Medical Record Destruction It’s HIPAA Mandated

Wed, Jun 26, 2019
By: Jim Beran

If your company collects and stores medical records, then you know that it’s your legal responsibility to secure those records to protect your patients’ privacy. Likewise, medical record destruction is something that’s mandated by HIPAA.

Gilmore Services is a NAID-certified vendor that is also insured by Downstream Data Coverage, so our customers can have total confidence and assurance in our services. That means we’re experts at storing and managing medical records in compliance with HIPAA regulations. We understand what you (and we) need to do to protect your patients’ confidentiality and avoid HIPAA violations.

What Does HIPAA Say About Medical Record Destruction?

HIPAA regulations are very clear about when medical records should be destroyed and what kinds of medical records must be destroyed.

Timeline for the Destruction of Medical Records

Let’s start with how long providers must keep medical records and when they must destroy them. According to HIPAA, medical records must be kept for either:

  • Six years from their creation; or
  • Six years from their last use

Most states have data retention laws, too. If the state’s law specifies a shorter retention period than HIPAA, the HIPAA regulation prevails. If the state requires a longer retention period, then providers must adhere to the state law and destroy the records according to the state’s schedule.

List of Medical Records to Destroy

Just as HIPAA lays out a timeline for the destruction of medical records, it specifies the types of records that must be destroyed. These include patient charts and medical records, as well as any other protected health information (PHI) that contains personal and confidential data.

Here’s the list of information that must be properly secured and destroyed under HIPAA regulations:

  • Patient names
  • Dates (birth dates and other relevant dates)
  • Geographic identifiers
  • Social Security numbers
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Biometric identifiers, including retinal scans or fingerprints
  • Full face photos and comparable images
  • Certificate and license numbers
  • Device identifiers and serial numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Web URLs
  • IP addresses
  • Other unique identifying numbers, characteristics, or codes

As a provider, it’s your job to secure any information that is on HIPAA’s list appropriately and destroy it according to either HIPAA regulations or your state regulations.

What Are HIPAA Requirements for Medical Record Destruction?

While HIPAA regulations are very clear about which records to keep and which to destroy, they don’t go into detail about the methods to use to destroy records. However, there are some general guidelines, which state:

Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.

They also state that it’s up to providers to safeguard their patients’ privacy and take special care with the destruction of any data that might lead to identity theft.

Here are some suggestions from HIPAA for the destruction of medical records:

  • PHI in paper records may be shredded, burned, pulped, or pulverized so the PHI is unreadable, indecipherable, and may not be reconstructed.
  • PHI in electronic media may be cleared by overwriting it, purged by degaussing or exposing the media to a magnetic field, or otherwise destroyed by disintegration, pulverization, melting, incinerating, or shredding.

They also state that it’s acceptable to maintain PHI in opaque bags in a secured area while it waits for destruction.

The key is that any medical records you get rid of must be destroyed in a manner that prevents them from being reconstructed or otherwise accessed.

Medical record destruction is your responsibility under HIPAA. Partnering with an experienced data destruction specialist will ensure that you’re compliant with regulations and doing your best to protect your patients’ privacy.

Click here to learn how Gilmore Services can help with medical record destruction.