What is the minimum record retention period under HIPAA?

HIPAA itself does not mandate a specific retention period for clinical records. What HIPAA does require is that HIPAA-related documentation — such as policies, procedures, authorizations, and the Notice of Privacy Practices — be retained for six years from the date of creation or the date it was last in effect, whichever is later (45 CFR 164.530(j)). Record retention periods for clinical records are governed by state law, which varies from 5 to 10 years for adults and often longer for minors. The APA recommends retaining complete records for a minimum of 7 years after the last date of service, and longer for minors.

How long do I keep records for minor clients?

Most states require that records for minor clients be retained for the standard adult retention period OR until the minor reaches the age of majority plus the adult retention period — whichever is longer. For example, if your state requires 7 years of retention for adults and a client is 10 years old at the time of treatment, you must retain the record until the child turns 18 plus 7 additional years, for a total of 15 years after treatment. Some states specify even longer periods for minors. Check your state's specific statute.

What about records for deceased clients?

Records for deceased clients should be retained for the full retention period as if the client were still living. The death of a client does not shorten the retention period. After the retention period expires, records may be destroyed following your standard destruction procedures. Note that the personal representative of the deceased client (typically the executor of the estate) has the right to access records under HIPAA.

How should I destroy records when the retention period expires?

Paper records must be shredded or incinerated — simply discarding them in the trash is a HIPAA violation. Electronic records must be permanently deleted using methods that prevent reconstruction (disk wiping, degaussing, or physical destruction of the storage medium). Many practices use HIPAA-compliant shredding services that provide a certificate of destruction. Document the destruction of records, including the client identifier (initials or ID number), the date range of records destroyed, the date of destruction, the method, and the person responsible.

What if I retire or close my practice?

Closing your practice does not end your record retention obligations. You must ensure that client records remain accessible for the full retention period. Options include: transferring records to another provider (with client consent), using a HIPAA-compliant records storage service, or maintaining records yourself in secure storage. You must notify clients of the closure and provide instructions for how to access their records. Your state licensing board may have specific requirements for practice closure notifications.

Record Retention Policy Guide for Mental Health Records

Practice Forms|10 min read|Updated 2026-03-20|Clinically reviewed

What Is a Record Retention Policy?

A record retention policy is a written document that establishes how long your practice will maintain clinical records, what types of records are covered, how records will be stored and secured, and how records will be destroyed when the retention period expires. It is both a compliance requirement and a risk management tool.

For mental health professionals, record retention is governed by a patchwork of federal regulations (HIPAA), state laws (which vary significantly), professional ethics codes (APA, NASW, ACA), and malpractice considerations. The applicable retention period depends on which of these requirements imposes the longest obligation — and you must comply with the most stringent standard.

A clear, written record retention policy protects you in several ways. It demonstrates compliance with legal and ethical requirements during audits, licensing board inquiries, and legal proceedings. It provides a consistent framework for managing records as clients terminate, transfer, or become inactive. And it establishes a defensible procedure for record destruction that reduces liability for both premature destruction and indefinite retention.

Without a policy, practices tend to either destroy records too soon (creating legal exposure if records are later needed) or retain records indefinitely (creating storage costs, security risks, and breach exposure for records that no longer serve a clinical or legal purpose).

When You Need It

When establishing a new practice — the policy should be in place before you see your first client
When you are subject to an audit, licensing board review, or malpractice claim and must demonstrate a systematic records management approach
When clients request records years after treatment has ended and you need a framework for responding
When transitioning from paper to electronic records and need to define retention periods for both formats
When preparing for practice closure, retirement, or sale
When your state updates its record retention laws

Key Components / What to Include

1. Applicable Laws and Standards

Identify the specific laws, regulations, and professional standards that govern your record retention obligations. At a minimum, this includes your state's record retention statute, HIPAA documentation requirements (45 CFR 164.530(j)), and your professional ethics code.

2. Types of Records Covered

Define the categories of records your policy covers. These typically include:

Clinical records (intake assessments, treatment plans, progress notes, discharge summaries)
Psychotherapy notes (if maintained separately, per HIPAA)
Psychological testing records and raw data
Billing and financial records
Informed consent documents, authorizations, and HIPAA acknowledgments
Correspondence (letters, emails, faxes related to client care)
Administrative records (appointment schedules, contact logs)

3. Retention Periods

Specify the retention period for each category of record. Address the different requirements for adult clients, minor clients, and HIPAA administrative documentation. When in doubt, apply the longest applicable period.

4. Storage and Security Requirements

Describe how records are stored during the retention period — including physical security for paper records (locked cabinets, restricted access) and technical safeguards for electronic records (encryption, access controls, backup procedures). Records must be maintained in a manner that ensures their integrity, confidentiality, and availability for the full retention period.

5. Destruction Procedures

Detail the procedures for destroying records when the retention period expires, including acceptable destruction methods (shredding, incineration for paper; permanent deletion, disk wiping for electronic), documentation of destruction, and the person responsible for overseeing destruction.

6. Practice Closure or Transition Provisions

Address what happens to records if you retire, close your practice, become incapacitated, die, or sell your practice. Identify a professional executor or custodian of records and describe the procedures they will follow.

7. Exceptions and Holds

Describe circumstances in which records must be retained beyond the standard period, including active litigation holds, ongoing complaints or investigations, and clients who have notified you that they intend to file a claim.

Record Retention Policy — Private Practice

[PRACTICE NAME] RECORD RETENTION AND DESTRUCTION POLICY Effective Date: January 1, 2026 Last Reviewed: March 20, 2026

1. Purpose

This policy establishes the standards for retention, storage, and destruction of client records maintained by [Practice Name] in compliance with federal law (HIPAA), [State] state law ([cite statute, e.g., State Code § XX-XX-XX]), and the [APA/NASW/ACA] Code of Ethics.

2. Scope

This policy applies to all clinical, administrative, and financial records for all clients of [Practice Name], whether maintained in paper or electronic format.

3. Retention Periods

Record Type	Retention Period
Adult clinical records (intake, treatment plans, progress notes, discharge summaries)	7 years after the last date of service or as required by [State] law, whichever is longer
Minor clinical records	Until the client reaches age 18 plus 7 years (or the adult retention period, whichever is longer)
Psychotherapy notes (if maintained separately per HIPAA)	Same as clinical records
Psychological testing records and raw data	7 years after the last date of service; raw test data may be retained longer per APA guidelines
HIPAA administrative records (NPP, authorizations, policies, BAAs, breach notifications)	6 years from date of creation or last effective date, whichever is later
Billing and financial records	7 years after the date of service (consistent with IRS and CMS requirements)
Informed consent documents	Duration of the clinical record retention period
Correspondence related to client care	Duration of the clinical record retention period

4. Storage and Security

Paper records:

Stored in locked, fireproof filing cabinets in [location]
Access limited to [Clinician Name] and authorized administrative staff
Keys/combinations maintained by [Clinician Name] only
Office secured with [deadbolt lock / alarm system / access code]

Electronic records:

Maintained in [EHR system name], a HIPAA-compliant electronic health record system
Encrypted at rest and in transit
Access controlled by unique username and password; multi-factor authentication enabled
Backed up [daily/weekly] to [encrypted cloud backup / secure offsite location]
Audit logs maintained to track access and modifications

5. Destruction Procedures

When the retention period for a record has expired and no litigation hold or exception applies:

Paper records:

Shredded using a cross-cut shredder (minimum P-4 security level) or destroyed by a HIPAA-compliant shredding service
A certificate of destruction obtained from the shredding service (if applicable)

Electronic records:

Permanently deleted from the EHR system and all backups
Electronic storage media that is decommissioned is sanitized using NIST 800-88 guidelines or physically destroyed

Documentation of destruction: For each record destroyed, the following is logged:

Client identifier (initials or ID number — not full name)
Date range of records
Date of destruction
Method of destruction
Person who performed or supervised the destruction

6. Exceptions and Litigation Holds

Records will be retained beyond the standard retention period in the following circumstances:

The clinician is aware of pending or anticipated litigation, complaint, or investigation involving the client
The client or their representative has made a written request for records that has not yet been fulfilled
A government investigation or audit is pending
The clinician has reason to believe the records may be needed for any legal proceeding

The litigation hold remains in effect until the matter is fully resolved.

7. Practice Closure / Incapacity / Death

In the event that [Clinician Name] retires, becomes permanently incapacitated, or dies:

Designated Records Custodian: Name: [Name of designated colleague or attorney] Credentials: [Credentials] Address: [Address] Phone: [Phone]

The Records Custodian is authorized to:

Secure all client records
Notify active clients of the practice closure and provide information about how to access records or transfer to a new provider
Respond to authorized record requests
Maintain records for the duration of the applicable retention periods
Destroy records in accordance with this policy when retention periods expire

A signed Records Custodian Agreement is maintained with this policy.

8. Annual Review

This policy will be reviewed annually and updated as needed to reflect changes in federal or state law, professional guidelines, or practice operations.

Approved by: [Clinician Name], [Credentials] Date: ________________

This is a sample for educational purposes only — not real patient data.

How to Implement It

Step 1: Research your state's specific retention requirements. State laws vary from 5 to 10+ years for adult records, and the rules for minor records vary even more widely. Some states specify different periods for different types of records (e.g., psychological testing data may have a different retention period than progress notes). Your state licensing board's website or your malpractice carrier can provide this information.

Step 2: Apply the most conservative standard. When HIPAA, state law, and your professional ethics code impose different retention periods, comply with the longest one. This approach eliminates the risk of prematurely destroying records and simplifies your policy.

Step 3: Designate a records custodian. Every solo practitioner should identify a colleague, attorney, or professional entity who will manage records in the event of the practitioner's death, incapacity, or unexpected practice closure. Execute a written custodian agreement that specifies the custodian's responsibilities.

Step 4: Implement a tracking system. Use your EHR system or a simple spreadsheet to track the retention period for each client's records. Set calendar reminders to review records that are approaching their destruction date.

Step 5: Conduct annual destruction reviews. Once per year, review your records inventory to identify records that have passed their retention period and are eligible for destruction. Process the destruction, document it in your destruction log, and retain the log permanently.

Step 6: Keep the policy accessible. Store your record retention policy where you can access it quickly — in your compliance manual, your EHR system, or your practice management files. You will need to reference it when responding to records requests, preparing for audits, or planning for practice transitions.

Common Mistakes

Having no written policy. Many solo practitioners handle record retention informally, keeping records until they run out of storage space and then scrambling to determine what can be destroyed. This ad hoc approach creates legal risk and is difficult to defend in a complaint or audit.

Destroying records too early. If a client files a malpractice claim or licensing board complaint after you have destroyed their records, you have lost your primary defense. Always err on the side of retaining records longer than the minimum required period.

Failing to account for minor client records. The retention period for minor clients is almost always longer than for adults because the clock does not start running until the minor reaches the age of majority. A therapist who treats a 5-year-old may need to retain that record for 20 or more years.

Disposing of records improperly. Placing client records in a dumpster or recycling bin — even if torn up — is a HIPAA violation and potentially a reportable breach. All records containing PHI must be rendered unreadable and unrecoverable through shredding, incineration, or electronic sanitization.

Not planning for practice closure. The number one record retention failure in mental health is when a practitioner dies or becomes incapacitated without a designated records custodian. Client records become inaccessible, confidentiality is compromised, and no one is authorized to respond to records requests or maintain the records for the retention period.

Ignoring litigation holds. If you are aware of a potential claim, complaint, or lawsuit — even if not yet formally filed — you must suspend normal destruction procedures for the relevant records. Destroying records after you know or should know that litigation is possible can constitute spoliation of evidence, which carries separate legal penalties.

Writing a clinical document right now?

My Clinical Writer helps you generate clinical documents from your session details in under 60 seconds.

Try My Clinical Writer Free →

myclinicalwriter.ai