Destroy Medical Records Securely

When medical records are eligible for destruction, they can be shredded (and recycled) or burned. Here are some guidelines to follow:

  • Maintain records scheduled for destruction in a secure location to guard against inappropriate access until the destruction is complete.
  • Whether you shred the records yourself in your office or hire a record destruction company, create a permanent record destruction log, individually listing all medical records with the following information:  
    • Patient name and medical record number (or other identifier);
    • Date of destruction, combined with a notation that the record was destroyed in accordance with the retention policy; and
    • Signature of staff person performing the destruction, or if you are using a record destruction company, the name of the company and signature(s) of individuals witnessing the destruction. (Add signatures after the destruction has been completed.)

Also, if you use an outside company,

  • Make sure the destruction contract specifies the method of destruction and time to elapse between acquisition and destruction.
  • Establish safeguards for confidentiality.
  • Follow the record destruction company's protocol for carrying out the actual destruction.
  • Obtain a certificate of destruction from the company and file it with your log.
  • Obtain a statement that records were destroyed in the normal course of business.
  • Indemnify your practice from loss due to unauthorized disclosure.

Note: Medical records are eligible for destruction after a minimum of seven years from the anniversary of the last date of treatment or, if the patient is a minor, seven years from the anniversary of the last date of treatment or until the minor reaches 21 (whichever is later). Do not destroy medical records that relate to any civil, criminal, or administrative proceeding if you know the proceeding has not been finally resolved. Follow any state and federal regulation that requires you to retain medical records longer than the above time periods. Read Retention of Medical Records (TMA members only) for more details. See also: How to Delete Data — for Real for advice on destroying electronic storage securely, and the U.S. Health and Human Services' Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

TMA Knowledge Center reports it receives more questions from physicians and their staff about medical records than about any other topic. You can find valuable information in the TMA publication Managing Your Medical Records, available for purchase through the TMA Education Center.

Revised Feb. 28, 2013

NOTICE: Please check the Texas Medical Board Web site for current updates on its rules and policies with respect to this issue. The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought.



Last Updated On June 28, 2016