Mental Health Record Retention: How Long to Keep Therapy Records
Overview
Mental Health Record Retention: How Long to Keep Therapy Records
How long should you keep therapy records? The answer isn't simple - it depends on federal regulations, state laws, insurance requirements, malpractice considerations, and the population you serve.
Key takeaways
- Mental Health Record Retention: How Long to Keep Therapy Records How long should you keep therapy records?
- The answer isn't simple - it depends on federal regulations, state laws, insurance requirements, malpractice considerations, and the population you serve.
- Getting it wrong can leave you vulnerable to liability, licensing board complaints, and regulatory violations.
- Keep records too short and you can't defend against malpractice claims.
- Keep them too long and you face storage costs, security risks, and increased breach exposure.
Details
Getting it wrong can leave you vulnerable to liability, licensing board complaints, and regulatory violations. Keep records too short and you can't defend against malpractice claims. Keep them too long and you face storage costs, security risks, and increased breach exposure.
This comprehensive guide helps you navigate record retention requirements and establish compliant retention policies.
Why Record Retention Matters
Legal Protection
Your records may be needed years after treatment ends:
- Malpractice lawsuits (statutes of limitation can be long)
- Licensing board complaints
- Subpoenas for court proceedings
- Disability determinations
- Insurance audits
If you don't have records, you can't defend your care.
Regulatory Compliance
Multiple regulatory frameworks impose retention requirements:
- State licensing laws
- HIPAA
- Medicare/Medicaid conditions
- State medical records laws
- Professional ethics codes
Continuity of Care
Former clients may:
- Return for treatment
- Need records for new providers
- Request records for legal matters
- Need documentation for disability, custody, or other proceedings
Insurance and Billing
Payers may audit claims years after payment:
- Medicare: 5+ years
- Medicaid: Varies by state
- Commercial: Per contract terms
For billing and audit guidance, see our documentation requirements guide.
Federal Requirements
HIPAA
HIPAA does not directly mandate clinical record retention periods. However, HIPAA does require:
Documentation Retention: HIPAA-related documentation must be retained for 6 years from creation or last effective date:
- Policies and procedures
- Privacy practices notices
- Authorization forms
- Accounting of disclosures
- Business Associate Agreements
- Risk assessments
- Training records
Access Requirement: If a patient requests records you're required to maintain, you must provide access. This implies retention for whatever period state law requires.
The HHS HIPAA FAQ confirms HIPAA defers to state law for clinical record retention.
For comprehensive HIPAA guidance, see our HIPAA compliance checklist.
Medicare
Medicare Conditions of Participation require providers to retain records for at least 5 years from the date of service. Some Medicare Administrative Contractors (MACs) have longer requirements.
For Medicare billing guidance, see our Medicare billing guide.
Medicaid
Medicaid requirements vary by state but typically range from 5-10 years. Many states require retention for the longer of:
- 5-6 years from date of service, OR
- 3 years after final audit resolution
42 CFR Part 2
Substance use disorder records covered by 42 CFR Part 2 should be retained per state law and Part 2 requirements. Part 2 doesn't specify a retention period but requires records to be available for certain audits and patient requests.
For Part 2 guidance, see our 42 CFR Part 2 guide.
State Requirements
Variation Across States
State record retention requirements vary significantly:
Common patterns:
- Adult records: 7-10 years from last service
- Minor records: Until age of majority plus several years
- Some states: 10+ years
- Some states: No specific mental health retention period (general medical records law applies)
State-by-State Overview
Note: Laws change. Always verify current requirements with your state licensing board.
| State | Adult Records | Minor Records | Notes |
|---|---|---|---|
| Alabama | 6 years | Age 19 + 6 years | |
| Alaska | 7 years | Age 18 + 7 years | |
| Arizona | 6 years | Age 18 + 6 years | |
| Arkansas | 10 years | Age 18 + 10 years | |
| California | 7 years | Age 18 + 7 years | Additional requirements for certain records |
| Colorado | 7 years | Age 18 + 7 years | |
| Connecticut | 7 years | Age 18 + 7 years | |
| Delaware | 7 years | Age 18 + 7 years | |
| Florida | 7 years | Age 18 + 7 years | |
| Georgia | 10 years | Age 18 + 10 years | |
| Hawaii | 7 years | Age 18 + 7 years | |
| Idaho | 7 years | Age 18 + 7 years | |
| Illinois | 10 years | Age 18 + 10 years | |
| Indiana | 7 years | Age 18 + 7 years | |
| Iowa | 7 years | Age 18 + 7 years | |
| Kansas | 10 years | Age 18 + 10 years | |
| Kentucky | 5 years | Age 18 + 5 years | |
| Louisiana | 10 years | Age 18 + 10 years | |
| Maine | 7 years | Age 18 + 7 years | |
| Maryland | 5 years | Age 18 + 5 years | |
| Massachusetts | 7 years | Age 18 + 7 years | |
| Michigan | 7 years | Age 18 + 7 years | |
| Minnesota | 7 years | Age 18 + 7 years | |
| Mississippi | 10 years | Age 21 + 10 years | |
| Missouri | 7 years | Age 18 + 7 years | |
| Montana | 10 years | Age 18 + 10 years | |
| Nebraska | 10 years | Age 18 + 10 years | |
| Nevada | 5 years | Age 18 + 5 years | |
| New Hampshire | 7 years | Age 18 + 7 years | |
| New Jersey | 7 years | Age 18 + 7 years | |
| New Mexico | 10 years | Age 18 + 10 years | |
| New York | 6 years | Age 21 + 6 years | Age of majority is 21 for some purposes |
| North Carolina | 11 years | Age 18 + 11 years | |
| North Dakota | 6 years | Age 18 + 6 years | |
| Ohio | 7 years | Age 18 + 7 years | |
| Oklahoma | 7 years | Age 18 + 7 years | |
| Oregon | 7 years | Age 18 + 7 years | |
| Pennsylvania | 7 years | Age 18 + 7 years | |
| Rhode Island | 5 years | Age 18 + 5 years | |
| South Carolina | 10 years | Age 18 + 10 years | |
| South Dakota | 10 years | Age 18 + 10 years | |
| Tennessee | 10 years | Age 18 + 10 years | |
| Texas | 7 years | Age 18 + 7 years | |
| Utah | 7 years | Age 18 + 7 years | |
| Vermont | 7 years | Age 18 + 7 years | |
| Virginia | 6 years | Age 18 + 6 years | |
| Washington | 10 years | Age 18 + 10 years | |
| West Virginia | 10 years | Age 18 + 10 years | |
| Wisconsin | 7 years | Age 18 + 7 years | |
| Wyoming | 10 years | Age 18 + 10 years |
Important: This table is for general guidance only. Requirements may have changed, and specific rules may apply to different license types, settings, or record types. Always verify with your state licensing board.
Finding Your State's Requirements
Resources for current state requirements:
- State licensing board website
- State department of health
- State medical records law
- Professional association guidance
- American Health Information Management Association
Malpractice Considerations
Statutes of Limitation
Malpractice statutes of limitation affect how long you may be sued for past services:
General pattern:
- 2-6 years from injury or discovery of injury
- "Discovery rule" may extend period (limitation starts when injury is discovered)
- Special rules for minors (often extended until after reaching majority)
Recommendations from Malpractice Carriers
Most malpractice insurers recommend retention beyond minimum legal requirements:
- Adults: 10 years or statute of limitations, whichever is longer
- Minors: Until age 21-28 (age of majority plus statute of limitations)
Contact your malpractice carrier for their specific recommendations. Some carriers require certain retention periods for coverage.
Practical Recommendation
Conservative approach (recommended):
- Adult records: 10 years from last service OR until any statute of limitations expires, whichever is longer
- Minor records: Until patient reaches age 21-25 PLUS 7-10 years (varies by state)
This approach protects against most conceivable claims while managing storage burden.
Minor Records: Special Considerations
Extended Retention Required
Records for minors must be retained longer because:
- Statutes of limitation often don't begin until majority
- Discovery rule may extend limitations
- Minor may not know about potential claims until adulthood
Calculating Retention Period
Formula: Age of majority + State retention period + Statute of limitations buffer
Example (California):
- Age of majority: 18
- State retention: 7 years
- Statute buffer: Add 3 years for discovery rule
- Minimum: Until age 28
Example (New York):
- Age of majority: 21 (for some purposes)
- State retention: 6 years
- Statute buffer: Add 2.5 years (infant tolling rules)
- Minimum: Until approximately age 30
Practical Approach
For simplicity and protection, many practices retain minor records until the patient reaches age 25-30.
Parental Access Issues
Remember that minor records involve parental access rights, which complicates retention:
- Parents generally can access minor's records
- Some exceptions exist for certain treatments
- Document any access restrictions
For confidentiality with minors, see our informed consent guide.
Special Record Types
Psychological Testing Materials
Psychological test materials have special considerations:
- Test protocols are proprietary
- Raw test data requires professional interpretation
- Some materials should not be released directly to patients
- APA guidelines recommend retaining test data
Psychotherapy Notes (HIPAA Definition)
HIPAA-defined psychotherapy notes (personal notes kept separate from the medical record) may have different considerations:
- Not subject to same access requirements
- May be destroyed sooner if serving no clinical purpose
- Consult state law for specific requirements
Billing Records
Billing records should be retained for:
- Duration of clinical record retention
- Plus any additional payer audit periods
- 7-10 years is common recommendation
Correspondence and Releases
Retain all correspondence, authorization forms, and releases for at least the clinical record retention period:
- Signed authorizations
- Letters to other providers
- Records received from others
- Communications with third parties
Practice Closure or Retirement
Planning for Practice End
When closing a practice:
- Records must continue to be maintained
- Notify patients and offer records
- Transfer records to another provider (with authorization)
- Arrange for secure storage
- Plan for record access during retention period
Options for Record Storage
Transfer to another provider:
- Notify patients
- Obtain authorization (recommended)
- Ensure receiving provider will maintain
Transfer to custodian:
- Another professional
- Professional association
- Records storage company
- Must ensure security and compliance
Personal retention with access plan:
- Maintain personal control
- Ensure successor has access if you become incapacitated
- Document procedures
State Requirements for Practice Closure
Many states have specific requirements for:
- Patient notification timeframe
- Transfer procedures
- Licensing board notification
- Continued availability of records
Check your state licensing board for specific requirements.
Secure Storage Requirements
Physical Records
Security requirements:
- Locked filing cabinets
- Limited access (authorized personnel only)
- Secure facility
- Fire and water protection
- Environmental controls
Organization:
- Clear filing system
- Easy retrieval capability
- Regular inventory
- Destruction scheduling
Electronic Records
Security requirements:
- Encryption at rest
- Encryption in transit
- Access controls
- Audit logging
- Regular backups
- Off-site backup storage
- Malware protection
- Security updates
Cloud storage considerations:
- Business Associate Agreement required
- Data location/jurisdiction
- Backup procedures
- Provider security certifications (SOC 2, HITRUST)
- Long-term provider viability
For HIPAA security requirements, see our HIPAA compliance guide.
Hybrid Approaches
Many practices have both paper and electronic records:
- Maintain consistent retention periods
- Consider digitization of paper records
- Document what is stored where
- Ensure security for both formats
Record Destruction
When to Destroy
Create a destruction schedule:
- Identify retention period for each record type
- Calculate destruction date based on last service + retention period
- Flag records approaching destruction date
- Review before destruction (ensure no litigation holds)
- Destroy according to secure methods
- Document destruction
Litigation Holds
Never destroy records that might be relevant to pending or anticipated litigation.
When litigation is possible:
- Suspend destruction for relevant records
- Document the hold
- Maintain hold until litigation resolved
- Consult attorney before lifting hold
Secure Destruction Methods
Paper records:
- Cross-cut shredding (confetti cut, not strip cut)
- Professional shredding service (obtain certificate of destruction)
- Incineration
Electronic records:
- Secure deletion software (not just "delete")
- Physical destruction of media
- Degaussing (for magnetic media)
- Certificate of destruction from vendor
Documentation of Destruction
Maintain permanent log of destroyed records:
- Patient identifier (may be coded)
- Date range of services
- Date of destruction
- Method of destruction
- Person responsible
- Certificate from destruction vendor (if applicable)
Do NOT destroy the destruction log. Keep indefinitely.
What to Keep After Destruction
Even after destroying clinical records, consider retaining:
- Destruction log
- Basic identifying information
- Treatment dates
- Discharge summary (in some cases)
This may help respond to future inquiries about whether treatment occurred.
Creating a Retention Policy
Policy Elements
Your written retention policy should include:
1. Retention Periods
- Adult records: X years from last service
- Minor records: Until age X + Y years
- Special record types (testing, billing, etc.)
- Basis for chosen periods (state law, malpractice considerations)
2. Storage Requirements
- Physical storage standards
- Electronic storage standards
- Backup procedures
- Security measures
3. Destruction Procedures
- Trigger for destruction review
- Review process before destruction
- Destruction methods
- Documentation requirements
- Litigation hold procedures
4. Practice Closure Provisions
- Notification procedures
- Transfer procedures
- Continued access arrangements
5. Responsibility Assignment
- Who monitors retention schedule
- Who authorizes destruction
- Who maintains destruction log
Sample Policy Framework
[Practice Name] Record Retention Policy
Retention Periods:
- Adult clinical records: 10 years from date of last service
- Minor clinical records: Until patient reaches age 25, plus 10 years
- Billing records: 10 years from date of service
- HIPAA-related documentation: 6 years from creation or last effective date
Annual Review: On [date] each year, records meeting destruction criteria will be identified and reviewed for litigation holds before destruction.
Destruction Method: Paper records will be cross-cut shredded by [vendor]. Electronic records will be securely deleted using [method/software]. Certificates of destruction will be maintained indefinitely.
Destruction Log: A permanent log will be maintained documenting all record destruction, including patient identifier, date range, destruction date, method, and responsible party.
Litigation Hold: Upon notice of actual or anticipated litigation, relevant records will be preserved regardless of retention schedule. The [Privacy Officer/designated person] will be responsible for implementing and lifting litigation holds.
Frequently Asked Questions
Can I scan paper records and destroy the originals?
Yes, in most states, properly created electronic copies can replace paper originals. Ensure:
- Scan quality preserves all information
- Electronic storage meets security requirements
- BAA in place if using cloud storage
- Original is properly destroyed
What if I've already destroyed records I need?
If records were destroyed according to policy after the retention period:
- Document that records were destroyed per policy
- Provide what information you can from remaining documentation
- Consult attorney if litigation is involved
If records were destroyed improperly:
- Consult attorney immediately
- Document what happened
- Report to malpractice carrier if claim possible
Do I need to keep records for clients who never returned after intake?
Yes. All clinical records require retention regardless of treatment duration. One-session records should be retained for the same period as ongoing treatment records.
What about records from before I had a policy?
Apply your current retention policy to all records. Establish destruction dates based on last service date. Don't destroy records simply because they're old without following proper procedures.
Can patients request destruction of their records?
Generally, no. You have legal obligations to retain records regardless of patient preference. You may explain retention requirements to requesting patients.
How do I handle records after a client's death?
Continue to apply standard retention periods after a patient's death. Records may still be needed for:
- Estate proceedings
- Family members' health needs
- Legal matters
- Research
What about records for clients I never billed insurance for?
Retention requirements apply regardless of payer source. Cash-pay records need the same retention as insured records.
Should I keep records longer than required "just in case"?
Some providers do retain records indefinitely, but this creates:
- Storage costs
- Security burdens
- Increased breach risk exposure
A well-documented retention policy followed consistently provides protection while managing burden.
Ease Health's EHR includes retention tracking, destruction scheduling, and compliant storage to help you manage records throughout their lifecycle. Schedule a demo to see how we simplify compliance.
Next steps
- Review the key takeaways and adapt them to your practice workflow.
- Use the details section as a checklist when you implement or troubleshoot.
- Share this with your billing or admin team to align on process and terminology.
