HIPAA vs State Medical Record Laws
Medical Record Access Period
Federal HIPAA law mandates a maximum 30-day period for accessing medical records. Once a patient requests their medical record, the healthcare provider has 30 days to furnish it. Some states, however, have stronger laws, that is, the time period is shorter than 30 days. Other states have a longer time period, so their laws are weaker and federal HIPAA law prevails. Yet other states have no specific law for this access period; in this case the federal HIPAA period of 30 days prevails. Certain states have laws that govern only specific entities, in which case federal HIPAA applies to covered entities (CEs). The following chart shows where each state stands compared to HIPAA.
- State = less than 30 days, state law applies (state stronger than federal)
- HIPAA = equal to or greater than 30 days, HIPAA law applies
- Split = HIPAA applies to covered entities, state law applies for entities not covered under HIPAA
Medical Record Retention Period
Federal HIPAA law doesn't specify a minimum retention period for medical records, so state law dictates this for patient medical records (EMR/EHR). Although there are no HIPAA retention requirements for medical records, there is a requirement covering how long other ePHI documents must be retained. The following documents must be retained for a minimum of six years from when the document was either created or last updated (like a privacy notice):
- Privacy Policies
- PHI Access Logs
- Business Associate Agreements
- Authorizations for PHI Access
- Risk Assessments and Risk Analyses
- Disaster Recovery and Contingency Plans
- Information Security Policies
- Employee Sanction Policies
- Incident and Breach Notification Documentation
- Complaint and Resolution Documentation
- Physical Security Maintenance Records
- IT Security System Reviews
State Laws | Access Period | Retention Period (Doctors) | Retention Period (Hospitals) |
Alabama | HIPAA | as needed | 5 years |
Alaska | HIPAA | X | |
Arizona | HIPAA | X | |
Arkansas | HIPAA | X | |
California | State | ||
Colorado | State | ||
Connecticut | X | ||
Delaware | HIPAA | X | |
DC | X | ||
Florida | HIPAA | X | |
Georgia | X | ||
Hawaii | State | ||
Idaho | HIPAA | ||
Illinois | X | ||
Iowa | HIPAA | X | |
Kansas | HIPAA | ||
Kentucky | HIPAA | ||
Louisiana | State | ||
Maine | HIPAA | X | |
Maryland | State | ||
Massachusetts | HIPAA | X | |
Michigan | X | ||
Minnesota | HIPAA | X | |
Mississippi | HIPAA | X | |
Missouri | HIPAA | X | |
Montana | Split | ||
Nebraska | State | ||
Nevada | State | ||
New Hampshire | HIPAA | X | |
New Jersey | X | ||
New Mexico | HIPAA | X | |
New York | State | ||
North Carolina | Split | ||
North Dakota | HIPAA | X | |
Ohio | HIPAA | ||
Oklahoma | HIPAA | X | |
Oregon | X | ||
Pennsylvania | HIPAA | X | |
Rhode Island | X | ||
South Carolina | HIPAA | X | |
South Dakota | X | ||
Tennessee | State | ||
Texas | State | ||
Utah | HIPAA | ||
Vermont | Split | ||
Virginia | State | ||
Washington | State | ||
West Virginia | HIPAA | X | |
Wisconsin | HIPAA | X | |
Wyoming | State |