Texas Medical Records Retention Laws (2026 Guide)
Last verified: March 2026. This page reflects current Texas Administrative Code Titles 22 and 25, Texas Health and Safety Code Chapter 181, and SB 1188 (89th Legislature).
Table of Contents
- Overview of Texas Medical Records Retention Laws
- Physician Retention Requirements
- Hospital Retention Requirements
- Records for Minor Patients
- Federal Requirements: HIPAA and CMS
- Texas SB 1188: EHR Storage in the United States
- Patient Access Rights and Copy Fees
- Proper Destruction of Medical Records
- Practice Closure and Record Transfer
- Penalties for Noncompliance
- Frequently Asked Questions
- Sources and References
Overview of Texas Medical Records Retention Laws
Texas medical records retention requirements come from multiple sources. State regulations set minimum retention periods for physicians and hospitals. Federal rules from HIPAA and CMS add further layers of compliance. Starting in 2026, a new Texas law also dictates where electronic health records must be physically stored.
Healthcare providers in Texas must navigate all of these overlapping requirements. When state and federal rules conflict, the stricter standard applies. This guide breaks down each requirement so physicians, hospitals, and healthcare administrators can stay compliant.
Primary Regulatory Sources:
- 22 TAC Chapter 165 (Texas Medical Board rules for physicians)
- 25 TAC 133.41 (Hospital licensing requirements)
- Texas Health and Safety Code Chapter 181 (Medical Records Privacy)
- SB 1188, 89th Legislature (Electronic Health Records)
Physician Retention Requirements
Under 22 TAC 165.1, the Texas Medical Board requires all licensed physicians to maintain patient medical records for a minimum of seven years from the date of the last treatment provided by that physician.
This seven-year period applies to adult patients. It covers all documentation related to the patient's care, including examination notes, test results, imaging reports, prescriptions, referrals, and correspondence.
Physicians must also retain records for longer periods when required by other federal or state statutes. For example, if a physician treats Medicare patients, CMS rules may impose additional requirements beyond the state minimum.
The retention clock starts on the date of the patient's last visit or treatment. If a patient returns after a gap in care, the clock resets from that new date of service.
Key points for physicians:
- Minimum 7 years from last treatment date
- Applies to all documentation in the medical record
- Longer retention required when mandated by other laws
- Records must be maintained in original or legally reproduced form
- Electronic records are acceptable if they meet integrity and accessibility standards
Primary Source: Texas Medical Board - Patient Information and Medical Records
Hospital Retention Requirements
Texas hospitals face a longer retention requirement than individual physicians. Under 25 TAC 133.41, hospitals licensed in Texas must retain medical records in their original or legally reproduced form for a minimum of 10 years from the date of last treatment.
A "legally reproduced form" includes records maintained in hard copy, microform (microfilm or microfiche), or other electronic medium. This gives hospitals flexibility in how they store records, as long as the format preserves the integrity of the original.
Hospital imaging records, including films, scans, and other image records, carry a separate retention period of at least five years.
Hospitals must also comply with CMS Conditions of Participation if they accept Medicare or Medicaid patients, which may impose additional documentation and retention standards.
Hospital retention summary:
- Medical records (reports and printouts): minimum 10 years
- Films, scans, and image records: minimum 5 years
- Records may be stored in hard copy, microform, or electronic format
- Must comply with both state and federal standards
Primary Source: 25 TAC 133.41 - Hospital Functions and Services
Records for Minor Patients
Texas law provides extended protections for the medical records of children. Under 22 TAC 165.1, when a patient is younger than 18 at the time of their last treatment, the physician must retain the medical record until the later of:
- The patient reaches age 21, or
- Seven years from the date of last treatment
Whichever period is longer controls. For example, if a physician last treats a 10-year-old child, the records must be kept until the child turns 21 (11 years). If the physician last treats a 16-year-old, the seven-year period (ending when the patient is 23) would be longer than waiting until age 21, so the seven-year rule applies instead.
This extended retention period exists because minors cannot independently request or manage their own medical records. It also accounts for the statute of limitations on medical malpractice claims, which is tolled during minority in Texas.
Parents and legal guardians may request copies of a minor's records on the child's behalf. Under SB 1188, parents of children age 17 and younger now have "complete and unrestricted access" to their child's electronic health records unless restricted by law or court order.
Federal Requirements: HIPAA and CMS
HIPAA
The HIPAA Privacy Rule does not establish a specific retention period for medical records. According to the U.S. Department of Health and Human Services, "the HIPAA Privacy Rule does not include medical record retention requirements" and states that "state laws generally govern how long medical records are to be retained."
However, HIPAA does require covered entities to retain HIPAA-related documentation for six years. This includes privacy policies, authorization forms, notice of privacy practices, and business associate agreements. This six-year requirement applies to the administrative documents, not to patient medical records themselves.
HIPAA also strictly governs how protected health information (PHI) must be handled during disposal, which is covered in the destruction section below.
Primary Source: HHS.gov - Does HIPAA Require Retention of Medical Records?
CMS/Medicare Requirements
The Centers for Medicare and Medicaid Services (CMS) requires providers who participate in Medicare to maintain medical records for a period consistent with state law but no less than five years from the date of service under 42 CFR 482.24.
For Texas providers, the state's seven-year physician requirement and ten-year hospital requirement already exceed the CMS minimum. Texas providers treating Medicare patients should follow the Texas retention periods, as they are stricter.
CMS also requires that medical records be "accurately written, promptly completed, properly filed and retained, and accessible." Hospitals must maintain a medical record for each inpatient and outpatient.
Primary Source: 42 CFR 482.24 - Condition of Participation: Medical Record Services
Texas SB 1188: EHR Storage in the United States
Senate Bill 1188, passed during the 89th Texas Legislature, introduced a significant new requirement for electronic health records in Texas. Starting January 1, 2026, all electronic health records under the control of a covered entity must be physically maintained on servers located in the United States or a U.S. territory.
This requirement applies regardless of when the record was originally created. Records prepared before January 1, 2026, must still be stored domestically after that date.
SB 1188 affects healthcare facilities, providers, and state agencies that maintain electronic health records. It also applies to third-party computing facilities and cloud services used to store EHR data.
Additional SB 1188 provisions:
- EHR systems must include a field for documenting biological sex at birth
- Practitioners may use AI for diagnostic purposes only if they review all AI-generated records and disclose AI use to patients
- EHR platforms cannot collect or retain voter registration data or voting history
- Parents of children 17 and younger receive complete and unrestricted access to their child's EHR
- Covered entities must implement "reasonable and appropriate administrative, physical, and technical safeguards" for record security
Enforcement: The Texas Attorney General may pursue injunctive relief and civil penalties for violations:
- Negligent violations: up to $5,000 per year
- Knowing or intentional violations: up to $25,000 per year
- Violations involving misuse of PHI for profit: up to $250,000
Primary Source: SB 1188 Enrolled Text, 89th Legislature
Patient Access Rights and Copy Fees
Texas patients have the right to obtain copies of their medical records. Under Texas Medical Board rules, a patient must submit a written request, and the physician has 15 business days to respond to a properly authorized request.
Patients may request records be sent to themselves, another provider, or an authorized third party. Written authorization is required for third-party transfers.
Maximum allowable fees for record copies:
| Record Type | Fee |
|---|---|
| Paper copies, first 20 pages | $25 maximum |
| Paper copies, each additional page | $0.50 per page |
| Electronic format, 500 pages or fewer | $25 maximum |
| Electronic format, more than 500 pages | $50 maximum |
| Imaging studies | $8 per copy |
| Affidavit or certification | $15 maximum |
Important exception: Providers may not charge a fee when the records are requested in connection with a claim for disability benefits or government assistance.
These fee limits are set by Texas Medical Board rules and apply to physicians. Hospitals may have separate fee schedules under Texas Health and Safety Code Section 241.154.
Primary Source: Texas Medical Board - Patient Information and Medical Records
Proper Destruction of Medical Records
Once the retention period expires, medical records containing protected health information (PHI) must be destroyed in a manner that renders the information unreadable and unable to be reconstructed.
Paper Records
Paper records must be shredded, burned, or pulped. Texas Health and Human Services specifies that shredders must produce crosscut particles no larger than 1 mm by 5 mm (0.04 inches by 0.2 inches). If shredding does not meet these specifications, the material must be safeguarded until additional destruction methods, such as burning or pulping, render it fully unreadable.
Simply placing records in a trash receptacle accessible to the public is a HIPAA violation, even if the retention period has expired.
Electronic Records
Electronic media containing PHI must be cleared, purged, or physically destroyed. Acceptable methods include:
- Clearing: Overwriting data with nonsensitive information
- Purging: Degaussing (exposing media to a strong magnetic field)
- Destruction: Disintegration, pulverization, melting, incinerating, or shredding the physical media
Using a Third Party
Healthcare providers may hire a business associate to handle record destruction. A Business Associate Agreement (BAA) must be in place that requires the associate to safeguard PHI through the destruction process. Providers should obtain a certificate of destruction for their records.
Primary Source: HHS.gov - Disposal of Protected Health Information
Practice Closure and Record Transfer
When a Texas physician retires, closes a practice, or leaves a group practice, specific rules govern what happens to patient records.
Notification Requirements
Under 22 TAC 165.5, the departing physician must:
- Send a letter or email to each patient seen in the last two years
- Post a notice in a conspicuous location in the office and on the practice website
- Provide this notice at least 30 days before the closure, departure, or relocation
Required Notice Content
The notification must include:
- The date of termination, retirement, or departure
- Instructions for patients to obtain or transfer their records
- The name and location of the new practice (if applicable)
- The name of another licensed physician, practice, or records custodian who will hold the records
License Surrender or Revocation
Physicians who voluntarily surrender their license or have it revoked face stricter requirements. They must notify patients within 30 days of the effective date and must identify a board-approved custodian for their records within that same 30-day window.
Protection of Patient Rights
Other physicians remaining in the practice may not prevent a departing physician from posting required notices. No physician, physician group, or organization may withhold information that a departing physician needs to notify patients.
Primary Source: 22 TAC 165.5 - Transfer and Disposal of Medical Records
Penalties for Noncompliance
Failing to comply with Texas medical records retention laws can result in disciplinary action by the Texas Medical Board, including:
- Formal reprimand or warning
- Administrative penalties
- License suspension or restriction
- License revocation in severe cases
For violations of the new SB 1188 EHR storage requirements, the Texas Attorney General may seek civil penalties of up to $5,000 per negligent violation, up to $25,000 per knowing violation, and up to $250,000 for violations involving misuse of PHI for profit. Regulatory agencies may also suspend or revoke licenses for three or more violations.
HIPAA violations carry separate federal penalties administered by the HHS Office for Civil Rights, ranging from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category.
Frequently Asked Questions
Sources and References
- 22 TAC Chapter 165 - Medical Records (Texas Medical Board)
- 25 TAC 133.41 - Hospital Functions and Services
- Texas Health and Safety Code Chapter 181 - Medical Records Privacy
- SB 1188, 89th Texas Legislature - Electronic Health Records
- SB 1188 Bill Analysis - Senate Research Center
- HHS.gov - Does HIPAA Require Retention of Medical Records?
- 42 CFR 482.24 - CMS Conditions of Participation: Medical Record Services
- HHS.gov - Disposal of Protected Health Information
- Texas Medical Board - Patient Information and Medical Records
- HHS.gov - HIPAA Privacy Rule Summary