How long should an individual retain Protected Health Information (PHI)?

Mar 4, 2023 | HIPAA News and Advice

In the United States, HIPAA itself does not set a retention period for medical records. What it does require (45 CFR 164.530(j) for the Privacy Rule and 45 CFR 164.316(b) for the Security Rule) is that covered entities retain the documentation those rules call for, such as policies and procedures, notices of privacy practices, signed authorizations, risk analyses, and accountings of disclosures, for at least six years from the date of creation or the date when the document was last in effect, whichever is later. How long the underlying Protected Health Information (PHI), that is, the medical record itself, must be kept is set by state law, by licensing and Medicare conditions, and by accreditation standards, and those periods are often longer than six years. Because the requirements vary, organizations should confirm their retention schedule with legal counsel or the relevant regulator. PHI retention is an important aspect of healthcare operations, governed by federal and state regulations along with industry-specific best practices, and healthcare professionals, administrators, and organizations must observe these rules carefully to remain compliant and to preserve the integrity and security of patient data for as long as it is held.

Retention Consideration | Details and Explanations
Minimum Retention Period | Six years from the date of creation or the date last in effect, whichever is later. Under HIPAA this applies to required documentation (45 CFR 164.530(j), 164.316(b)); the retention period for the medical record itself is set by state law.
Retention for Minor Patients | Many state laws extend the period for minors, for example to a set number of years after the patient reaches the age of majority (usually 18). HIPAA sets no separate period for minors.
Retention After Patient's Death | Some state laws set a post-death retention period (two years is one figure cited). HIPAA sets no such period, but the Privacy Rule continues to protect a decedent's PHI for 50 years after death.
State-Specific Requirements | Many states impose record retention periods longer than the HIPAA documentation period; the longer period governs.
Legal Proceedings | A lawsuit, investigation, or audit places a hold on relevant records, which must be preserved until the matter is resolved, regardless of the normal schedule.
Research and Accreditation Requirements | Research institutions and accredited healthcare organizations may be bound by additional retention rules for research data and accreditation documentation.
Permissible Disclosures Without Authorization | HIPAA permits disclosure without the patient's authorization for treatment, payment, and healthcare operations, and where disclosure is required by law.
Other Permissible Disclosures | PHI may also be disclosed for public health activities, health oversight, judicial and administrative proceedings, and research under an IRB or Privacy Board waiver. Properly de-identified data is no longer PHI.
Patient Authorization | Outside the permitted circumstances, a written authorization from the patient is required before PHI is disclosed.
Security and Protection | The Security Rule's administrative, physical, and technical safeguards must protect electronic PHI for the whole retention period, and records must be securely destroyed once it ends.
Table: Key Considerations and Details Regarding the Retention of PHI in Healthcare

In the United States, the federal framework for PHI is HIPAA. HIPAA's Privacy Rule establishes the standards for the protection and permitted use of PHI and requires that the documentation supporting compliance be retained for six years, but it leaves the retention period for medical records themselves to other law. State laws supply most of those record retention requirements, and healthcare professionals and organizations must follow them as well. HIPAA preempts contrary state law, except that a state law which is more stringent, that is, more protective of the patient's privacy or requiring longer retention, continues to apply.

Under HIPAA, covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, must retain the documentation required by the Privacy and Security Rules for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later. This six-year period is a floor, not a complete answer. Where state law mandates a longer retention period for medical records, the state period governs. Litigation, investigations, or audits also suspend the normal schedule: once a legal hold is in place, relevant records must be preserved until the proceeding concludes, even if their scheduled retention period has already expired.

Understanding PHI retention periods is important for healthcare professionals. While six years is a common baseline, there are exceptions and variations, most of which come from state law rather than HIPAA. For minors, many states extend retention to a set number of years after the patient reaches the age of majority, typically 18, so that the patient can still obtain or dispute the record as an adult. After a patient dies, some states require the record to be kept for a further period (two years is one figure cited) to cover legal matters or claims related to the deceased patient's medical history. HIPAA sets neither of these periods, but the Privacy Rule itself continues to protect a decedent's PHI for 50 years after death, so records kept under a post-death rule remain subject to the same safeguards and disclosure limits.

Many states impose retention periods longer than the HIPAA documentation period, and healthcare professionals in those states must follow the more stringent state rule. New York, for example, requires healthcare providers to retain medical records for at least six years. PHI may also need to be retained beyond the scheduled period if it is involved in legal proceedings, such as malpractice lawsuits or government investigations; the record is placed under hold and must not be destroyed until the matter is resolved. Research institutions and organizations seeking accreditation may be subject to separate retention requirements for research data and accreditation documentation, which vary and should be reviewed carefully.

While retaining PHI is required for compliance and legal purposes, healthcare professionals should also understand when and how PHI may be disclosed during that time. The HIPAA Privacy Rule defines specific circumstances in which PHI can be shared without the patient's authorization. PHI can be disclosed for treatment, for payment for healthcare services, and for healthcare operations. This includes sharing information with other healthcare providers involved in the patient's care, with health plans, and within internal administrative functions, subject to the minimum necessary standard for payment and operations disclosures.

If a federal, state, or local law mandates the disclosure of PHI, healthcare professionals must comply with that legal obligation, for example reporting certain diseases to public health authorities. PHI may be disclosed in response to a court order, and in response to a subpoena or discovery request that is not accompanied by a court order, provided the covered entity receives satisfactory assurances that reasonable efforts were made to notify the patient or to obtain a qualified protective order. PHI may be disclosed for public health activities, such as disease surveillance, public health investigations, and reporting of vital statistics. Regulatory agencies responsible for healthcare oversight, such as the Department of Health and Human Services (HHS) or state licensing boards, may require access to PHI for auditing and monitoring purposes.

PHI may be used or disclosed for research under certain conditions, such as when the patient's authorization is obtained or when an Institutional Review Board (IRB) or Privacy Board grants a waiver of authorization. De-identified information, meaning data from which the identifiers listed in the Privacy Rule have been removed or that an expert has determined carries a very small risk of re-identification, is no longer PHI and may be disclosed freely. Outside of the circumstances above, the patient's written authorization is generally required, and it must specify the purpose of the disclosure, who may make it and receive it, and when it expires.

The retention of PHI is inseparable from its protection. Safeguarding patient information is both a legal obligation and an ethical one, and a breach can bring civil and criminal penalties, reputational damage, and, most importantly, a loss of patient trust. For the whole time PHI is held, the organization must apply the Security Rule's administrative, physical, and technical safeguards: a documented risk analysis, encryption of electronic PHI at rest and in transit (an addressable specification that should be implemented unless a documented alternative is equivalent), role-based access controls, audit logging and regular review, workforce training on privacy, and secure communication channels. PHI should be accessed only by authorized personnel for legitimate purposes. Retention also has an end: once a record's retention period has expired and no legal hold applies, it should be destroyed in a way that leaves it unreadable and unrecoverable, such as shredding paper and securely wiping or destroying storage media, and the destruction should itself be documented.

The use of electronic health records (EHRs) has introduced new challenges and opportunities for PHI retention and security. EHR systems improve accessibility and data management, but they must also be protected against cyber threats, and retention obligations follow the data wherever it lives: backups, archives, data migrated from retired systems, and copies held by business associates are all still PHI and remain subject to the same safeguards, retention periods, and breach notification rules. Records must stay readable and retrievable for the full retention period, which means planning for format and system changes, not only for storage. A strong EHR security framework is a necessity in the modern healthcare landscape.


The retention of PHI is a complex and highly regulated aspect of healthcare administration. Healthcare professionals must be well versed in both federal and state requirements, along with industry-specific best practices, to ensure compliance. By understanding retention periods, permissible disclosures, and the safeguards that apply for as long as the data is held, healthcare organizations can meet their legal obligations while maintaining the trust and confidence of their patients.
