Guideline: Record Retention

Chiropractic practices generate and maintain many different types of records, including patient health records and business records. These records help practices maintain critical information and deliver quality service and care. Because of their important role, records need to be appropriately maintained and managed throughout their lifecycle — from creation to destruction.


The objectives of this guideline are to:

  • Identify essential elements of formal record retention policies and procedures

  • Discuss the regulatory requirements and claims/risk management considerations used to determine appropriate record retention policies and procedures for patient health records

  • Review additional considerations for record retention, such as defining the legal patient record and determining appropriate processes for paper and electronic records.

  • Describe the process for destroying records

  • Review requirements for transferring records


To protect records, chiropractic practices should develop and implement formal record retention policies and procedures. Doing so will help establish a systematic and organized approach to record management. Further, formal policies and procedures may help defend against allegations that records were deliberately or maliciously destroyed.

At minimum, record retention policies and procedures should include:

  • The length of time records will be maintained

  • A list of records that will be maintained onsite and offsite

  • A definition of what documents constitute a “legal” record

  • The form/manner in which the records are maintained (i.e., paper, electronic, or a combination of both)

  • A designated individual (role) who is responsible for policy oversight, record maintenance, and initiating the destruction of records

  • The HIPAA-compliant methods for destroying records while preserving confidentiality (e.g., shredding, incineration, physical destruction of hard drives, high-level overwriting of electronic information, etc.)

  • Requirements for documenting the destruction of records

  • Backups and redundancies and how they’re addressed in the destruction process (for electronic health records [EHRs])


Patient health records are an important part of patient care. They provide essential patient information, historical details about the course of care, and a record of services provided. Further, thorough and accurate records may play a crucial role in defending a malpractice claim. When developing record retention policies, chiropractic practices should consider federal and state laws, accreditation and professional organization requirements, and professional liability recommendations.

Federal Requirements

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities (CEs), such as chiropractic practices billing Medicare, to retain required HIPAA-related documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.[1] Examples of HIPAA-related documentation include:

  • Notices of privacy practices

  • Authorizations for the disclosure of protected health information (PHI)

  • Business associate agreements (BAAs)

  • Risk assessments and risk analyses

  • Disaster recovery and contingency plans

  • Information security and privacy policies

  • Employee sanction policies

  • Incident and breach notification documentation

  • Complaint and resolution documentation

  • Physical security maintenance records

  • Logs recording access to and updating of PHI

  • Information technology security system reviews (including new procedures or technologies implemented)[2]

Further, the HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical, and physical safeguards to protect the privacy of health records and other forms of PHI for as long as they are maintained.[3]

The Centers for Medicare & Medicaid Services (CMS) requires chiropractors and organizations submitting cost reports to retain patient records for Medicare beneficiaries for at least 5 years after the closure of cost reports. CMS requires Medicare managed care program providers to retain records for 10 years. Medicaid requirements vary by state.[4]

State Requirements

Some states have specific requirements for the retention of patient health records. Often, these requirements are accessible via chiropractors’ professional licensing boards. In states that offer no specific requirements, the American Health Information Management Association (AHIMA) recommends that chiropractic organizations “keep health information for at least the period specified by the state’s statute of limitations or for a sufficient length of time for compliance with laws and regulations.”[5]

Additionally, in some circumstances, the statute of limitations may not begin until the patient realizes that he/she has a basis for a claim. Thus, many practices automatically retain records for as long as practical based on patient volume and storage availability.

Many states also have specific requirements for the retention of diagnostic study results. In the absence of state guidance, chiropractic practices should retain diagnostic study results for a minimum of 7–10 years. Diagnostic study results include, but are not limited to, X-rays and other imaging records.

Risk Management and Professional Liability Guidance

Coded claims data from ChiroPreferred by MedPro Group’s claims opened between 2009 and 2018 indicate that 82 percent of claims are opened within 3 years of the date of service, 95 percent of claims are opened within 5 years of the date of service, and 99 percent of claims are opened within 10 years of the date of service.

These malpractice claims statistics serve as the basis for the following risk management guidance, which should be used as a guide — not a rule — to determine length of record retention (after considering federal and state requirements):

  • Competent adults: Maintain records at least 7–10 years after the last date of service. This usually allows sufficient time for the statute of limitations and extensions and other delays to be exhausted.

  • Incompetent adults: Maintain records (a) until/unless the patient becomes competent (then follow guidance for competent adults), (b) at least 7 years after death, or (c) as long as possible (indefinitely).

  • Minors: Maintain records at least through the state-specific statute of limitations after the child reaches the age of majority (18 years of age in most states). If the patient is 16 or 17 when last seen, it is prudent to retain the records for 7–10 years from that date.

  • Deceased patients: States may have specific guidance for the retention of records for deceased patients. In the absence of state guidance, chiropractic practices should consider retaining a deceased patient’s records for 7–10 years from the date of the patient’s death.

AHIMA recommends that health organizations (a) keep adult patient records 10 years beyond the most recent encounter, and (b) keep pediatric records up to the age of majority, plus the statute of limitations. AHIMA also advises organizations to permanently keep master patient/person indexes, birth and death registries, and registries of surgical procedures.[6]

Other Record Retention Considerations

The Legal Patient Record

Chiropractic practices should develop policy statements that specifically define what each practice considers a “legal patient record.” These policies should consider documentation that occurs during patient encounters as well as other types of communications, such as emails, patient portal interactions, text messages, etc. Defining the legal patient record will help chiropractors and staff comply with documentation and retention standards.

Electronic Versus Paper Records

Although retention requirements do not differ based on record format (i.e., paper versus electronic), other aspects of retention, such as storage, may differ. Many chiropractic practices have transitioned from paper to electronic records in recent years; as such, they might maintain both types of records.

An important consideration for chiropractic practices is maintenance of paper records following implementation of EHR systems. State regulations might provide guidance on paper record retention requirements, and practices should be aware of specific guidance within their states. Further, practices should develop processes to ensure careful quality control of all records that are scanned. Missing or illegible information in scanned records can jeopardize the quality of patient care and increase liability exposure.


In addition to patient health records, chiropractic practices also generate various business-related records, such as contracts, billing documents, tax documents, organizational policies and procedures, etc.

Appropriately maintaining and managing these records is essential to reducing organizational risk. The practice’s accounting firm or the Internal Revenue Service (IRS) may offer useful information about the retention of business records.

Federal and state government guidelines may specify record-retention requirements for employee files and other personnel information. For questions or advice related to the maintenance of personnel records, chiropractic practices should contact their attorneys or management consultants.

Additional resources are listed in the “Resources” section of this guideline.


Destruction of records, when they are no longer needed, is an important component of the document lifecycle. As such, chiropractic practices should (a) include details about record destruction in their record retention policies, and (b) implement procedures to ensure a consistent approach to destruction.

Maintaining confidentiality of PHI is paramount during the destruction of records. HIPAA requires CEs to “implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”[7]

Some states also have specific requirements relative to the destruction of records. When developing retention and destruction policies, practices should follow both federal and state requirements. AHIMA also offers detailed information about the retention and destruction of health information

Paper Records

When paper records are identified for destruction, they should be shredded, incinerated, etc., preferably by a company that provides such services. The method of destruction should ensure that the records are unreadable and unrecoverable.

The company contracted to destroy the records should provide the service at the chiropractic facility so the destruction can be confirmed. If the company will destroy records that contain PHI, the practice will need to have a HIPAA BAA with the vendor. Visit the U.S. Department of Health and Human Services website to learn more about HIPAA BAAs, and use MedPro’s Checklist: Due Diligence of Business Associates to assess your screening process for business associates.

Electronic Records

As technology has advanced over the years, most chiropractic practices have transitioned to electronic records. Electronic records, like paper records, must be “destroyed with a method that provides for no possibility of reconstruction of information.”[8] To this end, the HIPAA Security Rule requires CEs to implement policies and procedures for:

  • Addressing the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored

  • Removing electronic PHI from electronic media before the media are made available for reuse[9]

Depending on the approach, destruction of electronic records may involve overwriting of electronic media, magnetic degaussing, pulverizing, incinerating, cutting, etc. Practices should select the approach that is appropriate for the type of data being destroyed.

Further, before selling or destroying computers or any media that holds information, a competent employee or service provider should destroy all electronic documents and database records stored on the equipment.


As part of the record disposal process, chiropractic practices should establish a method to document the destruction of records. AHIMA recommends that organizations maintain a destruction log that includes:

  • Date of destruction

  • Method of destruction

  • Description of the disposed records (e.g., name, date of birth, social security number, unique patient identifier, etc.)

  • Inclusive dates

  • A statement that the records were destroyed in the normal course of business

  • The signatures of the individuals supervising and witnessing the destruction[10]

AHIMA offers a Sample Certificate of Destruction for chiropractic organizations to use a documentation template.



If a chiropractic practice is closed or sold, arrangements must be made for retention of original records for the appropriate amount of time. Under no circumstances should original records be given to patients.

In some instances, chiropractors who are selling or closing practices may choose to store their records themselves. Many chiropractors retiring today do not have their records in electronic formats. When this is the case, the chiropractor assumes responsibility for storing the paper records.

In addition to the space requirements, this approach can be problematic if the records have not been maintained in an ordered system and a former patient requests a copy of his/her records (to which the patient is entitled under HIPAA). 


A second document maintenance option is the contracted services of a records storage company. Although these companies’ fees might be substantial, they offer several advantages. First, they will pick up the records and store them in a climate-controlled facility, which can protect them from environmental damage (e.g., dampness, mold, vermin, etc.). Second, these companies usually are bonded or insured, thereby reducing a chiropractor’s liability exposure if stored records are damaged, destroyed, or stolen while in the records storage company’s possession.


Third, records storage services are able to respond to patients’ requests for records. Patients can be referred directly to the storage service, which then will locate and copy the records and collect the fee from the patient. (HIPAA allows a reasonable fee to be charged for locating and copying records.)

At the time of records transfer, a records storage company will execute a BAA with the storing chiropractor. This HIPAA-required document obliges the storage company to protect the confidentiality of PHI contained in the patient records to the same standard that the chiropractor must protect it. Through the BAA, the chiropractor and his/her patients are assured that the PHI will be secure.

Another possible option for chiropractors who are selling a practice is for the purchasing chiropractor to become the custodian of the selling chiropractor’s records through execution of a BAA. In this case, in addition to compliance with HIPAA Privacy and Security Rules, the BAA should specify that the custodian will provide the selling chiropractor with access to the physical records upon reasonable notice (such as 2 business days), and that the custodian will not release or dispose of any original records without the seller’s written authorization.

Patients who continue their relationship with the practice can authorize release of their records to the purchasing chiropractor (who is already in physical possession of the records) as part of new patient consent processes. Records of patients who leave the practice can ultimately be placed in storage or archived.

Regardless of how chiropractors choose to store their records, compliance with HIPAA remains essential.


Chiropractic practices are responsible for various types of records, including patient health records, business records, personnel records, and more. To ensure consistency and accountability, practices should implement policies and procedures for the retention, maintenance, and destruction of records.

These policies should be based on federal and state requirements, general risk management and professional guidance, and advice from the practice’s attorneys, management consultants, accountants, and other sources of expertise/authority.



[1] Centers for Medicare & Medicaid Services. (2012, August 21). Medical record retention and media formats for medical records. MLN Matters, SE1022. Retrieved from

[2] HIPAA Journal. (2018, January 15). Clarifying the HIPAA retention requirements. Retrieved from

[3] Office for Civil Rights. (n.d.). The HIPAA Privacy and Security Rules: Frequently asked questions about the disposal of protected health information. U.S. Department of Health and Human Services. Retrieved from

[4] Centers for Medicare & Medicaid Services, Medical record retention and media formats for medical records.

[5] American Health Information Management Association. (2013). Retention and destruction of health information. Retrieved from

[6] Ibid.

[7] Office for Civil Rights, Frequently asked questions about the disposal of protected health information.

[8] AHIMA, Retention and destruction of health information.

[9] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.310(d)(2)(i).

[10] AHIMA, Retention and destruction of health information.

© 2021 MedPro Group Inc. All rights reserved.