A practical guide for mental health providers on building retention policies that meet legal standards and support quality patient care.

Running a private practice means wearing many hats. You serve as a clinician first, but you also run a business that protects sensitive patient records long after a client walks out the door. Records retention covers how long you keep records and how you store them, and it becomes urgent if a subpoena or audit shows up.

A good retention policy protects your clients, your license, and the practice you built. This guide walks through what goes into a policy and the daily choices that keep it solid.

Key takeaways

  • The Health Insurance Portability and Accountability Act (HIPAA) requires six years of compliance documentation. State laws set the clock for patient records.
  • Psychotherapy notes earn extra protection, so keep them in a separate file from the main chart.
  • Electronic records need encryption, access controls, multi-factor login, and offsite backups.
  • A written policy, reviewed each year, protects you during audits, complaints, and practice changes.

Why does records retention matter for private mental health practices?

Good retention keeps healthcare running smoothly, supports your defense against malpractice claims, and demonstrates due diligence during licensing reviews. Weak practices can potentially lead to HIPAA violations, board discipline, and a loss of trust.

Federal regulations and privacy laws

The HIPAA Privacy Rule requires covered entities (and, through a Business Associate Agreement (BAA), their business associates) to retain compliance documentation for six years from the date of creation or the last effective date, whichever is later. This covers policies, risk assessments, business associate agreements, training logs, and breach notifications. HIPAA does not set a timeline for patient records themselves. State law fills that gap.

Did you know?

In November 2024, the HHS Office for Civil Rights imposed a $100,000 penalty against a mental health center specifically for failing to provide timely access to patient records — a records management failure, not a data breach. Proper retention policies protect not just against breaches, but against compliance failures that can result in significant penalties.

State laws and licensing board requirements

State laws set the minimum retention period for patient records. Most states require five to 10 years for adult records, and records for minors remain longer. For example, in Texas, records must be kept for seven years, or five years after a client reaches the age of majority — whichever duration is greater. Licensing boards may layer their own rules on top. Check both before finalizing your policy.

Payer, insurer, and contract-based requirements

Insurance companies often demand longer storage than state law requires. The Centers for Medicare & Medicaid Services requires a minimum of seven years, and Medicare managed care extends that to up to 10 years, depending on plan type. Commercial payers list their own time frames. Read every contract before signing it.

Professional association guidelines and standards of care

The American Psychological Association recommends seven years after the last adult visit, and three years past the age of majority for children, whichever comes later. The National Association of Social Workers and the American Counseling Association do not have recommended retention time frames, but both organizations encourage clinicians to follow state guidelines.

What are the core components of a records-retention policy?

Every policy spells out five things: what records you keep, who oversees them, how long you keep them, where they live, and how you destroy them.

Roles and responsibilities within the practice

A records custodian is vital even in a solo practice. This person oversees storage, responds to requests, and tracks destruction. In group practices, name who handles intake, who owns patient records, and who signs off before destruction.

Retention periods and destruction timelines

Providers must list each record type next to its storage period and include the start and end dates of service. They must also set an annual check to identify records ready for destruction.

Procedures for secure storage and access

Providers should also document where records are stored, who can access them, and how access is tracked. For electronic records, that means user permissions, audit trails, encryption, and multi-factor login. For paper, that means locked cabinets in locked rooms with a limited number of keys.

Procedures for secure destruction and disposal

When it comes to document disposal, providers must shred paper using a cross-cut shredder or hire a HIPAA-aligned vendor that provides a certificate of destruction. Electronic files need secure deletion. In every case, log what was destroyed, when, and who did it.


What are the different types of clinical and administrative records?

Clinical treatment records include progress notes, treatment plans, diagnoses, and session summaries. Psychotherapy notes, your private thoughts about a session, earn extra protection and live in a separate file. They never include session times, medication details, or treatment modalities, which all stay in the main chart.

Intake, consent, and assessment paperwork covers history forms, informed consent, releases, and first assessments. Billing and financial records include superbills, insurance claims, payment logs, and explanations of benefits.

Psychological testing splits into two categories. You can release test data (client responses and scores) with valid authorization, while test materials (the manuals and questions) remain proprietary. Don’t share them with unqualified people, since exposure compromises the test’s future validity.

How do I determine appropriate retention periods?

When state law, professional standards, and insurance contracts give different answers, it is best practice to follow the longest timeline. For most adult clients, the safe baseline is seven to 10 years after the last visit. That window aligns with APA guidance and most state statutes of limitations.

Special considerations for minors and adolescents

Records for minors stay on file until the client reaches the age of majority plus the adult period, as defined by the state where the services took place. For example, depending on the state, a chart you opened for a client who was 7 at the time of treatment might need to be retained until that person turns 28.

High-risk cases and extended retention

Cases involving suicide risk, court involvement, custody fights, or serious medical issues call for longer storage. Many providers keep these records forever, since lawsuits can surface years later.
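As an added example (not code from Grow Therapy or the original article), the following Python applies the two rules above: take the longest of the state, payer, and professional timelines, and for a client who was a minor at the last visit, count from the age of majority. The year counts, the age of majority, and the Chart type are assumed values for illustration, not any state's statute.

```python
from dataclasses import dataclass
from datetime import date

# Assumed baseline rules, NOT any state's statute: years after the last date
# of service that each source requires for an adult chart.
SOURCES_YEARS = {"state": 7, "payer": 7, "apa": 7}
AGE_OF_MAJORITY = 18           # assumed; substitute your state's value
MINOR_YEARS_PAST_MAJORITY = 3  # APA-style "three years past majority" rule


def add_years(d: date, years: int) -> date:
    """Add calendar years, rolling Feb 29 back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Chart:
    client_dob: date
    last_service: date
    high_risk: bool = False  # court involvement, suicide risk, etc.


def retention_end(chart: Chart, sources=SOURCES_YEARS):
    """Earliest date the chart may be destroyed, or None for indefinite retention."""
    if chart.high_risk:
        return None  # high-risk cases: keep indefinitely per the guidance above
    adult_years = max(sources.values())  # "follow the longest timeline"
    candidates = [add_years(chart.last_service, adult_years)]
    majority = add_years(chart.client_dob, AGE_OF_MAJORITY)
    if chart.last_service < majority:  # client was a minor at the last visit
        candidates.append(add_years(majority, adult_years))  # majority + adult period
        candidates.append(add_years(majority, MINOR_YEARS_PAST_MAJORITY))
    return max(candidates)


def destruction_candidates(charts, today: date):
    """The annual check: charts whose retention window has fully elapsed."""
    return [c for c in charts
            if retention_end(c) is not None and retention_end(c) <= today]
```

Feed the output of `destruction_candidates` into your destruction log rather than deleting from it directly, so the custodian's sign-off and the date of destruction are recorded before anything is removed.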

Handling records after client death or long-term inactivity

A client’s death does not end your duty. HIPAA protects a deceased person’s health information for 50 years following the date of death, and only a legal personal representative can request records during that window.

For clients who discontinue care, you can measure elapsed time starting from the last documented contact.

Aligning with statutes of limitations for malpractice and complaints

Your state’s statute of limitations for professional negligence sets the outer edge of your legal risk. The statute of repose puts an absolute cutoff on when someone can file a claim, even if a client discovers the injury years later. Records should remain at least until the statute of repose expires.

Paper versus electronic health records

Most practices now use electronic health records (EHRs), but paper still appears in intake packets, signed consents, and older files. Each format calls for its own plan.

Paper records need a clear filing system, fireproof storage, limited access, and a process for pulling and returning files. EHRs make searching and logging easier, but add new risks. A strong backup follows the 3-2-1 rule: three copies of the data, on two types of media, with one offsite or in the cloud.

Hybrid systems, with some records on paper and others online, often appear during transitions. It’s important to note which records live in which format, and plan to scan or retire older paper files on a schedule.


What privacy and confidentiality concerns should I consider?

Privacy work in a private practice reaches well past locked cabinets. Different note types, communication tools, session formats, and legal requests each bring their own rules.

Protecting psychotherapy notes versus designated record sets

HIPAA treats psychotherapy notes differently from the rest of the chart. Releasing them requires separate authorization, and clients have no general right to see them. Keep them in their own file, apart from the main chart.

Use of email, texting, telehealth platforms, and portals

Regular email and standard text messaging platforms do not meet HIPAA requirements. Secure messaging within your EHR or a HIPAA-aligned platform is a must. You can also run telehealth on vendors that will sign a business associate agreement. Recordings and transcripts become part of the record.

Managing records for couples, families, and groups

Many practices keep one chart per case and record each participant’s involvement in the sessions. Other practices maintain one chart using the information of the identified client. A release requires authorization from every adult involved.

Responding to subpoenas, court orders, and legal requests

A subpoena from an attorney carries less weight than a court order signed by a judge. If you receive any legal notification for a release of records, call your professional liability carrier or an attorney immediately, notify the client when legally permissible, and release only the specific documentation the order requires. If a request appears overly broad or puts patient privacy at risk, your legal counsel can file a motion to protect the record.

How do I develop a written records retention policy?

It is best to start with every law and standard that applies, which includes state statutes, licensing board rules, HIPAA, and insurance company contracts. Draft clear steps that your team can follow without guesswork and list the source for each retention period.

Communicating retention policies to clients

Your Notice of Privacy Practices explains how you handle personal information, how long you retain it, and how clients can request access.

Responding to client requests to amend or restrict records

HIPAA gives clients the right to request changes to their personal information. You have 60 days to respond in writing. If you decline, the client can submit a statement of disagreement that stays in the file alongside the original note.

Staff training, onboarding and ongoing reviews

Thorough onboarding training minimizes future clerical errors. Yearly refresher courses, plus update training whenever laws or your EHR change, also help prevent misunderstandings. Log every training session so the record is available during an audit.

How do I manage paper and electronic data for records retention?

Paper security begins with locked cabinets, limited keys, and a sign-out sheet. Move to a secure offsite facility if your volume calls for it. Digital storage needs backups, encrypted cloud copies, multi-factor login, and a restore plan that you have actually tested.

Any cloud vendor that handles client data must sign a business associate agreement. Build a written plan to maintain access during a power outage, storm, or cyberattack. A yearly review with a healthcare attorney heads off bigger problems.

How are records managed across a practice’s lifecycle?

Opening a new private practice is the best time to build records retention into your foundation. Our guide to starting a private therapy practice covers the early choices that shape how your records system grows.

When a clinician joins or leaves a group, spell out ownership rules in writing and revoke digital access the day they depart. Client charts usually stay with the practice unless the agreement says otherwise.

Selling, merging, or closing a practice triggers legal duties. Naming a trusted colleague as records custodian ensures continuity in the event of an unexpected absence, illness, or closure. This person can notify clients, transfer files, and protect continuity of care. When selling a practice, you must give patients 90 days’ written notice and establish a records custodian and a business associate agreement with the new owner.

What are some common records retention mistakes?

Most retention failures trace back to the same handful of patterns. Watch for these four during your annual review.

Over-retention versus under-retention of records

Keeping records forever feels safe, but it piles on storage costs, breach risk, and audit confusion. However, destroying them too soon creates legal risk. The safest method is to set a clear time frame and stick to it.

Inconsistent documentation and policy drift

As practices grow, shortcuts can quietly replace written steps. Review your policy yearly to catch that drift before it becomes habit.

Inadequate security for electronic devices and media

Any electronic devices that touch patient records need encryption, strong passwords, and remote wiping. An unencrypted lost device counts as a reportable HIPAA breach.

Lack of documentation for record destruction

Destruction without a paper trail appears to an auditor as a missing record. Log what you destroyed, when, why, and who did it. Keep certificates of destruction from your shredding vendor.

Building a records retention policy takes time that most providers would rather spend with clients. That is where Grow Therapy can come in. Our credentialing and compliance support helps providers meet legal and payer rules.


Frequently asked questions

Under HIPAA, clients generally do not have the right to access psychotherapy notes — these are specifically excluded from the standard right of access that applies to the rest of the medical record. Psychotherapy notes are defined as a mental health professional’s private notes about a session, kept separately from the main chart. However, you can choose to share them with a client’s written authorization if you determine it is clinically appropriate. Some states have broader patient access rights than HIPAA provides, so it’s worth checking your state’s specific rules. If a client requests their records, you are required to provide access to the designated record set — which includes progress notes, treatment plans, diagnoses, and billing records — within 30 days of the request.

It depends on your state, your licensing board, and any insurance contracts you’ve signed. Most states require adult records to be kept for five to 10 years after the last date of service. Records for minors typically must be retained until the client reaches the age of majority plus the adult retention period. When state law, professional standards, and payer contracts give different answers, follow the longest timeline. For most providers, a safe baseline is seven to 10 years after the last visit.

When closing a practice, you are required to give patients at least 90 days’ written notice and establish a records custodian — a trusted colleague or professional service — who can respond to future records requests. You must also sign a business associate agreement with any entity that will store or manage the records going forward. Records cannot simply be destroyed at closure; they must be retained for the full applicable period and properly secured throughout.

Yes. Under HIPAA, psychotherapy notes must be stored in a separate file from the rest of the client’s medical record. This separation is what gives them their heightened privacy protection — including the requirement for separate written authorization before they can be released. Commingling psychotherapy notes with the main chart can inadvertently reduce their legal protection.

This article is not meant to be a replacement for medical advice. We recommend speaking with a therapist for personalized information about your mental health. If you don’t currently have a therapist, we can connect you with one who can offer support and address any questions or concerns. If you or your child is experiencing a medical emergency, is considering harming themselves or others, or is otherwise in imminent danger, you should dial 9-1-1 and/or go to the nearest emergency room.