Ohio Medical Records Retention Laws (2026 Guide)
Ohio medical records retention laws establish how long hospitals, physicians, and other healthcare providers must preserve patient health information. The primary state regulation, OAC 3701-83-11, requires licensed health care facilities to maintain medical records for at least six years from the date of patient discharge.
Understanding these rules is important for both providers and patients. Providers who destroy records too early face potential disciplinary action, criminal liability, and malpractice exposure. Patients who need old medical records should know how long their provider is required to keep them and what rights they have to access their files.
This guide covers all Ohio-specific retention requirements for hospitals and physicians, rules for minor and deceased patient records, federal requirements under HIPAA and CMS, patient access rights, proper destruction procedures, and what happens when a medical practice closes.
Ohio Hospital Medical Records Retention Requirements
Ohio law sets clear retention requirements for hospitals and other licensed health care facilities. The Ohio Department of Health administers these rules under the Ohio Administrative Code (OAC) Chapter 3701-83.
The Six-Year Hospital Retention Rule
OAC 3701-83-11 establishes the general medical records requirements for all licensed health care facilities (HCFs) in Ohio. Under this rule, each HCF must maintain medical records as necessary to verify the information and reports required by statute or regulation for at least six years from the date of discharge.
This six-year minimum applies to all facility types licensed under OAC Chapter 3701-83, including hospitals, ambulatory surgical facilities, freestanding dialysis centers, freestanding birthing centers, freestanding radiation therapy centers, and freestanding or mobile diagnostic imaging centers.
The six-year clock begins on the date of patient discharge, not the date of the last entry in the record. This distinction matters for patients with extended hospital stays or those who receive ongoing care at the same facility.
What Hospital Records Must Include
Under OAC 3701-83-11, each health care facility must maintain a medical record for each patient that documents the patient's needs, assessments, and services rendered. Records must be legible and accessible to staff involved in patient care.
At a minimum, hospital medical records should contain:
- Patient identification and demographic information
- Admission and discharge dates
- History and physical examination findings
- Physician orders and progress notes
- Operative reports and pathology findings
- Nursing notes and medication administration records
- Diagnostic test results and laboratory reports
- Discharge summary with follow-up instructions
Facilities must also maintain an adequate medical record keeping system and take appropriate measures to protect medical records against theft, loss, destruction, and unauthorized use. Policies and procedures must be in place to ensure the confidentiality of patient medical records.
Additional Facility-Specific Requirements
Some facility types in Ohio have additional or overlapping medical records rules:
| Facility Type | Retention Period | Legal Authority |
|---|---|---|
| Hospitals and licensed HCFs | 6 years after discharge | OAC 3701-83-11 |
| Nursing homes | 7 years | OAC 3701-17-19 |
| Freestanding diagnostic imaging centers | 6 years from date of service | OAC 3701-83-54 |
| Ambulatory surgical facilities | 6 years after discharge | OAC 3701-83-11 (general rule applies) |
Ohio nursing homes must retain all records and reports required by OAC rules 3701-17-01 through 3701-17-26 for seven years. Upon closure of a nursing home, the operator must provide for the retention of records in a secured manner for not less than seven years and notify the director of the Ohio Department of Health of the location where records will be stored.
Nursing home residents and former residents, or their legal representatives, have the right to access their medical and financial records within 24 hours of request (excluding holidays and weekends). Photocopies must be provided within two working days of advance notice at a cost not exceeding the community standard for photocopying, unless otherwise specified by law.
Physician and Private Practice Retention Requirements
Ohio does not have a single statute that mandates how long private physicians must retain patient medical records. This distinguishes Ohio from some states that set explicit retention periods for all provider types.
The Six-Year Best Practice Standard
Although no Ohio statute directly mandates a specific retention period for private physician offices, the Ohio State Medical Board recommends that physicians retain their records for at least six years. This recommendation is grounded in several overlapping requirements.
ORC 2913.40(D) mandates that any person who has submitted a claim for or provided goods or services under the Medicaid program must retain all records dealing with the treatment of a Medicaid patient for a period of at least six years after reimbursement is received. This includes medical, professional, financial, and business records relating to treatment, care, or goods and services provided to Medicaid recipients.
As a condition of participation in the federal Medicare program, healthcare providers agree to retain all records dealing with the treatment of a Medicare patient for a period of at least five years. Most practices serve both Medicaid and Medicare patients, making the six-year standard the practical minimum.
AMA Ethical Standards and Medical Board Enforcement
Under ORC 4731.22(B)(18), physicians licensed in Ohio can be disciplined by the Ohio State Medical Board for violating any of the American Medical Association's ethical rules. AMA Opinion 7.05 specifically addresses medical record retention and states that medical considerations are the primary basis for deciding how long to retain medical records.
The AMA recommends that physicians retain medical records for at least 10 years from the date of last treatment when possible. The AMA also states that immunization records should be kept indefinitely and that records of minor patients should be retained for longer periods.
Because the Medical Board can discipline physicians for violating AMA ethical guidelines, Ohio physicians who destroy records prematurely face potential regulatory consequences beyond the six-year Medicaid retention floor.
Why Physicians Should Consider Longer Retention
Even without a single mandatory retention statute, Ohio physicians who destroy records before the six-year mark face several risks:
- Criminal liability under ORC 2913.40 for destroying Medicaid patient records
- Inability to defend against a malpractice claim filed within the statute of limitations
- Medical Board discipline for violating AMA ethical standards
- Loss of documentation needed for Medicare or Medicaid billing audits
- Potential liability if a patient suffers harm due to a provider not having access to prior treatment history
The Ohio Health Information Management Association (OHIMA) and the Ohio State Medical Association both recommend that physicians retain medical records indefinitely when feasible.
Records of Minor Patients
Ohio applies special retention considerations for the medical records of children. These extended retention periods reflect the tolling of the statute of limitations during a patient's minority.
Statute of Limitations Tolling for Minors
Under ORC 2305.16, if a person entitled to bring any action is within the age of minority at the time the cause of action accrues, the person may bring the action within the respective time limits after the disability is removed. In practical terms, the statute of limitations clock does not begin running until the minor reaches 18 years of age.
Under ORC 2305.113, an action for medical malpractice must be commenced within one year after the cause of action accrues, with an absolute outer limit of four years from the occurrence of the act or omission constituting the alleged basis of the claim. Because the tolling provision suspends the clock during minority, a child treated at age 5 could potentially file a malpractice claim until age 22 (four years after turning 18).
Recommended Retention Period for Minor Records
Based on the tolling provisions, Ohio healthcare providers should retain medical records of minor patients for at least six years beyond the child's 18th birthday (until age 24). This accounts for the six-year hospital retention floor applied after the longest possible statute of limitations period.
For hospitals, the standard six-year post-discharge rule in OAC 3701-83-11 still applies. If a child is treated at age 5 and discharged, the hospital must keep the record for at least six years (until the child is 11). However, best practice dictates retaining the record until the child turns 24 to cover the tolled malpractice period.
Providers should always apply the longer retention period when state rules and best practice recommendations conflict.
Practical Example
Consider a child born in 2020 who receives treatment at an Ohio hospital in 2023 (age 3) and is discharged:
- The hospital's six-year retention rule requires keeping the record until 2029
- The statute of limitations tolling means the child cannot file a malpractice claim until after turning 18 in 2038
- The four-year statute of repose from the date the minor turns 18 extends the deadline to 2042
- Best practice: retain the record until at least 2044 (age 24, covering the six-year retention floor beyond the tolled period)
This extended timeline shows why pediatric providers and children's hospitals often retain records far beyond the standard six-year period.
Federal Requirements: HIPAA and CMS
Ohio providers must comply with both state and federal medical records requirements. When state and federal rules conflict, the stricter standard applies.
HIPAA Documentation Requirements
One of the most common misconceptions is that HIPAA requires providers to keep patient medical records for a specific number of years. It does not.
HIPAA requires covered entities to retain HIPAA-related administrative documentation for six years from the date of creation or the date when the document was last in effect, whichever is later, under 45 CFR 164.530(j). This six-year requirement covers:
- Privacy and security policies and procedures
- Business associate agreements
- Patient authorization forms
- Training records
- Complaint and resolution documentation
- Risk assessments and audit logs
The six-year rule applies to compliance paperwork only, not to patient treatment records. How long actual patient medical records must be kept is determined by state law.
HIPAA Privacy and Security Protections
While HIPAA does not dictate retention periods for medical records, it does require that all protected health information (PHI) be safeguarded for as long as it exists. This means that even after a record has passed the minimum retention period, if it has not been destroyed, it must continue to be protected under HIPAA privacy and security standards.
Any disclosure of patient medical records must be permitted under HIPAA and applicable Ohio law. Ohio providers may not disclose individual medical records except as provided by state and federal laws and regulations, per OAC 3701-83-11.
CMS and Medicare Requirements
CMS Conditions of Participation establish separate federal minimums for providers participating in Medicare or Medicaid:
| Provider Type | Minimum Retention | Federal Authority |
|---|---|---|
| Hospitals (Medicare) | 5 years after discharge | 42 CFR 482.24 |
| General Medicare providers | 7 years from date of service | CMS guidelines |
| Medicare Part D sponsors | 10 years from date of service | CMS guidelines |
| Hospice programs | 6 years after discharge or death | 42 CFR 418.104 |
For Ohio hospitals that participate in Medicare, the state's six-year requirement exceeds the federal five-year minimum. Ohio's stricter standard controls, meaning these hospitals must retain records for six years.
For Ohio physician offices that accept Medicare, the federal seven-year requirement exceeds Ohio's six-year recommendation for private practices. This means Medicare-participating Ohio physicians must retain records for at least seven years from the date of service.
Ohio providers participating in Medicaid must retain records for at least six years after reimbursement is received, per ORC 2913.40(D). When combined with the CMS Medicare requirement, physicians treating both Medicare and Medicaid patients should retain records for at least seven years.
Patient Access to Medical Records in Ohio
Ohio law and federal law both guarantee patients the right to access their medical records.
State Law: ORC 3701.74
Under ORC 3701.74, a health care provider that has a patient's medical records must permit the patient to examine the record during regular business hours without charge or provide a copy of the record upon request. To exercise this right, the patient or authorized representative must submit a written request that is:
- Signed and dated not more than one year before submission
- Specifying whether the copy should be sent to the requestor, sent to a physician or other provider, or held at the health care provider's office
If a treating physician determines for clearly stated treatment reasons that disclosure would likely have an adverse effect on the patient, the provider may furnish the record to a physician or other qualified professional instead of directly to the patient.
If a health care provider fails to furnish a medical record as required by ORC 3701.74, the patient, personal representative, or authorized person may bring a civil action to enforce the patient's right of access.
Fee Limits Under ORC 3701.741
Under ORC 3701.741, Ohio law limits the fees that providers can charge for copies of medical records. The Ohio Department of Health adjusts these amounts annually based on the Consumer Price Index under ORC 3701.742.
2025 patient-requested copy fees (data on paper or electronic format):
| Fee Category | Amount |
|---|---|
| Pages 1 through 10 | $3.88 per page |
| Pages 11 through 50 | $0.81 per page |
| Pages 51 and above | $0.32 per page |
| X-ray, MRI, or CT scan data (paper/film) | $2.66 per page |
| Postage | Actual cost |
2025 third-party-requested copy fees:
| Fee Category | Amount |
|---|---|
| Records search fee | $23.94 |
| Pages 1 through 10 | $1.58 per page |
| Pages 11 through 50 | $0.81 per page |
| Pages 51 and above | $0.32 per page |
| X-ray, MRI, or CT scan data (paper/film) | $2.55 per page |
| Postage | Actual cost |
The 2025 amounts reflect a 2.95% increase from 2024, based on the Consumer Price Index adjustment. Providers should verify the current adjusted amounts each year through the Ohio Department of Health.
On request, a health care provider or medical records company must provide one copy of the patient's medical record and one copy of any records regarding treatment performed after the original request, without charge to the patient.
Federal Law: HIPAA Right of Access
Under the HIPAA Privacy Rule, patients have the right to inspect and obtain copies of their protected health information. Key provisions include:
- Providers must respond to a records request within 30 calendar days
- An additional 30-day extension is permitted with written notice explaining the delay
- For electronic copies of electronically maintained records, providers may charge a flat fee of $6.50 or less
- Providers cannot deny access because of unpaid bills, old records, or inconvenience
- Limited exceptions exist for psychotherapy notes, information compiled for legal proceedings, and certain lab results
The 21st Century Cures Act further strengthened patient access by prohibiting information blocking. Penalties for information blocking can reach up to $1 million per violation for health IT developers.
Proper Destruction of Medical Records
Once medical records have been retained for the required period, Ohio healthcare providers may destroy them. However, destruction must follow specific procedures to protect patient privacy.
HIPAA Destruction Standards
HIPAA requires that destroyed records be rendered "essentially unreadable, indecipherable, and otherwise cannot be reconstructed." Approved methods include:
Paper records: Shredding, burning, pulping, or pulverizing. Cross-cut shredding is preferred over strip-cut shredding because strip-cut documents can potentially be reassembled.
Electronic records: Clearing (overwriting with non-sensitive data), purging or degaussing (using a strong magnetic field to erase data), or physical destruction of the storage media such as hard drives, disks, or tapes.
Records may never be placed in dumpsters, recycling bins, or other publicly accessible containers. Providers who use a third-party destruction service must have a HIPAA business associate agreement in place with that vendor.
Ohio-Specific Destruction Considerations
Ohio does not have a specific state statute requiring patient notification before destroying medical records that have exceeded the retention period. However, the Ohio State Medical Association and AMA ethical guidelines recommend that physicians:
- Make an attempt to contact the patient and give the patient a reasonable opportunity to claim the records or have them sent to another physician
- Document the date and method of destruction
- Maintain a log of destroyed records (patient name, record dates, destruction date, destruction method)
- Keep the destruction log indefinitely for compliance verification
- Verify that all copies of the record, including backup tapes and off-site storage, are destroyed
All documentation containing protected health information must be destroyed in a manner that prevents reconstruction. If destruction services are contracted, the contract must meet the requirements of the HIPAA privacy and security rules, and a business associate agreement must be executed with the contractor.
Penalties for Improper Destruction
HIPAA civil penalties for improper disposal of protected health information range from $141 to $2,134,831 per violation, depending on the level of negligence. Criminal penalties for knowing violations can reach $250,000 and 10 years of imprisonment.
Under ORC 2913.40, knowingly altering, falsifying, destroying, concealing, or removing Medicaid records within the six-year retention period is a criminal offense. Violations constitute Medicaid fraud and carry penalties based on the amount of the resulting overpayment.
What Happens When an Ohio Practice Closes
When an Ohio physician retires, relocates, or closes a practice, the provider must still ensure patient records are preserved for the remaining retention period. Ohio has specific rules governing the notification process.
OAC 4731-27-03: Patient Notification Requirements
Under OAC 4731-27-03, when a physician leaves a practice, sells a practice, or retires from the practice of medicine, the physician must notify all patients who received services within the two years immediately preceding the physician's last date for seeing patients.
The notice must be sent no later than 30 days prior to the last date the physician will see patients, or upon actual knowledge that the physician will be leaving. If acute illness or unforeseen emergency prevents advance notice, the physician must provide notice no later than 30 days after it is determined that the physician will not return.
Methods and Content of Notice
Notice may be provided using one of two methods:
- A letter sent via regular mail to the last address for the patient on record, with the date of mailing documented in the patient file
- An electronic message sent through a HIPAA-compliant electronic medical record or electronic health record system
The notice must include a statement that the physician will no longer practice at the location, the date services will cease, new contact information if practicing elsewhere, contact information for alternative physicians who can provide care, and information about how the patient can obtain their medical records.
ORC 4731.228: Employed Physician Notification
Under ORC 4731.228, when a physician's employment with a health care entity is terminated, the health care entity must send notice to each patient who received physician services from the departing physician within the two-year period before the termination date.
The notice must be provided no later than the date of termination or 30 days after the health care entity has actual knowledge of the termination or resignation, whichever is later. The notice must include the physician's name, new contact information (when available), the date the physician ceased or will cease practicing at the entity, and contact information for alternative providers.
Consequences for Failure to Notify
A physician's failure to provide notice in accordance with OAC 4731-27-03 constitutes "a departure from, or failure to conform to, minimal standards of care of similar practitioners under the same or similar circumstances." This can form the basis for Medical Board discipline under ORC 4731.22.
Recommended Steps for Practice Closure
When closing an Ohio medical practice, providers should:
-
Notify patients in writing. Send a letter to all patients seen within the past two years informing them of the closure date and explaining how they can obtain their records or have them transferred to another provider.
-
Provide adequate notice. Give patients at least 30 days of notice before the practice closes or the physician's last day.
-
Offer records transfer. Include a consent form authorizing the transfer of records to a new provider of the patient's choice.
-
Arrange for a records custodian. If records must be retained beyond the closure date, arrange for a custodian (another provider, a medical records storage company, or a local hospital) to maintain the records for the remaining retention period.
-
Notify the Ohio State Medical Board. The Ohio State Medical Board should be informed of the closure and the arrangements made for record storage.
-
Continue HIPAA protections. All records, whether retained by a custodian or transferred to patients, must continue to be protected under HIPAA privacy and security standards.
Records of Patients Who Cannot Be Reached
For patients who do not respond to the closure notification, the provider must still arrange for proper storage of their records for the full retention period. Records cannot be destroyed simply because the patient did not respond.
Ohio Medical Records Retention Summary Table
The following table summarizes the key retention requirements for Ohio healthcare providers:
| Record Type | Retention Period | Legal Authority |
|---|---|---|
| Hospital patient records | 6 years after discharge | OAC 3701-83-11 |
| Nursing home records | 7 years | OAC 3701-17-19 |
| Diagnostic imaging center records | 6 years from date of service | OAC 3701-83-54 |
| Physician office records | 6 years (recommended) | Ohio State Medical Board guidance; ORC 2913.40 |
| Medicaid patient records | 6 years after reimbursement | ORC 2913.40(D) |
| Medicare hospital records | 5 years after discharge (federal floor) | 42 CFR 482.24 |
| Medicare provider records | 7 years from date of service | CMS guidelines |
| Minor patient records | Until age 24 (recommended) | ORC 2305.16; ORC 2305.113 |
| HIPAA compliance documentation | 6 years | 45 CFR 164.530(j) |
Sources and References
- Ohio Administrative Code 3701-83-11: General Medical Records Requirements
- Ohio Administrative Code 3701-17-19: Nursing Home Records and Reports
- Ohio Administrative Code 3701-83-54: Medical Records for Diagnostic Imaging Centers
- Ohio Administrative Code 4731-27-03: Physician Practice Closure Notification
- Ohio Revised Code 3701.74: Patient Access to Medical Records
- Ohio Revised Code 3701.741: Fees for Medical Record Copies
- Ohio Revised Code 4731.228: Termination of Physician Employment Notice
- Ohio Revised Code 2913.40: Medicaid Fraud and Records Retention
- Ohio Revised Code 2305.113: Medical Malpractice Statute of Limitations
- Ohio Revised Code 2305.16: Tolling for Minors
- Ohio Revised Code 4731.22: Medical Board Disciplinary Authority
- HHS HIPAA FAQ: Medical Records Retention
- 45 CFR 164.530: HIPAA Administrative Requirements
- 42 CFR 482.24: CMS Conditions of Participation for Hospitals
- CMS Medical Record Maintenance and Access Requirements
- HHS HIPAA Disposal of Protected Health Information
Sources and References
- Ohio Administrative Code 3701-83-11: General Medical Records Requirements(codes.ohio.gov).gov
- Ohio Administrative Code 3701-17-19: Nursing Home Records and Reports(codes.ohio.gov).gov
- Ohio Administrative Code 3701-83-54: Diagnostic Imaging Center Records(codes.ohio.gov).gov
- Ohio Administrative Code 4731-27-03: Physician Practice Closure Notification(codes.ohio.gov).gov
- Ohio Revised Code 3701.74: Patient Access to Medical Records(codes.ohio.gov).gov
- Ohio Revised Code 3701.741: Fees for Medical Record Copies(codes.ohio.gov).gov
- Ohio Revised Code 4731.228: Termination of Physician Employment Notice(codes.ohio.gov).gov
- Ohio Revised Code 2913.40: Medicaid Fraud and Records Retention(codes.ohio.gov).gov
- Ohio Revised Code 2305.113: Medical Malpractice Statute of Limitations(codes.ohio.gov).gov
- Ohio Revised Code 2305.16: Tolling for Minors(codes.ohio.gov).gov
- Ohio Revised Code 4731.22: Medical Board Disciplinary Authority(codes.ohio.gov).gov
- HHS HIPAA FAQ: Medical Records Retention(hhs.gov).gov
- 45 CFR 164.530: HIPAA Administrative Requirements(ecfr.gov).gov
- 42 CFR 482.24: CMS Conditions of Participation for Hospitals(ecfr.gov).gov
- CMS Medical Record Maintenance and Access Requirements(cms.gov).gov
- HHS: Disposal of Protected Health Information(hhs.gov).gov