Therapy Records Retention and Destruction: What Every Therapist Needs to Know

Therapy Records Retention and Destruction: What Every Therapist Needs to Know

A practical guide covering how long therapists must keep client records, how to destroy them properly, what happens when you retire or close a practice, and the common mistakes that create liability.

Why Records Retention Creates More Anxiety Than It Should

Most therapists have a vague sense that they are supposed to keep records "for a certain number of years," but the details stay fuzzy until something forces the question. A client calls five years after termination asking for their records. You get a subpoena for a case from 2019. You decide to retire and realize you have a storage unit full of paper files and no idea what to do with them.

The rules around records retention (how long you must keep clinical records) and records destruction (how to safely dispose of them) are genuinely complicated, mostly because they exist at multiple legal layers simultaneously: federal law, state law, licensing board rules, and malpractice insurance requirements. These layers sometimes agree with each other and sometimes point in different directions. When they conflict, the more protective standard usually wins, which almost always means keeping records longer than the federal minimum.

This guide gives you a practical framework. It covers the general rules, the critical exceptions for minor clients, state-by-state variation, digital versus paper destruction methods, what to do when you retire or transfer a practice, and the mistakes that most commonly create liability. It is not a substitute for your state's specific rules or for a consultation with a healthcare attorney when the stakes are high, but it will give you the knowledge to ask the right questions.

The Federal Baseline: What HIPAA Actually Requires

Let us start with the most common misconception. HIPAA, the Health Insurance Portability and Accountability Act, does not require therapists to keep client records for a specific number of years. What HIPAA does require is that covered entities retain their policies and procedures related to the Privacy and Security Rules for six years from the date of creation or the date they were last in effect, whichever is later (45 CFR § 164.530(j)).

That is a policy document retention requirement, not a clinical records retention requirement.

HIPAA defers to state law for how long actual client records must be kept. This is why the first step in any records retention question is always: what does my state say?

The exception is if you participate in Medicare or Medicaid. CMS (Centers for Medicare and Medicaid Services) requires that records related to Medicare services be kept for at least five years from the date of service. Medicaid adds another layer: records supporting Medicaid claims must generally be retained for five years, though some states extend this to seven or even ten years. If you bill either program, use their requirements as a floor, not a ceiling.

State Law Is Where the Real Rules Live

Every state has its own statute or regulation governing how long mental health records must be retained. The variation is significant:

  • California: Seven years from the date of service (or from the client's discharge from treatment). For minors, records must be kept until the client turns 25 or for seven years from the last date of service, whichever is later.
  • Texas: As a general rule, ten years from the date of service for adults.
  • New York: Six years from the date of service for adults, with extensions for minors.
  • Florida: Seven years from the date of the last entry for mental health records; minors' records must be kept until the client turns 18, plus an additional seven years.
  • Illinois: Ten years from the date of last treatment for most licensed mental health professionals.

These numbers should be treated as illustrative, not authoritative for your jurisdiction. State rules change through legislative sessions and regulatory updates, and the specific wording of your state's statute matters: some states measure from the date of last service, others from the date of discharge or termination, and others from the date of the last entry in the record.

Your state licensing board is the most reliable source. Most boards publish retention requirements in their administrative rules or FAQs, and some have ethics guidance that supplements the statutory language. Looking up your licensing board's published guidance takes ten minutes and is worth the effort.

Minor Clients: The Rule That Surprises Therapists

The rules that most frequently catch therapists off guard involve minor clients. When you see an 8-year-old client, the standard adult retention clock does not apply.

Most states require that records for clients who were minors at the time of treatment be retained until the client reaches the age of majority (typically 18) plus an additional period, often the standard adult retention requirement. So if your state requires seven years from the last date of service, and you treated a 12-year-old client, you may be required to keep that record until the client turns 25 (age 18 + 7 years), even if the actual treatment lasted only a few months.

The rationale is straightforward: a minor cannot sue in their own name during childhood. Statutes of limitations for malpractice claims by minors typically do not begin running until the client reaches adulthood. Destroying records before the minor client can bring a claim, if they ever have reason to, would eliminate the only evidence relevant to that claim.

Example: Dr. Valentina Ruiz treats 10-year-old Santiago for anxiety following a family trauma. Treatment ends when Santiago is 12. Her state requires a seven-year adult retention period from last date of service. She should plan to keep Santiago's records until he turns 25 (age 18 + 7 years), not until 2031 (seven years from the last session).

This is a meaningful operational difference, especially for therapists who see a lot of children and adolescents. If you work in a school-based setting, with pediatric populations, or in community mental health where minor clients are common, your retention periods are likely longer than you think.

Insurance Company and Malpractice Carrier Requirements

Your malpractice insurance carrier may impose retention requirements that exceed your state's minimum. This is especially common with policies that use a claims-made structure rather than an occurrence structure.

Under a claims-made policy, you are only covered for claims made while the policy is active, or within a specific tail coverage period after the policy ends. If a client from 2018 files a complaint in 2026 and you let your claims-made policy lapse in 2022 without purchasing extended reporting (tail) coverage, you may have no malpractice coverage for that claim. More relevant to records: if you destroyed the records in 2024, you also have no documentation to defend yourself.

Under an occurrence policy, you are covered for anything that happened during the policy period, regardless of when the claim is made. These policies are more protective in long-tail situations, but they are also less common in mental health practice.

Check your policy documents or call your carrier. Ask: "What retention period do you recommend for client records, and does this change based on whether I have claims-made or occurrence coverage?" The answer may surprise you. Some carriers recommend ten years or longer for clinical records, regardless of what your state requires.

Digital Records: Cloud Storage, EHR Systems, and What "Retained" Actually Means

The shift to electronic health records (EHR) and cloud-based documentation platforms has introduced a question therapists in the paper era never had to ask: if my records are stored in a third-party system, am I the one retaining them, or is the vendor?

From a legal standpoint, the answer is clear: you are the custodian of your client's records regardless of where they are physically stored. If you document sessions in an EHR and the EHR company goes out of business, takes the data offline, or changes its terms of service, you are the party with the legal obligation to have retained those records. The technology vendor is not your co-defendant if records are inaccessible when you need them.

This has practical implications:

Backup your records independently. If you use a cloud-based EHR or documentation tool, maintain your own periodic export of client records in a secure, encrypted format. Most EHR systems allow data export. Do it at least annually and store the export in a location you control: a HIPAA-compliant cloud storage account or an encrypted external drive kept somewhere physically secure.

Know your vendor's data retention policy. If you stop paying for a service, how long does the vendor retain your data? What format is it in? Can you export it after account cancellation? These questions matter enormously if you ever switch platforms, retire, or close your practice.

Understand what "end of life" means for your data. Some tools delete records after account termination. If you cancel a subscription and then need records three years later for a subpoena, "the software company deleted them" is not a legal defense.

If you use a tool like NotuDocs to draft session notes and then transfer finalized notes into your EHR or a secure file system, make sure the final retained copy is in your controlled storage, not only in the drafting tool.

Proper Destruction: What "Destroying Records" Actually Requires

When the retention period is over, you cannot simply recycle paper files or delete digital files from your desktop. Improper destruction of records containing PHI is a potential HIPAA violation and, in some states, a licensing board violation.

Paper Records

Paper records containing PHI must be destroyed in a way that renders the information unreadable and unreconstructable. The HIPAA Security Rule guidance (45 CFR § 164.310(d)(2)(i)) specifies shredding as an appropriate method. Crumpling papers and throwing them in a dumpster does not meet the standard.

Acceptable destruction methods for paper records:

  • Cross-cut shredding (not strip shredding, which leaves strips that can be reassembled)
  • Burning (where legally permitted)
  • Pulping or macerating (dissolving in liquid)
  • Certified destruction through a professional document destruction service

If you use a document destruction vendor, the vendor should provide a certificate of destruction, a document that records the date, method of destruction, and the specific records or volume of records destroyed. Keep that certificate permanently. It is your evidence that you destroyed the records appropriately if a client or regulator later questions you.

Electronic Records

Digital destruction is more complex than paper destruction. Deleting a file from your computer, even emptying the trash, does not destroy the data; it removes the file directory entry but leaves the data recoverable on the drive.

Acceptable electronic destruction methods:

  • Overwriting the storage media with random data (often called "wiping"), using DOD 5220.22-M or equivalent multi-pass standard
  • Degaussing, which uses a strong magnetic field to scramble magnetic storage media (effective for hard drives but not SSDs or flash storage)
  • Physical destruction of storage media: shredding, crushing, or disintegrating the drive
  • Cryptographic erasure: if the data was encrypted with a key you control, destroying the encryption key renders the data permanently unrecoverable

For cloud-stored records, "destruction" means ensuring the vendor has confirmed data deletion through their secure deletion processes, and ideally obtaining written confirmation. Read your vendor's data deletion policy before relying on it.

Documenting Destruction

Whether you destroy paper or digital records, document the act. A simple destruction log entry is sufficient:

  • Client name or identifier (if your destruction log itself is a record, handle it securely)
  • Type of records destroyed (e.g., "progress notes, intake, treatment plan")
  • Date range of records destroyed
  • Date of destruction
  • Method used
  • Your signature, and if you used a vendor, the certificate they provided

Some state licensing boards require therapists to maintain destruction logs for a specified period. Even if yours does not require it, a destruction log protects you.

Practice Closure and Retirement: The Most Overlooked Scenario

The most common point at which therapists discover they had no plan for records is when they decide to retire, close a private practice, or otherwise stop seeing clients.

The obligations do not end when you stop practicing. Your clients' records must remain accessible and retained for the full statutory period regardless of whether you are actively licensed and seeing clients. If a client who terminated with you in 2020 needs their records in 2028, the fact that you retired in 2023 is not a legal reason to have destroyed them prematurely.

Steps for a Planned Practice Closure

Plan early. If you know you are retiring in 12 months, start your records planning now. Do not leave this to the final weeks.

Notify clients. Send written notice to all current clients well in advance, and attempt to notify former clients by the method listed in their file (mail, email) that your practice is closing. Include: your expected last date of seeing clients, how records will be stored and by whom, how they can request their records before and after closure, and any applicable fees.

Arrange for record custodianship. You need someone who will physically or electronically hold the records for the remainder of the required retention period and respond to records requests on your behalf. Options include:

  • A successor clinician who is taking over your caseload and agrees to serve as records custodian
  • A secure record storage service that specializes in medical and mental health records
  • A healthcare attorney or practice management consultant who provides records custodianship services

Whatever arrangement you make, document it in writing. If you die or become incapacitated without an arrangement in place, your estate executor may not have any idea what to do with your client files, and the results can be chaotic and potentially harmful to your former clients.

Update your HIPAA Notice of Privacy Practices (if you are covered under HIPAA) to reflect the new custodian's contact information.

Close digital accounts carefully. If your records are in an EHR or cloud platform, export everything before you cancel your account. Then follow the platform's account closure procedures and obtain confirmation of data handling.

Transferring Records to a Successor Clinician

When a therapist closes a practice and a colleague takes over an active caseload, record transfer requires more than just handing someone a box of files.

First, you need client consent for the transfer. Under HIPAA, transferring a client's records to a new treating provider typically falls within the treatment exception to the authorization requirement, meaning you can share records with a successor treating clinician without a separate signed authorization. But some state laws require explicit written consent before records transfer even between treating providers. Know your state's rule before assuming the HIPAA treatment exception is sufficient.

Second, the receiving clinician needs to understand what they are taking on. This includes: knowing the retention period still applies from the original date of service, understanding that psychotherapy notes (as defined under HIPAA) require separate authorization to disclose even to a successor provider, and confirming that the successor clinician's system can securely store the records for the duration of the required retention period.

Third, once records are transferred and the original therapist's retention obligation is met by the new custodian, the original therapist should document the transfer and confirm it in writing.

Common Mistakes That Create Liability

Applying a Single Retention Period to All Records

The most common error is treating every client record the same. Minor client records, records tied to Medicare or Medicaid billing, records from states with ten-year requirements, and records from a client who filed a complaint all have different retention considerations. A blanket "seven years from last contact" policy will be wrong in some portion of your caseload.

Destroying Records Without Documentation

Destroying expired records is appropriate and often necessary. Destroying them without a paper trail is the mistake. If you ever need to demonstrate that records were appropriately destroyed, or that certain records never existed, a destruction log is your only evidence.

Relying on a Vendor's Default Data Deletion

Assuming that cancelling a software subscription deletes your records in a HIPAA-compliant way is a mistake. Read the data deletion policy, confirm the process in writing, and export your data before cancellation.

Failing to Plan for Death or Incapacity

Every therapist in private practice should have a professional will: a document that designates who will take over client notification, records custodianship, and closure responsibilities if the therapist dies or becomes incapacitated suddenly. This is not morbid planning; it is an ethical and legal obligation to your clients. The American Psychological Association and NASW both publish guidance on professional wills. If you do not have one, create one.

Assuming State Requirements Match the State Where You Were Licensed

If you provide telehealth to clients across state lines, the relevant records law may be the law of the state where the client is located, not the state where you are licensed. This is unsettled in some jurisdictions, but the safer approach is to apply the more protective of the two state standards.

Destroying Records Before the Clock Actually Starts

The retention clock starts from a specific triggering event: last date of service, date of termination, date of discharge, or date of last entry, depending on your state's language. Misreading the trigger can mean destroying records years before they are legally eligible for destruction. For minor clients, read the rule again: the clock may not start until the client turns 18.

Quick Reference Checklist

Before Establishing Your Records Policy

  • Look up your state's specific statutory retention period (board website or legal counsel)
  • Check for separate minor client retention rules in your state
  • Review your malpractice policy type (claims-made vs. occurrence) and carrier retention recommendations
  • If you bill Medicare or Medicaid, confirm CMS retention requirements and apply whichever is longer

For Active Records Management

  • Maintain a records index so you know what you have and when each file becomes eligible for destruction
  • Back up electronic records independently from your documentation platform, at least annually
  • Know your EHR or documentation vendor's data retention and deletion policies in writing
  • Store destruction logs permanently, separate from the records they document

For Records Destruction

  • Confirm the retention period is genuinely expired before scheduling destruction
  • Use cross-cut shredding (paper) or verified digital wiping, degaussing, or physical media destruction (electronic)
  • Obtain a certificate of destruction from any third-party vendor you use
  • Log every destruction event: client identifier, record type, date range, destruction date, method

For Practice Closure or Retirement

  • Begin planning at least 12 months before your intended last date of service
  • Send written notice to current and former clients with records custodian information
  • Arrange for a named records custodian and document the arrangement in writing
  • Draft or update your professional will to address records if you die or become incapacitated
  • Export all electronic records before cancelling any platform subscriptions
  • Confirm successor clinician's capacity to hold records for the full remaining retention period

For Minor Client Records

  • Identify all minor clients in your records system with a separate retention flag
  • Calculate the correct destruction date: age of majority + state adult retention period
  • Apply the longer standard if there is ambiguity between state-law triggers

Related reading: What to Do When a Client Requests Their Therapy Records | How to Document Crisis Intervention and Suicide Risk Assessments | How to Catch Up on a Documentation Backlog

Verwandte Artikel

NotuDocs vs BastionGPT: Template-First Notes vs HIPAA-Compliant AI Platform

NotuDocs vs BastionGPT: Template-First Notes vs HIPAA-Compliant AI Platform

A detailed comparison of NotuDocs and BastionGPT for healthcare professionals. Covers workflow differences between recording-based and template-based documentation, HIPAA compliance posture, template control, pricing tiers, and which tool fits solo practitioners versus regulated institutional environments.

NotuDocs vs Carepatron: Focused Clinical Documentation vs All-in-One Practice Platform

NotuDocs vs Carepatron: Focused Clinical Documentation vs All-in-One Practice Platform

Direct comparison of NotuDocs and Carepatron for therapists and clinics choosing between a dedicated documentation workflow and an all-in-one practice management platform.

NotuDocs vs Chartnote: Template-First Notes vs Multi-Specialty AI Medical Scribe

NotuDocs vs Chartnote: Template-First Notes vs Multi-Specialty AI Medical Scribe

A direct comparison of NotuDocs ($25/mo) and Chartnote (free to $99.99/mo) for clinicians across medicine, behavioral health, chiropractic, and beyond. Covers workflow differences, hallucination risk, credit-based pricing, HIPAA compliance, template control, and which tool fits which practice type.

Schluss mit Notizen von Grund auf

NotuDocs verwandelt Ihre rohen Sitzungsnotizen automatisch in strukturierte, professionelle Dokumente. Wählen Sie eine Vorlage, nehmen Sie Ihre Sitzung auf und exportieren Sie in Sekunden.

NotuDocs kostenlos testen

Keine Kreditkarte erforderlich