How to Archive Old EHR Records

Every medical practice accumulates years of patient data. Over time, your active EHR system fills with records from patients who moved away, passed on, or simply haven’t been seen in years. Left unaddressed, this data buildup slows your system, complicates audits, and creates unnecessary security exposure.

The answer isn’t deletion — it’s proper archiving. Done correctly, EHR archiving keeps your practice HIPAA compliant, reduces operational overhead, and ensures records remain accessible when you need them. This guide walks through exactly how to do it.

Key figures:

  • 6 years: minimum HIPAA retention requirement from creation or last use
  • 10 years: New Jersey adult medical record retention requirement
  • $50K+: potential HIPAA fine for improperly disposed records

Why Archiving Old EHR Records Matters

Medical practices often treat record archiving as a back-burner task — something to deal with later. But the longer inactive records sit in an active EHR, the more problems accumulate:

  • System performance degrades. Bloated databases slow query times, reporting, and overall EHR responsiveness — affecting every provider in your practice.
  • Security surface expands. Every record in an active system is a potential breach target. Inactive records that aren’t needed for daily care should be removed from your primary attack surface.
  • Audits become harder. Sifting through years of undifferentiated data to respond to an audit or legal request wastes time and increases error risk.
  • Storage costs rise. Cloud-based EHR pricing often scales with data volume. Archiving old records to lower-cost storage tiers can meaningfully reduce your annual costs.
  • Compliance risk increases. Both HIPAA and state regulations require records to be retained and properly secured. An active EHR packed with records from a decade ago may not be meeting that standard.

HIPAA & State Retention Requirements

Before archiving or disposing of any records, you must understand the applicable retention requirements. Federal and state rules can differ significantly, and the more stringent rule always applies.

Federal HIPAA Requirements

Under the HIPAA Privacy Rule (45 CFR §164.530(j)), covered entities must retain documentation of their policies and procedures for a minimum of 6 years from the date of creation or the date when they were last in effect. While HIPAA does not directly set a retention period for clinical records themselves, it does require that records be protected for as long as they are maintained.

State-Specific Requirements

Many states have their own medical record retention laws that exceed federal minimums. Always consult your state health department and a healthcare attorney for precise guidance — below is a general overview of common state requirements:

State      | Adult Records | Minor Records                                  | Notable Notes
New Jersey | 10 years      | Until patient turns 23                         | One of the stricter state requirements
New York   | 6 years       | 3 years after majority                         | Hospital records: 6 years from discharge
California | 7 years       | 3 years after majority                         | Minors: whichever is later
Florida    | 5 years       | 7 years or until age 18, whichever is later    | Obstetrical records: 7 years
Texas      | 10 years      | Until age 21                                   | From the date of last treatment

Archiving vs. Deleting: What’s the Difference?

These terms are sometimes used interchangeably — but in the context of healthcare compliance, they mean very different things with very different consequences.

Factor           | Archiving                                | Deletion
Record status    | Preserved in secure, read-only storage   | Permanently removed
HIPAA compliance | ✅ Compliant if done correctly           | ❌ Non-compliant before retention period
Retrievability   | Accessible within defined timeframe      | Not recoverable
Audit support    | Searchable and auditable                 | No audit trail
System load      | Removed from active EHR                  | Removed from active EHR
Legal exposure   | Low, if properly managed                 | High if retention period not met

Deletion is only appropriate once all applicable retention periods have been met and the decision has been reviewed by your compliance officer. Even then, HIPAA requires that deletion be done securely — records cannot simply be dragged to the trash.

What Records Should Be Archived?

Not all records need to move to archive at the same time. A well-structured archiving policy identifies specific triggers that move a record out of the active EHR. Common criteria include:

  • Inactive patients — Patients with no visits, prescriptions, or clinical activity within the last 3–5 years (based on your policy)
  • Deceased patients — Records should be archived, not deleted, and retained per applicable state law
  • Transferred care — Patients who have formally transferred to another provider
  • Legacy system records — Records migrated from a previous EHR that are no longer actively referenced
  • Resolved legal matters — Records tied to workers’ comp, litigation, or no-fault cases that have fully closed
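The triggers above, combined with the retention table earlier in this guide, can be encoded as a single disposition check so that nothing is deleted by script and only records past retention are surfaced for compliance review. This is an added example, not Medi-EHR code; it models only the adult retention periods from the table (no age-based minor rules), treats the federal 6-year figure as a floor, and picks 3 years as the inactivity trigger, all of which are policy assumptions to adjust.

```python
from dataclasses import dataclass
from datetime import date

# Adult retention periods (years from last treatment) taken from this guide's
# state table. Constructed/simplified: minor (age-based) rules are not modelled.
STATE_ADULT_RETENTION_YEARS = {"NJ": 10, "NY": 6, "CA": 7, "FL": 5, "TX": 10}
HIPAA_FLOOR_YEARS = 6          # federal minimum cited in the guide
INACTIVITY_TRIGGER_YEARS = 3   # policy choice from the guide's 3-5 year range

@dataclass
class PatientRecord:
    patient_id: str
    state: str
    last_activity: date          # last visit, prescription or clinical event
    deceased: bool = False
    transferred: bool = False    # formally transferred to another provider
    legacy_import: bool = False  # migrated from a previous EHR, not referenced
    open_legal_matter: bool = False  # workers' comp / litigation still open

def retention_years(state: str) -> int:
    """Stricter rule applies: a shorter state period never undercuts the floor."""
    return max(HIPAA_FLOOR_YEARS, STATE_ADULT_RETENTION_YEARS.get(state, HIPAA_FLOOR_YEARS))

def add_years(d: date, years: int) -> date:
    """Add whole years, clamping Feb 29 to Feb 28 in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition(record: PatientRecord, today: date) -> str:
    """Return ACTIVE, ARCHIVE or REVIEW_FOR_DISPOSAL. The script never deletes:
    records past retention are only flagged for the compliance officer."""
    if record.open_legal_matter:
        return "ACTIVE"            # stays in the active EHR until the matter closes
    if today >= add_years(record.last_activity, retention_years(record.state)):
        return "REVIEW_FOR_DISPOSAL"
    inactive_years = (today - record.last_activity).days / 365.25
    if (record.deceased or record.transferred or record.legacy_import
            or inactive_years >= INACTIVITY_TRIGGER_YEARS):
        return "ARCHIVE"
    return "ACTIVE"

if __name__ == "__main__":
    today = date(2025, 6, 1)  # constructed run date
    for r in [PatientRecord("A1", "NJ", date(2018, 1, 15)),
              PatientRecord("A2", "FL", date(2018, 1, 15)),
              PatientRecord("A3", "NY", date(2023, 3, 1), transferred=True)]:
        print(r.patient_id, r.state, disposition(r, today))
```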

Best Practices for EHR Archiving

A compliant, efficient archiving program doesn’t happen by accident. The following best practices are aligned with HHS guidance on HIPAA administrative safeguards and widely accepted healthcare records management standards.

1. Develop a Written Records Retention Policy

Your practice must have a documented policy that defines retention periods, archiving triggers, storage requirements, and disposal procedures. This policy must be reviewed and updated at least annually, and it must be retained itself for 6 years under HIPAA.

2. Use Encryption for All Archived Data

Archived records are still Protected Health Information (PHI). Whether stored on-premises or in the cloud, they must be encrypted at rest (AES-256 is the current standard) and in transit (TLS 1.2 or higher). This is a technical safeguard requirement under HIPAA’s Security Rule (45 CFR §164.312).

3. Maintain Access Controls and Audit Logs

Access to archived records should be restricted to authorized personnel only — not open to all clinical staff by default. Every access event must be logged, creating an audit trail that demonstrates compliance in the event of an investigation.

4. Ensure Retrievability Within a Reasonable Timeframe

Archiving cannot mean “impossible to find.” If a patient requests their records, or if you receive a subpoena or audit request, you must be able to retrieve archived records in a reasonable timeframe. Define this expectation (e.g., within 5 business days) in your policy.

5. Execute Business Associate Agreements (BAAs)

If you use a third-party cloud storage vendor or archiving service, a signed BAA is required under HIPAA before any PHI is transmitted or stored on their platform. Failure to have a BAA in place is one of the most common HIPAA violations found during audits.

6. Document Your Archiving and Disposal Activities

Every time records are archived or disposed of, document what was done, when, by whom, and under what authority. This documentation is your shield in an audit — and it must be retained for 6 years.

7. Train Your Staff

Staff who handle records — including front desk, billing, and clinical personnel — should understand your archiving policy, why it matters, and how to execute it. HIPAA requires workforce training on privacy and security policies.

Choosing an EHR Archiving Solution

The right archiving solution depends on your practice size, technical infrastructure, and budget. Here are the main approaches:

Built-In EHR Archive Features

Many modern EHR platforms include native archiving capabilities that allow you to flag records as inactive without removing them from the system entirely. This is the simplest option but may not fully reduce system overhead or storage costs.

Dedicated Healthcare Archive Platforms

Purpose-built healthcare archiving platforms allow you to export and store records in a HIPAA-compliant environment entirely separate from your active EHR. These solutions typically offer robust search, access control, and audit logging — critical for larger practices or those switching systems.

Cloud Storage with HIPAA-Compliant Vendors

General-purpose cloud storage can serve as an archive tier only if the vendor will sign a BAA and the storage is configured to meet the safeguards described above: encryption at rest and in transit, access restricted to authorized personnel, and logging of every access event. The vendor's willingness to sign a BAA should be confirmed before any PHI is uploaded.

Archiving When Switching EHR Systems

One of the highest-stakes archiving scenarios is when a practice switches from one EHR platform to another. This is a situation where records from the old system must be handled carefully — you cannot simply abandon them when your contract ends.

Key steps when switching EHR systems:

  • Request a full data export before your contract with the old vendor ends. Most EHR vendors are required to provide this under applicable data portability standards.
  • Export in an open, non-proprietary format such as C-CDA (Consolidated Clinical Document Architecture) or HL7 FHIR where possible, to ensure long-term readability.
  • Validate the exported data for completeness before terminating your old system subscription.
  • Store exported records in a HIPAA-compliant archive with a signed BAA from your storage vendor.
  • Document the entire process including export date, format, storage location, and who performed each step.
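The validation and documentation steps above can be automated: check that every patient in the old system's index appears in the export, record an integrity hash per exported document, and write the who/when/where log entry. This is an added example (not Medi-EHR's or any vendor's tool); it assumes C-CDA documents carrying the patient identifier in recordTarget/patientRole/id and uses constructed stub documents under the HL7 example OID root.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

HL7 = "{urn:hl7-org:v3}"  # C-CDA namespace

def patient_id_from_ccda(document: bytes) -> Optional[str]:
    """Return recordTarget/patientRole/id@extension, or None if the
    document is not well-formed XML or lacks the identifier."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return None
    id_el = root.find(f"{HL7}recordTarget/{HL7}patientRole/{HL7}id")
    return None if id_el is None else id_el.get("extension")

def validate_export(expected_ids, documents):
    """documents: filename -> raw bytes. Returns (missing_ids, unparseable_files,
    manifest) where manifest maps filename -> (patient_id, sha256 hex)."""
    manifest, found, unparseable = {}, set(), []
    for name, blob in documents.items():
        pid = patient_id_from_ccda(blob)
        if pid is None:
            unparseable.append(name)   # must be re-exported before cutover
            continue
        found.add(pid)
        manifest[name] = (pid, hashlib.sha256(blob).hexdigest())
    return sorted(set(expected_ids) - found), sorted(unparseable), manifest

def archive_log_entry(manifest, operator, storage_location, export_format="C-CDA"):
    """The documentation record the guide asks for: what, when, by whom, where."""
    return {"exported_at": datetime.now(timezone.utc).isoformat(),
            "format": export_format, "operator": operator,
            "storage_location": storage_location,
            "document_count": len(manifest), "documents": manifest}

def ccda_stub(pid: str) -> bytes:
    # Constructed minimal document for the demo; 2.16.840.1.113883.19 is the
    # HL7 example OID root, not a real assigning authority.
    return (f'<ClinicalDocument xmlns="urn:hl7-org:v3"><recordTarget><patientRole>'
            f'<id root="2.16.840.1.113883.19.5" extension="{pid}"/>'
            f'</patientRole></recordTarget></ClinicalDocument>').encode()

SAMPLE_DOCS = {"p1001.xml": ccda_stub("1001"), "p1002.xml": ccda_stub("1002"),
               "broken.xml": b"<not xml"}         # constructed export set
EXPECTED_IDS = ["1001", "1002", "1003"]            # constructed old-system index

if __name__ == "__main__":
    missing, bad, manifest = validate_export(EXPECTED_IDS, SAMPLE_DOCS)
    print("missing:", missing, "unparseable:", bad)
    print(archive_log_entry(manifest, "practice.manager", "ARCHIVE_LOCATION_PLACEHOLDER"))
```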

Medi-EHR supports data export in industry-standard formats and provides full documentation of data portability processes to help practices transition smoothly. See our Term, Termination and Return of Data FAQ for details.

Frequently Asked Questions

At minimum, HIPAA requires covered entities to retain health record documentation for 6 years from the date of creation or last effective use. However, most states have their own requirements — and the stricter rule applies. For example, New Jersey requires 10 years for adult records. Always verify your specific state requirements and consult legal counsel.

Archiving moves records to a secure, separate, read-only storage environment while keeping them accessible for retrieval. Deleting permanently removes records. Under HIPAA, deletion before retention periods are met is non-compliant and can result in significant penalties. Even after retention periods expire, deletion must be done securely with documented procedures.

Archiving does not reduce your HIPAA obligations — archived records are still PHI and must be encrypted, access-controlled, and auditable. The archiving process itself, if done correctly with proper documentation, actually supports compliance by demonstrating your practice’s adherence to a written retention and security policy.

Technically yes, but format choice matters long-term. Records stored in proprietary formats may become unreadable if the vendor is discontinued. Best practice is to archive in open, standard formats (such as C-CDA, PDF/A for documents, or structured data exports) that will remain readable regardless of what software changes occur in your practice.

Your HIPAA Privacy Officer and Security Officer should oversee the archiving program. Practical execution may involve your practice manager and IT staff (or your EHR vendor’s support team). Having a single designated owner for records management — with documented responsibilities — is a HIPAA administrative safeguard requirement.

Conclusion: Build a Sustainable Records Management Strategy

Archiving old EHR records is not a one-time project — it’s an ongoing practice management discipline. The practices that do it well share a few common traits: they have a written policy, they’ve trained their staff, they use secure and compliant storage, and they document everything.

The cost of doing this wrong — in fines, breach liability, audit failures, and system performance degradation — far outweighs the investment of building a proper archiving program.

Whether you’re managing decades of legacy records, preparing for an EHR migration, or simply trying to bring your current system under better control, the principles outlined in this guide provide a solid foundation. Always work with your HIPAA compliance officer and legal counsel to tailor these practices to your specific situation.
