Maryland Medical Records Retention Laws (2026 Guide)
Maryland has a layered set of rules governing how long hospitals, physicians, and other health care providers must keep patient medical records. State regulations under the Code of Maryland Regulations (COMAR), the Maryland Health-General Article, federal HIPAA requirements, and CMS Conditions of Participation all play a role.
This guide breaks down every requirement so patients, providers, and health care administrators in Maryland understand their rights and obligations.
Maryland State Requirements: COMAR 10.01.16.04
The primary state regulation governing medical records retention is COMAR 10.01.16.04, titled "Maintenance of Medical Records." This regulation applies to all health care providers licensed or certified in Maryland.
General Retention Period
Under COMAR 10.01.16.04, a health care provider must maintain medical records for all patients for a minimum of 5 years after the medical record is made, or until the patient reaches age 21, whichever is longer.
This 5-year minimum applies equally to:
- Hospitals and health systems
- Physicians in private practice
- Clinics and outpatient facilities
- Allied health professionals (nurses, physical therapists, etc.)
The regulation does not distinguish between provider types. Every health care provider subject to Maryland licensing falls under the same baseline requirement.
Records for Minor Patients
For patients who are minors, the retention period extends significantly. Because the rule requires records to be kept for 5 years or until the patient turns 21 (whichever is longer), a record created at birth would need to be retained for at least 21 years.
The Maryland Health-General Article (discussed below) adds a separate and stricter standard for destruction of minor patient records.
Storage Requirements
COMAR 10.01.16.04 specifies that medical records must be stored in one of the following:
- An office with access restricted to authorized staff
- A computer or other device with appropriate security measures such as passwords or data encryption
- A commercial records storage site with appropriate environmental and security controls
- Any other secure location that provides protection, security, and access control
Even when records are kept in off-site storage, the health care provider remains responsible for:
- Providing patient access and authorized copies
- Maintaining confidentiality
- Ensuring security and restricted access
- Protecting records from damage, loss, and deterioration
Electronic Health Records
If medical records are maintained electronically, COMAR 10.01.16.04 requires the provider to:
- Maintain or have access to compatible electronic hardware and software that can generate a legible copy of the record
- Prepare and maintain a current backup copy of all electronic medical record files
This means a provider cannot simply store electronic records on outdated media without ensuring they remain accessible and readable throughout the entire retention period.
Maryland Health-General Article 4-403: Destruction of Records
Maryland Health-General Article 4-403 provides the state statutory framework for when and how medical records may be destroyed. This statute sets a 7-year retention floor before destruction can occur with proper patient notification.
The 7-Year Standard
Under Section 4-403, health care providers must retain medical records for 7 years after the date of creation before the records may be destroyed. Providers who wish to destroy records before the 7-year mark must provide advance notification to the patient.
Minor Patient Records: Retained Until Age 25
Section 4-403 contains a specific and strict provision for minor patients. A medical record for a minor patient may not be destroyed until the patient reaches the age of majority (18) plus 7 years, which means records must be kept until the patient turns 25 years old.
The only exceptions are:
- The parent or guardian of the minor patient is notified before destruction
- If the medical care was provided under confidentiality statutes (Health-General 20-102(c) or 20-103(c)), the minor patient is directly notified instead
These confidentiality-protected situations include treatment for:
- Substance use or alcoholism
- Sexually transmitted infections
- Pregnancy or contraception
- Alleged rape or sexual assault
- Medical screening in a detention center
In those cases, the notification goes directly to the patient (even if still a minor at the time of destruction), not the parent or guardian.
Notification Before Destruction
Before destroying any medical records, the provider must notify the patient through:
- First-class mail to the last known address, OR
- Email to the last known email address (with a fallback to first-class mail if no response is received within 10 days)
The notice must include:
- The specific date the record will be destroyed
- A statement that the record or a synopsis of the record may be retrieved at a designated location within 60 days before the destruction date
Penalties for Violations
Maryland imposes significant penalties for improper destruction of medical records:
Health care facilities (hospitals, clinics):
- Fines up to $10,000 per day for each day of violation
Individual providers (physicians, nurses, therapists):
- First violation: up to $1,000 per day
- Second violation: up to $2,500 per day
- Third and subsequent violations: up to $5,000 per day
All violators are also liable for actual damages suffered by patients whose records were improperly destroyed.
Hospital vs. Physician Requirements
While COMAR 10.01.16.04 applies the same 5-year minimum to both hospitals and individual physicians, there are practical differences in how these requirements play out.
Hospitals
Maryland hospitals face a combination of state and federal retention obligations:
| Requirement | Retention Period | Authority |
|---|---|---|
| COMAR 10.01.16.04 | 5 years (or until patient turns 21) | State regulation |
| Health-General 4-403 | 7 years before destruction (with notice) | State statute |
| 42 CFR 482.24 (CMS) | 5 years minimum | Federal regulation |
| Medicare billing records | 7 years from date of service | Federal (42 CFR 424.516) |
| Minor patients | Until age 25 | State statute |
In practice, Maryland hospitals should retain records for at least 7 years from creation to satisfy both state and federal requirements, and longer for minors or when Medicare billing documentation is involved.
Physicians in Private Practice
The Maryland Board of Physicians directs physicians to Health-General 4-403 as the governing authority. Physicians must:
- Maintain records for at least 7 years from the date of creation
- Keep minor patient records until the patient turns 25
- Provide proper notification before destroying any records
- Maintain records in secure storage meeting COMAR standards
Physicians who also bill Medicare must additionally retain records for 7 years from the date of service under federal rules.
Federal Requirements: HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) plays an important but often misunderstood role in medical records retention.
HIPAA Does Not Set a Retention Period
According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule does not include medical record retention requirements. State laws govern how long medical records must be retained.
What HIPAA Does Require
While HIPAA does not dictate how long to keep patient records, it does impose requirements that affect records management:
Privacy safeguards: Covered entities must apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for the entire time the information is maintained, including during the disposal process.
HIPAA documentation retention: Covered entities must maintain their own compliance documentation (privacy policies, notices of privacy practices, complaint dispositions, and related records) for 6 years after the later of the creation date or the last effective date. This is about the organization's own HIPAA compliance paperwork, not patient medical records.
Disposal standards: When records are eventually destroyed, HIPAA requires that covered entities render protected health information unreadable and indecipherable. Acceptable methods include:
- Shredding, burning, pulping, or pulverizing paper records
- Degaussing or destroying electronic media
- Using certified data destruction services
PHI may never be placed in dumpsters, recycling bins, or trash receptacles accessible to unauthorized persons.
Federal Requirements: CMS Conditions of Participation
Hospitals that participate in Medicare must comply with the Conditions of Participation under 42 CFR 482.24, which establishes requirements for medical record services.
5-Year Minimum for Hospitals
Under 42 CFR 482.24, medical records must be retained in their original or legally reproduced form for at least 5 years. This federal minimum aligns with the COMAR baseline but is shorter than the 7-year destruction standard under Health-General 4-403.
Medicare Billing Documentation
Separately, under 42 CFR 424.516(f), Medicare providers (including both hospitals and physicians) must retain records supporting Medicare billing for 7 years from the date of service. This requirement applies to:
- Physicians and non-physician practitioners
- Hospitals and health systems
- Other Medicare-enrolled providers and suppliers
Practical Impact
For Maryland hospitals, the combination of state and federal rules means the effective retention floor is 7 years from creation for general records, with longer periods for minor patients and Medicare-related documentation.
Patient Access to Medical Records
Maryland law provides strong patient access rights under Health-General Article 4-304.
Right to Copies
A health care provider must comply within a reasonable time after a patient (or their authorized representative) submits a written request for copies. The maximum response time is 21 working days from the date of the request.
Fees for Copies
Maryland law caps the fees providers may charge for record copies:
| Format | Maximum Fee |
|---|---|
| Paper copies | $0.76 per page plus actual postage |
| Electronic copies | 75% of the per-page rate (max $80 total) plus actual postage |
| Preparation fee (electronic) | $22.88 maximum |
| Maryland Medical Assistance patients | $20 per 100 pages (adjusted for inflation) |
Fee Exemptions
Providers may not charge any fee for copies requested for the purpose of filing or appealing a Social Security disability claim.
A provider also may not refuse to release records because the patient has unpaid medical bills. Under Maryland law, outstanding fees for health care services cannot be used as a reason to withhold medical records.
Psychiatric and Psychological Records
For psychiatric or psychological records, a provider may withhold portions of the record if disclosure could cause harm to the patient. However, the provider must still:
- Provide a summary of the withheld information
- Allow access through an authorized alternative provider designated by the patient
Proper Destruction of Medical Records
COMAR 10.01.16.05 sets out the specific requirements for destroying medical records in Maryland once the retention period has been met.
Approved Destruction Methods
Paper records must be destroyed by incineration, shredding, pulping, or another comparable process that renders the records permanently unreadable.
Electronic and magnetic media must be completely sanitized, not merely erased or deleted. Simple deletion of files does not meet the regulatory standard.
Other formats (film, photographs, CDs, and similar media) must be destroyed with no possibility of recovery.
All destruction methods must also comply with the HIPAA Security Rule provisions at 45 CFR 164.310(d).
Divisibility of Records
Under COMAR 10.01.16.05, providers may treat medical records as divisible units in the provider's professional judgment. This means a provider can destroy older portions of a record that have met the retention requirement while retaining more recent portions that have not.
Practice Closure, Retirement, and Physician Death
When a Maryland physician retires, dies, surrenders their license, or otherwise discontinues practice, specific rules govern what happens to patient records.
Transfer of Records
Under Health-General 4-403 and Maryland Board of Physicians guidance, the medical records must be transferred to one of the following:
- Another health care provider
- The administrator of the physician's estate
- A designee who has agreed to maintain the records
Board Notification
The new custodian of the records must notify the Maryland Board of Physicians in writing that the records will be maintained in compliance with state law. This notification should be sent to:
Maryland Board of Physicians
4201 Patterson Avenue
Baltimore, MD 21215
Email: mdh.mbp_intake@maryland.gov
Phone: 410-764-4777 or 800-492-6836 (toll-free)
Patient Notification
Patients of the closed practice must also be notified that their records have been transferred and how to access them. The new custodian assumes all the same obligations for record security, access, and retention that applied to the original provider.
Retention Obligations Continue
The transfer of records does not restart or reduce the retention clock. If a record was 3 years old when the practice closed, the new custodian must maintain it for at least the remaining years required under state law.
Sources and References
- Code of Maryland Regulations (COMAR) 10.01.16.04, Maintenance of Medical Records. Maryland Department of Health.
- Maryland Health-General Article 4-403, Destruction of Medical Records. Maryland General Assembly.
- COMAR 10.01.16.05, Disposal of Medical Records. Maryland Department of Health.
- Maryland Health-General Article 4-304, Copies of Records; Changes in Records. Maryland General Assembly.
- 42 CFR 482.24, Condition of Participation: Medical Record Services. U.S. Centers for Medicare and Medicaid Services.
- HIPAA Privacy Rule FAQ: Medical Record Retention. U.S. Department of Health and Human Services.
- HIPAA Disposal of Protected Health Information FAQ. U.S. Department of Health and Human Services.
- Maryland Board of Physicians, Medical Record Retention FAQs. Maryland Department of Health.
- Maryland Board of Physicians, Medical Records for Consumers FAQs. Maryland Department of Health.
- 45 CFR 164.310(d), HIPAA Security Rule Disposal. U.S. Department of Health and Human Services.
- CMS Medical Record Maintenance and Access Requirements. U.S. Centers for Medicare and Medicaid Services.
- CMS Medical Record Retention and Media Format. U.S. Centers for Medicare and Medicaid Services.