by  Ann L. McNary, JD

Ms. McNary is a Senior Risk Manager at PRMS, Inc.

FUNDING: No funding was provided for the preparation of this article.

DISCLOSURES: The author is an employee of PRMS Inc., a risk-management consulting company for health care providers.

This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc. (, a manager of medical professional liability insurance programs with services that include risk management consultation, education and on-site risk management audits, and other resources offered to health care providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers might provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other health care professionals so “clinician” is used to indicate all treatment team members.

Innov Clin Neurosci. 2021;18(4–6):


I recently made the decision to close my medical office and practice telepsychiatry from my home. Now I need to figure out what to do with the 30+ years of medical records I was keeping in the basement of my office. How long am I required to keep records, what is the proper way to destroy them once that period has passed, and how do I safely store them in the meantime?


You pose a question many psychiatrists have been asking of late. Your medical records are your most important practice asset, and it is imperative that they be maintained and disposed of properly. I have addressed each part of your question below, but please remember to seek the advice of your own malpractice carrier before destroying records.

Retaining Records 

Many (but not all) states have statutes and/or regulations governing the creation and maintenance of patient records, including the time period for which records must be kept. Federal statutes and/or regulations may also address record maintenance. The time periods mandated in these statutes and regulations represent the minimum amount of time you are “legally” required to keep patient records. Additionally, if you are a participating provider with any insurance plans, you might be contractually obligated to retain records for a specific period of time. If the statutory/regulatory retention period is different from that of an insurance plan, you should keep the records for whichever time period is the longer (at a minimum).

That answers the question of how long you are required to keep records, but there is still the question of how long you should keep records, and to that there is no clear answer. Patient records exist for a reason—to support good patient care. A good record substantiates clinical judgment and choices; it demonstrates the knowledge and skill exercised during treatment; it provides a contemporary assessment of the patients’ needs and behaviors; and it documents explanations of your decisions, significant events, and revisions to the treatment plan. Importantly, it allows someone else (e.g., another psychiatrist) to know and understand what happened during treatment and why. Psychiatric patients might see many providers over time, and it is often beneficial for subsequent treating providers to have access to earlier treatment information.

A secondary benefit derived from a patient record is the ability to provide a defense in an adversarial situation, such as litigation or an administrative or ethics complaint. The importance of patient records in these types of situations cannot be overemphasized. Because of this, records should be kept until well after your state’s statute of limitation for medical malpractice actions has run. You cannot, however, absolutely rely on these statutes to protect you from litigation. Depending on the nature and wording of a complaint, an action might be brought against you even though it is not brought within the limitations period. State law usually also contains provisions for “tolling” the statute of limitations in cases where the patient (i.e., prospective litigant) is a minor or suffers under some other legal disability or incompetence. This means that for some patients, the time in which a suit can be filed is extended. 

Additionally, your state’s statutes of limitations, that limit the time during which malpractice actions might be filed against you, might not limit the time litigation resulting from allegations involving fraud, conspiracy, or criminal acts might be brought against you. Remember, too, that these laws are not applicable to professional and ethical complaints or allegations involving federal laws, rules, and regulations (e.g., Medicare billing complaints). Some physicians believe that actions cannot be brought against them if they no longer have records. That is absolutely untrue, but what is true is that they cannot defend themselves without their records.

Due to the variety of statutes, regulations, legal principles, and professional obligations affecting psychiatric records, the most conservative risk management advice dictates that records be kept indefinitely, or as long as reasonably possible. 

Destruction of Medical Records 

If after careful consideration (and consultation with your malpractice carrier) you do decide to destroy and discard patient records, you should establish and follow written policies and procedures for doing so. The ability to demonstrate that you have followed an established procedure might help to defend against potential allegations that a record was destroyed to conceal unfavorable information. As part of your policies and procedures, consider creating a log of what records were destroyed, how and when they were destroyed, the dates of treatment covered, what method of destruction was used, a statement that the records were destroyed in the normal course of business, and the signatures of the individuals supervising and witnessing the destruction. You should maintain destruction documentation permanently.

Utilize a method of destruction that will completely destroy all records and copies of records selected for discarding. Different media require different methods of destruction: shred, burn, or pulverize paper records; recycle or shred microfilm or microfiche; purge and destroy computerized records. Whatever method is used, ensure that third parties cannot discern or reconstruct patient information from destroyed records.

Medical Record Storage 

Psychiatrists are legally and professionally obligated to ensure the physical security of patient records wherever those records might be stored. This means that records must be reasonably protected from natural disasters (e.g., flood or fire), unauthorized access (e.g., theft), or inadvertent disclosure (e.g., lost or mislaid files). Records should always be stored somewhere safe and secure and should be accessible only to authorized individuals. If you have determined the number of files you plan to retain is not voluminous, storing them in your own home might be an option; however, you must carefully consider their placement. Files should be kept locked either in filing cabinets or a locked room (preferably both) and kept away from potential harm, e.g., pipes that could burst or basements that might flood. 

Should you have a larger number of records to store, you might want to consider using a professional record storage company. Such companies can be found online or through the records department of the local hospital or medical society. Your personal attorney or accountant might also be able to suggest a company. If a storage company is used, it should have experience handling confidential medical information, guarantee the security and confidentiality of records, and allow access by authorized individuals. 

Make certain that you have a written agreement with the storage company that ensures the security and privacy of your records. If you cannot go to your assigned space and retrieve records directly, the contract should indicate the time frame in which records can be retrieved. (Remember, if you are provided with a valid record request, you will only have so much time in which to respond so you must ensure that records can be obtained in a timely manner.) Pay close attention to provisions in the agreement that outline the facility’s remedies in the event of your nonpayment of storage fees. Some contracts provide that the facility retains the right to destroy the contents or even to sell the contents. Although it might seem unlikely that this would ever occur, consider the consequences in the event that something happened to you that caused payment to be overlooked. 

If you are a covered-entity under the Health Insurance Portability and Accountability Act (HIPAA) and the storage facility will have access to patient information, you must ensure that the facility is willing to enter into a Business Associate Agreement (BAA). Failure to have a BAA in place is a violation of the HIPAA Privacy Rule and could result in fines being assessed against you, even if there is no evidence of a breach. 

For additional information on retaining and discarding records, contact your state licensing board, and other professional organizations to which you belong. The American Health Information Management Association (AHIMA), a professional healthcare information organization, is an invaluable resource.