How long must you keep therapy records? If you have ever found yourself staring at a filing cabinet wondering whether those decade-old files can finally go, you are not alone. The answer involves a complex web of state laws, licensing board requirements, ethical guidelines, and practical considerations. Getting it wrong could expose you to significant liability or licensure issues years after treatment ends.
Record retention might not be the most exciting aspect of running a therapy practice, but it is one of the most consequential. A well-documented record retention policy protects you legally, supports continuity of care, and demonstrates professional competence. This comprehensive guide breaks down everything you need to know about keeping, storing, and eventually destroying clinical records.
Why Record Retention Matters More Than You Think
Many therapists view record retention as purely administrative busywork. In reality, your retention practices serve several critical functions that directly impact your professional standing and legal protection.
First, there is the legal dimension. Malpractice claims can surface years after treatment ends, particularly with cases involving repressed memories, childhood trauma, or complex psychological injuries. Without adequate records, you cannot defend your clinical decisions or demonstrate the standard of care you provided.
Second, licensing boards may investigate complaints from former clients at any time. Having comprehensive records allows you to respond to board inquiries with documented evidence of your professional conduct and treatment approach.
Third, clients sometimes return to therapy years later or need records transferred to new providers. Maintaining accessible records supports continuity of care and honors your ongoing ethical obligation to former clients.
Understanding the Layers of Retention Requirements
Record retention requirements come from multiple sources, and you must comply with all of them. When requirements conflict, always follow the most stringent standard.
Federal Requirements (HIPAA)
- •Minimum 6 years from creation date
- •Or 6 years from last effective date
- •Applies to all covered entities
- •Includes policies and procedures
- •State laws may require longer
State Licensing Requirements
- •Varies significantly by state
- •Typically 5-10 years for adults
- •Extended periods for minors
- •May differ by license type
- •Check your specific board rules
State-by-State Variations You Need to Know
State requirements for clinical record retention vary dramatically. Some states specify exact timeframes while others defer to professional association guidelines. Here are some examples that illustrate the range:
California requires licensed psychologists to maintain records for a minimum of seven years following termination of services, with minor records kept until the minor reaches age 18 plus an additional seven years. Texas mandates seven years from the date of last treatment for adults. New York requires six years from the date of last entry. Florida specifies seven years from the last patient contact.
The variation becomes even more complex when you consider that different license types within the same state may have different requirements. A licensed clinical social worker and a licensed professional counselor practicing in the same office might face different retention mandates.
Important Consideration
If you practice across state lines through telehealth, you must comply with the retention requirements of every state where you are licensed and where your clients reside. This often means defaulting to the longest retention period among all applicable jurisdictions.
Special Requirements for Minor Clients
Records for minor clients require significantly longer retention periods. The general principle is that the statute of limitations for most claims does not begin until the minor reaches the age of majority (typically 18).
Most states require retention of minor records until the child reaches age 18, plus the standard adult retention period. This means if your state requires seven years for adult records and you treated a five-year-old, you may need to retain those records for 20 years or longer.
Some jurisdictions extend this even further for certain types of treatment, particularly cases involving abuse, trauma, or conditions that may have delayed manifestation of harm. When in doubt, consult with a healthcare attorney familiar with your state requirements.
Adult Client Records
- ✓7-10 years from last service date
- ✓Follow state-specific requirements
- ✓HIPAA minimum is 6 years
- ✓Consider malpractice statutes
Minor Client Records
- ✓Until age 18 plus adult retention period
- ✓May be 15-25 years total
- ✓Extended for abuse or trauma cases
- ✓Statute of limitations considerations
Ethical Guidelines From Professional Associations
Beyond legal requirements, professional associations provide ethical guidance on record retention that may exceed state minimums. The American Psychological Association recommends maintaining complete records for a minimum of three years after termination and a full record or summary for an additional twelve years.
The National Association of Social Workers recommends retaining records for the period required by state regulations, contractual obligations, or relevant laws, whichever is longest. The American Counseling Association similarly advises following the most stringent applicable requirement.
These ethical guidelines serve as professional best practices. While not legally binding in the same way as state regulations, failing to follow your professional association guidelines could be relevant in licensing board proceedings or malpractice litigation.
Secure Storage Throughout the Retention Period
Retention requirements are meaningless if records are not stored securely. HIPAA requires appropriate administrative, physical, and technical safeguards throughout the entire retention period, whether you are keeping records for six years or twenty-six years.
For paper records, this means locked filing cabinets in secured spaces with limited access. For electronic records, encryption, access controls, audit logs, and regular security assessments are essential. Cloud storage solutions must be HIPAA-compliant with appropriate Business Associate Agreements in place.
Secure Storage Checklist
Physical Records
- ✓ Locked filing cabinets
- ✓ Secured office space
- ✓ Limited key access
- ✓ Fire and water protection
Electronic Records
- ✓ End-to-end encryption
- ✓ Multi-factor authentication
- ✓ Regular backups
- ✓ BAA with vendors
Critical Exceptions - When You Cannot Destroy Records
Even when records have reached the end of their mandatory retention period, certain circumstances require you to continue maintaining them indefinitely.
Never destroy records if you are aware of pending or threatened litigation, licensing board complaints, or any legal hold. Active legal proceedings require preservation of all potentially relevant documents. Destroying records under these circumstances could constitute spoliation of evidence, resulting in adverse inference instructions, sanctions, or even criminal charges.
Never Destroy Records When
- ✗Litigation is pending or threatened
- ✗Licensing board complaint is active
- ✗Legal hold has been issued
- ✗Records may be needed for ongoing care
- ✗You have any doubt about requirements
Proper Record Destruction Procedures
When records have legitimately reached the end of their retention period and no exceptions apply, destruction must be complete and documented. HIPAA requires that protected health information be rendered unreadable, indecipherable, and unable to be reconstructed.
For paper records, cross-cut shredding or professional destruction services are appropriate. For electronic records, simple deletion is insufficient. Secure erasure using methods that overwrite data multiple times, degaussing, or physical destruction of storage media may be necessary.
Document your destruction process with a destruction log that records what was destroyed, when, how, and by whom. This log should be maintained permanently as evidence of your compliant destruction practices.
Proper Destruction Methods
- ✓Cross-cut shredding for paper
- ✓Secure data wiping for digital
- ✓Professional destruction services
- ✓Certificate of destruction
- ✓Maintain destruction log
Never Do This
- ✗Throw files in regular trash
- ✗Simple delete without overwrite
- ✗Leave hard drives intact
- ✗Destroy without documentation
- ✗Delegate without oversight
Creating Your Written Retention Policy
Every practice should have a written record retention policy that documents your procedures and ensures consistency. This policy should specify retention periods for different record types, storage procedures during retention, criteria for extending retention, destruction procedures and documentation, and responsibilities for policy implementation.
Review your policy annually and update it whenever regulations change or you expand into new jurisdictions. Train all staff members on the policy and maintain documentation of that training.
Your Retention Policy Should Include
- •Specific retention periods by record type
- •Storage location and security measures
- •Access control procedures
- •Backup and disaster recovery plans
- •Destruction procedures and timelines
- •Staff responsibilities and training
- •Legal hold procedures
- •Annual review schedule
Technology Solutions for Record Retention
Modern practice management software can significantly simplify record retention compliance. Look for systems that automatically track retention periods, flag records approaching destruction eligibility, maintain audit trails of access and modifications, support secure storage with encryption, and facilitate compliant destruction with documentation.
Cloud-based solutions offer particular advantages for long-term retention, eliminating concerns about hardware failure, physical storage space, and local disaster recovery. However, ensure any cloud provider signs a HIPAA Business Associate Agreement and maintains appropriate security certifications.
Frequently Asked Questions
Can I keep records indefinitely to be safe?
Yes, you can always retain records longer than required. However, indefinite retention creates storage costs, security obligations, and potential discovery burdens in litigation. A balanced approach follows the longest applicable requirement plus a reasonable buffer period.
What if my state has no specific retention requirement?
Default to HIPAA minimum of six years, your professional association guidelines, and the statute of limitations for malpractice claims in your state. Most attorneys recommend seven to ten years as a safe baseline for adult clients.
Do different record types have different retention periods?
Potentially yes. Some jurisdictions distinguish between full clinical records and summary documents. Financial and billing records may have different requirements. When in doubt, treat all client-related documents with the same retention standard as clinical records.
What happens if I close my practice?
You remain responsible for record retention even after closing your practice. Options include transferring records to a successor practice, engaging a record storage company, or maintaining personal custody. Notify former clients of the arrangement and how to access their records.
How do I handle records after a client death?
Client death does not trigger immediate destruction rights. Follow your standard retention periods. The personal representative of the estate may have rights to access records, and records may be relevant to estate litigation or insurance claims.
Key Takeaways
- ✓Know your state-specific requirements and follow the most stringent applicable standard
- ✓Minor client records require significantly longer retention - often until age 18 plus the adult period
- ✓Never destroy records during pending or threatened legal proceedings
- ✓Maintain security throughout the entire retention period with appropriate safeguards
- ✓Use proper destruction methods and document everything in a permanent log
- ✓When uncertain about requirements, err on the side of retaining records longer
- ✓Create and maintain a written retention policy with annual reviews
Record retention may not be the most glamorous aspect of clinical practice, but it is essential for protecting yourself and honoring your ongoing obligations to clients. A thoughtful approach to record management demonstrates professional competence and provides peace of mind that you are meeting your legal and ethical responsibilities.
By understanding the requirements, implementing secure storage, and following proper destruction procedures, you can manage your records confidently throughout their entire lifecycle. When questions arise, consult with a healthcare attorney familiar with the regulations in your jurisdiction.
Simplify Your Record Management
TheraFocus helps you stay compliant with secure, HIPAA-compliant record storage and automated retention tracking designed specifically for mental health professionals.
Start Your Free TrialFound this helpful?
Share it with your colleagues
TheraFocus Team
Practice Management Experts
The TheraFocus team is dedicated to empowering therapy practices with cutting-edge technology, expert guidance, and actionable insights on practice management, compliance, and clinical excellence.