California Medical Record Retention: HIPAA + CMIA Requirements for 2026
How long medical practices in California are required to keep patient records, what HIPAA and CMIA each demand, and what changes when records move from paper to scanned.
California medical practices operate under two overlapping retention regimes: federal HIPAA rules and California's Confidentiality of Medical Information Act (CMIA). The two regulations answer slightly different questions, and most practices get one wrong.
This post is a practical reference, not legal advice. It pulls together the rules that come up most often during chart cleanup, practice sale, and EHR migration.
What HIPAA actually requires
HIPAA's record retention rule covers HIPAA documentation: Notices of Privacy Practices, Business Associate Agreements, training records, risk assessments, breach notifications. Those must be retained for six years from the date of creation or the date when last in effect, whichever is later.
HIPAA does not set a retention period for the medical record itself. That part is left to state law.
This is the most common point of confusion: practices believe HIPAA requires them to keep charts for six or seven years. It does not. HIPAA requires them to keep HIPAA-related documentation for six years.
What CMIA requires
California's CMIA and related Business and Professions Code sections set retention requirements for the patient record itself. The baseline rules:
- Adult patients: at least seven years from the date of the patient's last discharge.
- Minor patients: at least one year after the patient reaches age 18, and never less than seven years.
Several specialty boards layer additional requirements. The Medical Board of California, the Dental Board, and the Board of Behavioral Sciences each publish guidance that may extend retention for specific document types.
Where the rules differ in practice
In a typical scanning project, the practical answer is: a record needs to survive at least seven years from last patient interaction, and longer for minors. After that, the practice may legally dispose of it, subject to confidential destruction requirements.
Two practical edge cases:
- Records of deceased patients: California requires the same retention as a living patient. Records cannot be destroyed earlier simply because a patient has died.
- Records involving litigation or audit: any record under active legal hold, subpoena, or insurance audit must be preserved regardless of the standard retention period.
Scanned records vs paper originals
Once a record has been digitized into a searchable, complete, and accessible format, California permits practices to dispose of the paper originals. The digital record is the legal record provided the digitization process meets reasonable accuracy and integrity standards.
This is the legal foundation for most scanning projects. Decades of paper can be reduced to a small, searchable archive, and the practice gains operational efficiency without sacrificing compliance.
The practical implications:
- The digital copy must be complete (no missing pages, no truncated documents).
- It must be readable for the full retention period.
- It must be protected against unauthorized access for the same period.
- Indexing should allow records to be retrieved on request within a reasonable time.
Destruction requirements
After the retention period ends, California requires that the destruction itself be handled in a way that protects the confidentiality of the information. For paper, this means shredding or pulping by a qualified destruction service, with a Certificate of Destruction retained. For digital media, certified data wiping or physical destruction of the storage media is required.
A practice that simply throws old charts into a recycling bin has likely committed a CMIA violation, regardless of how old the records are.
What ArchiveBridge does about this
ArchiveBridge digitizes patient records onsite under a Business Associate Agreement, indexes them by patient and document type, and delivers the searchable archive into your EHR or office-controlled storage. Physical originals stay in your office throughout the project. Once your team has verified the digital archive, we can coordinate with a certified destruction partner for the originals.
If you are heading into a practice sale, retirement, or EHR migration and are unsure about the retention rules, request a quote and we will walk through your specific archive before any scanning begins.
More from the blog
How Long Do California Dentists Need to Keep Patient Charts?
The actual record retention rules dental practices in California operate under, including the special cases that come up at practice sale, retirement, and Medicare/Medi-Cal participation.
ComplianceClosed Legal File Retention Under ABA Rule 1.6: A California Checklist
What ABA Rule 1.6 and California Rule of Professional Conduct 1.16(e) actually require for retention and disposition of client files, with practical guidance for chart cleanup and digitization.
ComplianceFTC Safeguards Rule for Small CPA Firms: A Practical Document Handling Guide
What the revised FTC Safeguards Rule actually requires for accounting firms, including the document handling requirements that matter for digitization and storage.