treatment, payment for healthcare services, and healthcare operations without obtaining patient consent. This includes sharing information with other healthcare providers involved in the patient’s care, health insurance companies, and internal administrative functions.

If a federal, state, or local law mandates the disclosure of PHI, healthcare professionals must comply with that legal obligation. This includes reporting certain diseases to public health authorities or fulfilling court-issued subpoenas. PHI can be disclosed in response to court orders, subpoenas, or other legal processes, provided that reasonable efforts are made to notify the patient and secure a protective order if possible. PHI may be disclosed for public health activities, such as disease surveillance, public health investigations, and reporting of vital statistics. Regulatory agencies responsible for healthcare oversight, such as the Department of Health and Human Services (HHS) or state licensing boards, may require access to PHI for auditing and monitoring purposes.

PHI may be shared for research and statistical purposes under certain conditions, such as when patient consent is obtained or when a waiver of authorization is granted by an Institutional Review Board (IRB). Healthcare professionals can disclose de-identified information that does not contain any patient-identifying elements, as such information is no longer considered PHI. Outside of the aforementioned circumstances, patient authorization is generally required for PHI disclosure. Patients must provide written consent specifying the purpose, recipients, and limitations of the disclosure.

The retention of PHI is linked to its protection and security. Safeguarding patient information is not only a legal obligation but also an ethical imperative. A breach of PHI can lead to consequences, including legal penalties, damage to an organization’s reputation, and, most importantly, compromised patient trust. To ensure the security of PHI, healthcare professionals and organizations must implement robust data security measures. This includes encryption of electronic PHI, strict access controls, regular security audits, employee training on data privacy, and the use of secure communication channels. PHI should only be accessed by authorized personnel for legitimate healthcare purposes.

The use of electronic health records (EHRs) has introduced new challenges and opportunities for PHI retention and security. EHR systems can enhance accessibility and data management but also require protection against cyber threats. Implementing a strong EHR security framework is necessary in the modern healthcare landscape.


The retention of PHI is a complex and highly regulated aspect of healthcare administration. Healthcare professionals must be well-versed in both federal and state regulations, along with industry-specific best practices, to ensure compliance. By understanding retention periods, permissible disclosures, and the importance of safeguarding patient information, healthcare organizations can maintain the trust and confidence of their patients while meeting their legal obligations.