Aesto Health | April 10, 2026
The Essential Guide to Patient Record Retention
Federal law mandates strict timelines for how long medical records must be kept, and the rules are more complex than most care centers realize. This guide breaks down the key requirements, obligations, and record retention rules for CMS, HIPAA, and financial records.
#1
DID YOU KNOW?
Financial records and claims history must be retained, not just clinical records.
Many care centers focus on clinical record retention but overlook financial records. CMS requires billing records, cost reports, payment information, and Medicare/Medicaid reimbursement records to be retained as well. Medicare cost reports must be kept for at least 5 years after the cost report closes; reimbursement records must be retained for 6 years from the date of payment or final determination.
Financial records and claims history
Regulation: 42 CFR 413.20 and 42 CFR 413.24 (cost report retention); 42 CFR 424.516(f) (reimbursement records)
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-413/subpart-B/section-413.24
#2
DID YOU KNOW?
You remain personally responsible for providing records, even if a third party holds them.
CMS is explicit: if a provider relies on an employer or third-party entity to store medical records, the provider remains personally on the hook to produce them when requested by CMS or a Medicare contractor. That’s why the relationship with your archive partner isn’t just administrative; it’s a compliance safeguard.
Personal responsibility for producing records
Regulation: 42 CFR 424.516(f)(2)
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-P/section-424.516
#3
DID YOU KNOW?
Medicare Advantage and Managed Care providers face a longer 10-year retention requirement.
Providers participating in Medicare managed care programs (e.g., Medicare Advantage plans) must retain records for 10 years, nearly double the standard CMS floor. ACO participants also have a 10-year retention requirement, which may extend even further in cases involving fraud allegations, disputes, or termination.
Medicare Advantage and Managed Care 10-year requirement
Regulation: 42 CFR 422.504(d) (Medicare Advantage); 42 CFR 425.314(a) (ACO participants)
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-422/subpart-K/section-422.504
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-425/subpart-D/section-425.314
#4
DID YOU KNOW?
HIPAA doesn’t set a clinical record retention period; your state does.
This surprises many practice administrators. HIPAA itself does not specify how long patient health information (PHI) must be retained. Instead, each state sets its own medical record retention period. When that state-mandated period expires, PHI must be destroyed or disposed of in full compliance with HIPAA’s Privacy and Security Rules.
HIPAA does not set clinical retention; states do
Regulation: 45 CFR 164.530(j) (HIPAA administrative requirements — does not address clinical record retention length)
#5
DID YOU KNOW?
HIPAA administrative documents carry their own 6-year retention requirement.
While clinical record retention is state-driven, HIPAA-related administrative documents, including policies, procedures, risk assessments, and patient authorizations, must be retained for a minimum of 6 years from the date they were last in effect. This is a federal floor that applies regardless of state law.
HIPAA administrative documents, 6-year retention
Regulation: 45 CFR 164.530(j)(2)
Direct Link: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
#6
DID YOU KNOW?
CMS requires providers to retain patient records for at least 7 years from the date of service.
Under 42 CFR 424.516(f), all Medicare physicians, non-physician practitioners, hospitals, and other providers who order, certify, refer, or prescribe Medicare Part A or B services must retain supporting documentation for 7 full years — even if a third party (like an archive vendor) physically holds those records.
CMS 7-year retention requirement
Regulation: 42 CFR 424.516(f)(1)
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-P/section-424.516
#7
DID YOU KNOW?
Non-compliance can result in the revocation of your Medicare enrollment.
Failure to maintain or provide access to required records isn’t just a paperwork issue; CMS may revoke a provider’s Medicare enrollment as a consequence. Critically, each individual missing record may be counted as a separate instance of non-compliance when calculating the length of the re-enrollment bar.
Non-compliance and Medicare enrollment revocation
Regulation: 42 CFR 424.535(a)(10)
Direct Link: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-P/section-424.535
This information is provided for educational purposes only and does not constitute legal advice. Always consult your compliance officer or legal counsel for guidance specific to your practice.
Quick Reference: Federal Retention Requirements
| Record Type | Minimum Period | Key Notes |
|---|---|---|
| Clinical records (Medicare Part A/B) | 7 years | From date of service; provider remains responsible even if third party holds records |
| Medicare Advantage / Managed Care | 10 years | Federal mandate for managed care program participants |
| ACO participant records | 10 years | May extend further if fraud, dispute, or termination involved |
| HIPAA admin documents | 6 years | Policies, procedures, risk assessments, authorizations — from last effective date |
| Medicare cost reports | 5 years | After closure of the cost report |
| Medicare/Medicaid reimbursement records | 6 years | From date of payment or final cost determination |
| Explanation of Benefits (EOBs) | 5–10 years | 5 yrs under cost reporting rules; 10 yrs for managed care; IRS recommends 7 yrs |
| State-mandated clinical records | Varies | Check your state — often exceeds federal floors; consult AHIMA state guides |
Where to Find Authoritative, Up-to-Date Guidance:
CMS MLN Fact Sheet (MLN4840534)
The definitive federal reference for 42 CFR 424.516(f), updated August 2025. Covers the 10-year retention requirement for Medicare providers, what records must be kept, and what constitutes compliance for enrollment and audit purposes.
Direct Link: https://www.cms.gov/outreach-and-education/medicare-learning-network-mln/mlnproducts/mln-publications/mln4840534
CMS Regulations & Guidance Hub
Full regulatory text and program guidance, including transmittals, change requests, and CMS memos. Useful for looking up specific CFR citations and verifying how policy updates affect your retention obligations.
Direct Link: https://www.cms.gov/marketplace/resources/regulations-guidance
AHIMA
Gold-standard state-by-state retention guides for health information management professionals. Covers both paper and electronic records, minor patient rules, and legally compliant destruction standards.
Direct Link: ahima.org
Tavrn.ai State Retention Table
All 50 states with statutory references, updated January 2026. Includes retention periods by record type, minor patient rules, and state-specific variations that go beyond the federal baseline.
Direct Link: tavrn.ai/blog/medical-record-retention-laws-by-state
State Health Dept / Licensing Boards
State-specific rules for your providers’ practice types and specialties. Particularly important for behavioral health, substance use treatment, and other specialties that carry stricter requirements than general medical records laws.
Use these directories to find the rules for your state:
State Health Departments (all 50)
USA.gov maintains a current, linked directory of every state health department.
Direct Link: usa.gov/state-health
State Medical Licensing Boards (all 50)
The Federation of State Medical Boards (FSMB) maintains a national directory of state medical boards, including direct links and contact information for each board.
Direct Link: fsmb.org/contact-a-state-medical-board
Questions About Your Archive?
Your Aesto archive is designed to support your compliance obligations throughout the full retention lifecycle: clinical records, financial records, and everything in between. Reach out to your Aesto representative for more information.