Why Retention Requirements Matter
Medical record retention rules exist at three levels: federal law (HIPAA), state law, and payer contract requirements. ABA practices must comply with all three simultaneously — and the most restrictive requirement governs. Failing to retain records long enough can result in failed audits, uncollectable claims, and HIPAA penalties. Retaining records too long without proper security creates unnecessary PHI risk.
Federal Requirements (HIPAA)
HIPAA requires covered entities to retain documentation of policies and procedures for 6 years from creation or last effective date. HIPAA does not set a minimum retention period for actual patient medical records — that is left to state law. However, HIPAA does require that records be available for patient access and audits during the retention window.
General State Law Guidelines
| Record Type | Typical Retention Period | Notes |
|---|---|---|
| Adult patient medical records | 7–10 years from last service date | Varies significantly by state (some as few as 5 years, some as many as 10) |
| Minor patient medical records | Until age of majority + 7 years | If patient is a minor, the clock starts when they turn 18 in most states |
| Billing records and claims | 7 years | IRS requirement; also standard for Medicaid and Medicare audits |
| Authorization documentation | 7 years from last service covered | Retain auth number, effective dates, authorized units |
| ERA / EOB / payment posting records | 7 years | Required for audit and appeal purposes |
| HIPAA policies and procedures | 6 years from creation or last effective date | Federal HIPAA requirement |
| Business associate agreements (BAA) | 6 years after expiration | Retain after vendor relationship ends |
Payer Contract Requirements
Most commercial payer contracts and Medicaid provider agreements require records to be retained for 7–10 years and made available upon audit request within a defined timeframe (typically 30–60 days). Always review the specific retention clause in your provider agreements — this may be more stringent than your state's minimum.
What Must Be Retained for ABA Claims Audits
During a payer audit or RAC (Recovery Audit Contractor) audit, ABA practices are typically required to produce:
- Signed consent forms and intake documentation
- DSM-5 autism diagnosis documentation
- Behavior identification assessment reports (97151)
- Behavior intervention plans (BIPs) — all versions
- Session notes for every billed service date
- Supervision logs (BCBA oversight documentation)
- Authorization approvals with effective dates and authorized units
- ERA/EOB showing payment for each billed claim
- Staff credentials (BCBA certification, RBT certification, CPR, etc.) current as of service dates
Secure Destruction of Expired Records
Once records have passed their retention period, they must be destroyed securely to protect PHI. HIPAA requires destruction methods that make PHI unreadable and unrecoverable:
- Paper records: Cross-cut shredding by a HIPAA-compliant shredding vendor
- Electronic records: DoD-standard data wiping or physical destruction of storage media
- Cloud-stored records: Confirmed deletion from all backup systems, including vendor backups
Document all destruction with a certificate of destruction, and retain that certificate for 6 years.
State-Specific Resources
Because state requirements vary significantly, always verify retention requirements with your state's Department of Health, state Medicaid agency, and your healthcare compliance attorney. Key resources:
- Your state's Medical Records Act or Health Records Act
- State Medicaid provider manual (retention section)
- Your state's BCBA licensing board requirements