Pennsylvania Medical Records Retention Laws (2026 Guide)
Pennsylvania has clear rules governing how long doctors, hospitals, and other healthcare providers must retain your medical records. Whether you are a patient trying to access old records, a physician managing your practice files, or a healthcare administrator ensuring regulatory compliance, this guide covers the specific retention periods, federal overlaps, patient rights, destruction rules, and special circumstances that apply under Pennsylvania law.
Last verified: March 2026. This page reflects current Pennsylvania Code Titles 28 and 49, federal HIPAA guidance, and CMS requirements.
Pennsylvania Physician Medical Records Retention (49 Pa. Code 16.95)
The Pennsylvania State Board of Medicine sets the baseline retention requirement for physician-maintained medical records under 49 Pa. Code Section 16.95.
The 7-Year Rule for Physicians
Under 49 Pa. Code 16.95, a physician must retain a patient's medical record for a minimum of 7 years from the date of the last medical service for which a record entry is required. This applies to all physicians licensed by the Pennsylvania State Board of Medicine, including doctors of medicine (MDs) and doctors of osteopathic medicine (DOs).
The regulation also requires that records "accurately, legibly and completely reflect the evaluation and treatment of the patient." Each record entry must identify the patient, the person making the entry (if not the physician, such as a physician assistant or certified registered nurse practitioner), the date of the entry, and the patient's complaints and symptoms.
Records for Minor Patients
For patients who are minors, Pennsylvania law extends the retention requirement. A physician must keep a minor's medical record until 1 year after the minor reaches the age of majority (age 18 in Pennsylvania). In practice, this means records for a minor patient must be kept until the patient turns 19. If the standard 7-year period from the last service would result in a longer retention period, the physician must keep the record for that longer period instead.
For example, if a 16-year-old patient has their last visit in 2026, the physician must keep that record until at least 2027 (when the patient turns 19, one year after reaching majority). However, if a 10-year-old patient's last visit is in 2026, the physician still must retain the record until 2027 (age 19), even though 7 years from the last visit would only reach 2033. In that second scenario, the 7-year rule (extending to 2033) actually exceeds the minor rule, so the physician retains until 2033.
The key principle: whichever period is longer controls.
What Must Be in the Record
Under 49 Pa. Code 16.95, a physician's medical record must contain:
- Patient identification information
- Chief complaints and symptoms
- Diagnoses and impressions
- Examination findings
- All laboratory and imaging reports
- Details of treatments, procedures, and medications prescribed
- The identity and signature of the person making each entry
- The date of each entry
Records do not need to be stored in a single location. If a physician maintains records at multiple offices or through a health system, the records collectively satisfy the requirement as long as they are accessible.
Hospital Medical Records Retention (28 Pa. Code 115.23)
Hospitals in Pennsylvania follow a separate but related set of regulations under 28 Pa. Code Chapter 115, which governs medical record services for licensed hospitals.
The 7-Year Rule for Hospitals
Under 28 Pa. Code Section 115.23, hospitals must keep medical records (whether original documents, reproductions, or microfilm) for a minimum of 7 years following the discharge of a patient.
This mirrors the physician retention period, but the clock starts differently. For physicians, the 7 years runs from the date of the last service. For hospitals, it runs from the date of discharge.
Hospital Records for Minors
The hospital rule for minors is more protective than the physician rule. Under 28 Pa. Code 115.23, if the patient is a minor, the hospital must retain the record until the patient reaches the age of majority (18), and then for 7 more years, or for as long as adult patient records are maintained, whichever is longer.
This means a hospital must keep a minor's record until the patient turns 25 (age 18 plus 7 years). Compare this to the physician rule, which only requires retention until age 19 (one year past majority). The hospital standard provides significantly more protection for pediatric patients.
| Provider Type | Adult Retention Period | Minor Retention Period | Authority |
|---|---|---|---|
| Physicians (MDs/DOs) | 7 years from last service | Until age 19 (1 year past majority) | 49 Pa. Code 16.95 |
| Hospitals | 7 years from discharge | Until age 25 (majority + 7 years) | 28 Pa. Code 115.23 |
| Ambulatory surgical facilities | 7 years from discharge | Until age 25 (majority + 7 years) | 28 Pa. Code 563.6 |
| Long-term care facilities | 7 years from discharge | Until age 25 (majority + 7 years) | 28 Pa. Code 211.5 |
Ambulatory Surgical Facilities and Other Providers
Ambulatory surgical facilities (ASFs) in Pennsylvania follow retention rules under 28 Pa. Code Section 563.6. The requirements match the hospital standard: 7 years after discharge for adults, and until age 25 for minors.
ASFs must also maintain a written policy regarding the retention of records. This written policy requirement applies to the facility itself, meaning administrators should have a documented retention schedule that staff can reference.
Long-term care nursing facilities fall under 28 Pa. Code Section 211.5, which requires records of discharged residents to be completed within 30 days of discharge. The same 7-year retention minimum applies, with extended periods for minors.
Federal Requirements: HIPAA and CMS
HIPAA Does Not Set a Retention Period
One of the most common misconceptions is that HIPAA requires providers to keep medical records for a specific number of years. It does not.
According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule does not include medical record retention requirements. State laws govern how long medical records must be retained.
What HIPAA does require is that covered entities retain HIPAA-related administrative documentation for 6 years. This includes privacy policies, procedures, notices of privacy practices, training records, business associate agreements, and complaint records, under 45 CFR 164.530(j). This 6-year requirement applies to compliance paperwork, not to patient charts.
HIPAA also requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period those records are maintained. So while HIPAA does not dictate how long to keep records, it does dictate how to protect them for as long as they exist.
CMS and Medicare Requirements
The Centers for Medicare and Medicaid Services (CMS) sets additional federal requirements for providers who participate in Medicare or Medicaid programs.
Under 42 CFR 424.516(f), Medicare providers must maintain medical records and documentation for 7 years from the date of service. Hospitals participating in Medicare must retain records for at least 5 years after discharge under 42 CFR 482.24.
Failure to maintain records as required can result in revocation of Medicare enrollment under 42 CFR 424.535(a)(10).
Which Law Controls?
The stricter requirement always applies. For a Pennsylvania physician participating in Medicare, both the state 7-year rule (49 Pa. Code 16.95) and the federal 7-year CMS rule (42 CFR 424.516) apply. Since both are 7 years, the result is the same. But if a different federal program required a longer period, the provider would need to follow the longer federal requirement.
For hospitals, Pennsylvania's 7-year post-discharge rule is stricter than the CMS 5-year post-discharge rule, so the state rule controls.
Patient Access to Medical Records in Pennsylvania
Pennsylvania patients have rights to access their medical records under both state and federal law.
State Law: 42 Pa.C.S. Sections 6152 and 6155
Under 42 Pa.C.S. Section 6155, patients in Pennsylvania have the right to obtain copies of their medical records from any healthcare provider. Providers can charge reasonable fees for producing copies.
The Pennsylvania Department of Health publishes updated fee schedules annually. As of January 1, 2026, the maximum allowable charges are:
| Fee Category | Amount |
|---|---|
| Pages 1 through 20 | $2.00 per page |
| Pages 21 through 60 | $1.48 per page |
| Pages 61 and beyond | $0.52 per page |
| Microfilm copies | $2.95 per page |
| Search and retrieval fee | $29.61 |
| Flat fee (Social Security/needs-based programs) | $37.52 |
| Flat fee (district attorney requests) | $29.61 |
Providers cannot charge the search and retrieval fee when a patient requests their own records. Actual postage, shipping, and delivery costs may be added.
HIPAA Access Rights
Under HIPAA (45 CFR 164.524), patients have the right to inspect and obtain a copy of their protected health information (PHI) maintained in a designated record set. Providers must respond to a request within 30 days (with one 30-day extension if needed).
For records maintained electronically, patients can request copies in an electronic format. Providers may only charge labor costs for responding to the request and cannot include search and retrieval expenses for electronic copies. The patient also has the right to direct the provider to transmit an electronic copy directly to a third party.
Destruction of Medical Records in Pennsylvania
Once the retention period has passed, providers can destroy medical records. However, both Pennsylvania law and HIPAA impose requirements on how destruction must be handled.
Pennsylvania Notice Requirements
Under 28 Pa. Code 115.23 and 28 Pa. Code 563.6, before destroying medical records, hospitals and ambulatory surgical facilities must provide public notice to allow former patients or their representatives to claim their own records. This notice must appear in at least two forms:
- A legal notice in a newspaper of general circulation in the area
- A display advertisement in the same or another newspaper
This dual-notice requirement ensures that patients have a reasonable opportunity to retrieve their records before destruction occurs.
HIPAA Disposal Standards
According to HHS guidance on disposal of protected health information, covered entities must implement reasonable safeguards when disposing of PHI in any form.
Providers may not dispose of PHI in dumpsters, recycling bins, garbage cans, or other receptacles accessible to the public or unauthorized persons. Acceptable disposal methods include:
For paper records:
- Shredding
- Burning
- Pulping
- Using a licensed document destruction service
For electronic records:
- Clearing (overwriting media with non-sensitive data)
- Purging (degaussing or exposing media to a strong magnetic field)
- Physical destruction (disintegrating, pulverizing, melting, incinerating, or shredding the media)
Providers should document the destruction process and maintain a log of destroyed records, including patient identifiers, record dates, and the date and method of destruction.
Practice Closure and Records Transfer
When a physician retires, relocates, or closes a practice in Pennsylvania, specific obligations apply regarding patient records.
Physician Practice Closures
Under the general principles of 49 Pa. Code 16.95, a physician closing a practice must still satisfy the 7-year retention requirement. The physician cannot simply abandon records when the practice closes. Options include:
- Transferring records to another physician or practice that agrees to maintain them
- Arranging for secure storage with a records management company
- Providing patients with reasonable notice and an opportunity to obtain copies before the practice closes
Abandoning medical records constitutes a violation of Board regulations and could lead to disciplinary action. The physician-patient relationship creates an obligation that outlasts the practice itself.
Hospital and Facility Closures
When a hospital or ambulatory surgical facility discontinues operations, Pennsylvania law under 28 Pa. Code 115.23 and 28 Pa. Code 563.6 requires the facility to:
- Notify the Pennsylvania Department of Health about where records will be stored
- Store records in a facility offering retrieval services for at least 5 years after the closure date
- Publish public notice (legal notice and display advertisement) before destroying any records, allowing former patients or their representatives to claim their own records
These requirements ensure that patients do not lose access to their medical history simply because a facility closes.
Special Categories of Records
Mental Health Records
Pennsylvania's Mental Health Procedures Act (Act 143 of 1976) and regulations under 55 Pa. Code Chapter 5100 impose additional confidentiality protections on mental health records. All documents concerning persons in treatment are kept confidential and cannot be released without the patient's written consent, except in limited circumstances (treatment providers, county administrators, or courts under specific legal proceedings).
The base retention period for mental health records follows the same state rules (7 years for physicians, 7 years post-discharge for facilities), but the heightened confidentiality requirements make proper handling and destruction of these records especially important.
Substance Use Disorder Records
Under Pennsylvania's Drug and Alcohol Abuse Control Act, substance use disorder (SUD) treatment records carry strict confidentiality protections. These records cannot be released without the patient's consent except in narrow circumstances. Act 33 of 2022 updated Pennsylvania law to align state SUD confidentiality protections with federal requirements under HIPAA and 42 CFR Part 2.
Providers handling SUD records should ensure that their retention and destruction practices comply with both the state confidentiality law and federal 42 CFR Part 2 requirements.
Long-Term Care Facility Records
Nursing homes and long-term care facilities in Pennsylvania follow 28 Pa. Code Section 211.5, which requires records of discharged residents to be completed within 30 days of discharge. The information contained in a resident's record is privileged and confidential, and written consent of the resident or resident representative is required for release, except for authorized federal and state government representatives conducting official duties.
Consequences of Non-Compliance
Failing to properly retain or protect medical records in Pennsylvania can result in several types of consequences.
Licensing and Disciplinary Action
The Pennsylvania State Board of Medicine can take disciplinary action against physicians who fail to maintain medical records as required by 49 Pa. Code 16.95. This can include fines, license suspension, or license revocation.
For hospitals and facilities, the Pennsylvania Department of Health can take action through its licensure authority under Title 28. Altering medical records during a licensure survey to appear compliant constitutes fraud and can justify refusal to renew a facility's license.
Civil Liability
Inadequate record-keeping can expose providers to medical malpractice claims. If a provider cannot produce records to demonstrate the standard of care was met, courts may draw negative inferences. In medical malpractice litigation, the absence of records can be as damaging as the presence of records showing errors.
Federal Penalties
For providers enrolled in Medicare or Medicaid, failure to maintain records as required under CMS regulations can lead to revocation of enrollment under 42 CFR 424.535(a)(10). This effectively prevents the provider from billing federal healthcare programs.
HIPAA Enforcement
While HIPAA does not set retention periods, it does require proper safeguards for records as long as they are maintained, and proper disposal methods when records are destroyed. Violations of these requirements can result in civil monetary penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category, enforced by the HHS Office for Civil Rights.
Sources and References
- 49 Pa. Code Section 16.95 - Medical Records (Physician retention requirements) (pacodeandbulletin.gov)
- 28 Pa. Code Section 115.23 - Preservation of Medical Records (Hospital retention) (pacodeandbulletin.gov)
- 28 Pa. Code Section 563.6 - Preservation of Medical Records (Ambulatory surgical facilities) (pacodeandbulletin.gov)
- 28 Pa. Code Section 211.5 - Medical Records (Long-term care nursing facilities) (pacodeandbulletin.gov)
- HHS FAQ: Does HIPAA require covered entities to keep medical records for any period? (hhs.gov)
- HHS: Disposal of Protected Health Information (hhs.gov)
- HHS: Summary of the HIPAA Privacy Rule (hhs.gov)
- 42 CFR 482.24 - Conditions of Participation: Medical Record Services (CMS hospital requirements) (govinfo.gov)
- 42 CFR 424.516 - Medicare enrollment application requirements (7-year retention) (govinfo.gov)
- Pennsylvania Medical Record Fees (January 2026) (pa.gov)
- 42 Pa.C.S. Section 6152 - Subpoena of Records (legis.state.pa.us)
- 55 Pa. Code Chapter 5100 - Mental Health Procedures (pacodeandbulletin.gov)
- Pennsylvania Drug and Alcohol Abuse Control Act (Act 63 of 1972) (legis.state.pa.us)
- HHS: Understanding Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) (hhs.gov)