Mental Health Record Retention: How Long to Keep Therapy Records

Overview

Mental Health Record Retention: How Long to Keep Therapy Records

How long should you keep therapy records? The answer isn't simple - it depends on federal regulations, state laws, insurance requirements, malpractice considerations, and the population you serve.

Key takeaways

• Mental Health Record Retention: How Long to Keep Therapy Records How long should you keep therapy records?
• The answer isn't simple - it depends on federal regulations, state laws, insurance requirements, malpractice considerations, and the population you serve.
• Getting it wrong can leave you vulnerable to liability, licensing board complaints, and regulatory violations.
• Keep records too short and you can't defend against malpractice claims.
• Keep them too long and you face storage costs, security risks, and increased breach exposure.

Details

Getting it wrong can leave you vulnerable to liability, licensing board complaints, and regulatory violations. Keep records too short and you can't defend against malpractice claims. Keep them too long and you face storage costs, security risks, and increased breach exposure.

This comprehensive guide helps you navigate record retention requirements and establish compliant retention policies.

Why Record Retention Matters

Legal Protection

Your records may be needed years after treatment ends:Malpractice lawsuits (statutes of limitation can be long)Licensing board complaintsSubpoenas for court proceedingsDisability determinationsInsurance audits

If you don't have records, you can't defend your care.

Regulatory Compliance

Multiple regulatory frameworks impose retention requirements:State licensing lawsHIPAAMedicare/Medicaid conditionsState medical records lawsProfessional ethics codes

Continuity of Care

Former clients may:Return for treatmentNeed records for new providersRequest records for legal mattersNeed documentation for disability, custody, or other proceedings

Insurance and Billing

Payers may audit claims years after payment:Medicare: 5+ yearsMedicaid: Varies by stateCommercial: Per contract terms

For billing and audit guidance, see our documentation requirements guide.

Federal Requirements

HIPAA

HIPAA does not directly mandate clinical record retention periods. However, HIPAA does require:

Documentation Retention: HIPAA-related documentation must be retained for 6 years from creation or last effective date:Policies and proceduresPrivacy practices noticesAuthorization formsAccounting of disclosuresBusiness Associate AgreementsRisk assessmentsTraining records

Access Requirement: If a patient requests records you're required to maintain, you must provide access. This implies retention for whatever period state law requires.

The HHS HIPAA FAQ confirms HIPAA defers to state law for clinical record retention.

For comprehensive HIPAA guidance, see our HIPAA compliance checklist.

Medicare

Medicare Conditions of Participation require providers to retain records for at least 5 years from the date of service. Some Medicare Administrative Contractors (MACs) have longer requirements.

For Medicare billing guidance, see our Medicare billing guide.

Medicaid

Medicaid requirements vary by state but typically range from 5-10 years. Many states require retention for the longer of:5-6 years from date of service, OR3 years after final audit resolution

42 CFR Part 2

Substance use disorder records covered by 42 CFR Part 2 should be retained per state law and Part 2 requirements. Part 2 doesn't specify a retention period but requires records to be available for certain audits and patient requests.

For Part 2 guidance, see our 42 CFR Part 2 guide.

State Requirements

Variation Across States

State record retention requirements vary significantly:

Common patterns:Adult records: 7-10 years from last serviceMinor records: Until age of majority plus several yearsSome states: 10+ yearsSome states: No specific mental health retention period (general medical records law applies)

State-by-State Overview

Note: Laws change. Always verify current requirements with your state licensing board.

Important: This table is for general guidance only. Requirements may have changed, and specific rules may apply to different license types, settings, or record types. Always verify with your state licensing board.

Finding Your State's Requirements

Resources for current state requirements:State licensing board websiteState department of healthState medical records lawProfessional association guidanceAmerican Health Information Management Association

Malpractice Considerations

Statutes of Limitation

Malpractice statutes of limitation affect how long you may be sued for past services:

General pattern:2-6 years from injury or discovery of injury"Discovery rule" may extend period (limitation starts when injury is discovered)Special rules for minors (often extended until after reaching majority)

Recommendations from Malpractice Carriers

Most malpractice insurers recommend retention beyond minimum legal requirements:Adults: 10 years or statute of limitations, whichever is longerMinors: Until age 21-28 (age of majority plus statute of limitations)

Contact your malpractice carrier for their specific recommendations. Some carriers require certain retention periods for coverage.

Practical Recommendation

Conservative approach (recommended):Adult records: 10 years from last service OR until any statute of limitations expires, whichever is longerMinor records: Until patient reaches age 21-25 PLUS 7-10 years (varies by state)

This approach protects against most conceivable claims while managing storage burden.

Minor Records: Special Considerations

Extended Retention Required

Records for minors must be retained longer because:Statutes of limitation often don't begin until majorityDiscovery rule may extend limitationsMinor may not know about potential claims until adulthood

Calculating Retention Period

Formula: Age of majority + State retention period + Statute of limitations buffer

Example (California):Age of majority: 18State retention: 7 yearsStatute buffer: Add 3 years for discovery ruleMinimum: Until age 28

Example (New York):Age of majority: 21 (for some purposes)State retention: 6 yearsStatute buffer: Add 2.5 years (infant tolling rules)Minimum: Until approximately age 30

Practical Approach

For simplicity and protection, many practices retain minor records until the patient reaches age 25-30.

Parental Access Issues

Remember that minor records involve parental access rights, which complicates retention:Parents generally can access minor's recordsSome exceptions exist for certain treatmentsDocument any access restrictions

For confidentiality with minors, see our informed consent guide.

Special Record Types

Psychological Testing Materials

Psychological test materials have special considerations:Test protocols are proprietaryRaw test data requires professional interpretationSome materials should not be released directly to patientsAPA guidelines recommend retaining test data

Psychotherapy Notes (HIPAA Definition)

HIPAA-defined psychotherapy notes (personal notes kept separate from the medical record) may have different considerations:Not subject to same access requirementsMay be destroyed sooner if serving no clinical purposeConsult state law for specific requirements

Billing Records

Billing records should be retained for:Duration of clinical record retentionPlus any additional payer audit periods7-10 years is common recommendation

Correspondence and Releases

Retain all correspondence, authorization forms, and releases for at least the clinical record retention period:Signed authorizationsLetters to other providersRecords received from othersCommunications with third parties

Practice Closure or Retirement

Planning for Practice End

When closing a practice:Records must continue to be maintainedNotify patients and offer recordsTransfer records to another provider (with authorization)Arrange for secure storagePlan for record access during retention period

Options for Record Storage

Transfer to another provider:Notify patientsObtain authorization (recommended)Ensure receiving provider will maintain

Transfer to custodian:Another professionalProfessional associationRecords storage companyMust ensure security and compliance

Personal retention with access plan:Maintain personal controlEnsure successor has access if you become incapacitatedDocument procedures

State Requirements for Practice Closure

Many states have specific requirements for:Patient notification timeframeTransfer proceduresLicensing board notificationContinued availability of records

Check your state licensing board for specific requirements.

Secure Storage Requirements

Physical Records

Security requirements:Locked filing cabinetsLimited access (authorized personnel only)Secure facilityFire and water protectionEnvironmental controls

Organization:Clear filing systemEasy retrieval capabilityRegular inventoryDestruction scheduling

Electronic Records

Security requirements:Encryption at restEncryption in transitAccess controlsAudit loggingRegular backupsOff-site backup storageMalware protectionSecurity updates

Cloud storage considerations:Business Associate Agreement requiredData location/jurisdictionBackup proceduresProvider security certifications (SOC 2, HITRUST)Long-term provider viability

For HIPAA security requirements, see our HIPAA compliance guide.

Hybrid Approaches

Many practices have both paper and electronic records:Maintain consistent retention periodsConsider digitization of paper recordsDocument what is stored whereEnsure security for both formats

Record Destruction

When to Destroy

Create a destruction schedule:Identify retention period for each record typeCalculate destruction date based on last service + retention periodFlag records approaching destruction dateReview before destruction (ensure no litigation holds)Destroy according to secure methodsDocument destruction

Litigation Holds

Never destroy records that might be relevant to pending or anticipated litigation.

When litigation is possible:Suspend destruction for relevant recordsDocument the holdMaintain hold until litigation resolvedConsult attorney before lifting hold

Secure Destruction Methods

Paper records:Cross-cut shredding (confetti cut, not strip cut)Professional shredding service (obtain certificate of destruction)Incineration

Electronic records:Secure deletion software (not just "delete")Physical destruction of mediaDegaussing (for magnetic media)Certificate of destruction from vendor

Documentation of Destruction

Maintain permanent log of destroyed records:Patient identifier (may be coded)Date range of servicesDate of destructionMethod of destructionPerson responsibleCertificate from destruction vendor (if applicable)

Do NOT destroy the destruction log. Keep indefinitely.

What to Keep After Destruction

Even after destroying clinical records, consider retaining:Destruction logBasic identifying informationTreatment datesDischarge summary (in some cases)

This may help respond to future inquiries about whether treatment occurred.

Creating a Retention Policy

Policy Elements

Your written retention policy should include:Retention PeriodsAdult records: X years from last serviceMinor records: Until age X + Y yearsSpecial record types (testing, billing, etc.)Basis for chosen periods (state law, malpractice considerations)Storage RequirementsPhysical storage standardsElectronic storage standardsBackup proceduresSecurity measuresDestruction ProceduresTrigger for destruction reviewReview process before destructionDestruction methodsDocumentation requirementsLitigation hold proceduresPractice Closure ProvisionsNotification proceduresTransfer proceduresContinued access arrangementsResponsibility AssignmentWho monitors retention scheduleWho authorizes destructionWho maintains destruction log

Sample Policy Framework

[Practice Name] Record Retention PolicyRetention Periods:Adult clinical records: 10 years from date of last serviceMinor clinical records: Until patient reaches age 25, plus 10 yearsBilling records: 10 years from date of serviceHIPAA-related documentation: 6 years from creation or last effective dateAnnual Review: On [date] each year, records meeting destruction criteria will be identified and reviewed for litigation holds before destruction.Destruction Method: Paper records will be cross-cut shredded by [vendor]. Electronic records will be securely deleted using [method/software]. Certificates of destruction will be maintained indefinitely.Destruction Log: A permanent log will be maintained documenting all record destruction, including patient identifier, date range, destruction date, method, and responsible party.Litigation Hold: Upon notice of actual or anticipated litigation, relevant records will be preserved regardless of retention schedule. The [Privacy Officer/designated person] will be responsible for implementing and lifting litigation holds.

Frequently Asked Questions

Can I scan paper records and destroy the originals?

Yes, in most states, properly created electronic copies can replace paper originals. Ensure:Scan quality preserves all informationElectronic storage meets security requirementsBAA in place if using cloud storageOriginal is properly destroyed

What if I've already destroyed records I need?

If records were destroyed according to policy after the retention period:Document that records were destroyed per policyProvide what information you can from remaining documentationConsult attorney if litigation is involved

If records were destroyed improperly:Consult attorney immediatelyDocument what happenedReport to malpractice carrier if claim possible

Do I need to keep records for clients who never returned after intake?

Yes. All clinical records require retention regardless of treatment duration. One-session records should be retained for the same period as ongoing treatment records.

What about records from before I had a policy?

Apply your current retention policy to all records. Establish destruction dates based on last service date. Don't destroy records simply because they're old without following proper procedures.

Can patients request destruction of their records?

Generally, no. You have legal obligations to retain records regardless of patient preference. You may explain retention requirements to requesting patients.

How do I handle records after a client's death?

Continue to apply standard retention periods after a patient's death. Records may still be needed for:Estate proceedingsFamily members' health needsLegal mattersResearch

What about records for clients I never billed insurance for?

Retention requirements apply regardless of payer source. Cash-pay records need the same retention as insured records.

Should I keep records longer than required "just in case"?

Some providers do retain records indefinitely, but this creates:Storage costsSecurity burdensIncreased breach risk exposure

A well-documented retention policy followed consistently provides protection while managing burden.

Ease Health's EHR includes retention tracking, destruction scheduling, and compliant storage to help you manage records throughout their lifecycle. Schedule a demo to see how we simplify compliance.

Next steps

• Review the key takeaways and adapt them to your practice workflow.
• Use the details section as a checklist when you implement or troubleshoot.
• Share this with your billing or admin team to align on process and terminology.