Compliance

Medical Record Retention Requirements for ABA Providers

How long ABA practices must retain patient records, billing documentation, and authorization records under HIPAA, federal, and state law.

6 min read·May 5, 2025

Why Retention Requirements Matter

Medical record retention rules exist at three levels: federal law (HIPAA), state law, and payer contract requirements. ABA practices must comply with all three simultaneously — and the most restrictive requirement governs. Failing to retain records long enough can result in failed audits, uncollectable claims, and HIPAA penalties. Retaining records too long without proper security creates unnecessary PHI risk.

Federal Requirements (HIPAA)

HIPAA requires covered entities to retain documentation of policies and procedures for 6 years from creation or last effective date. HIPAA does not set a minimum retention period for actual patient medical records — that is left to state law. However, HIPAA does require that records be available for patient access and audits during the retention window.

General State Law Guidelines

Record TypeTypical Retention PeriodNotes
Adult patient medical records7–10 years from last service dateVaries significantly by state (some as few as 5 years, some as many as 10)
Minor patient medical recordsUntil age of majority + 7 yearsIf patient is a minor, the clock starts when they turn 18 in most states
Billing records and claims7 yearsIRS requirement; also standard for Medicaid and Medicare audits
Authorization documentation7 years from last service coveredRetain auth number, effective dates, authorized units
ERA / EOB / payment posting records7 yearsRequired for audit and appeal purposes
HIPAA policies and procedures6 years from creation or last effective dateFederal HIPAA requirement
Business associate agreements (BAA)6 years after expirationRetain after vendor relationship ends

Payer Contract Requirements

Most commercial payer contracts and Medicaid provider agreements require records to be retained for 7–10 years and made available upon audit request within a defined timeframe (typically 30–60 days). Always review the specific retention clause in your provider agreements — this may be more stringent than your state's minimum.

What Must Be Retained for ABA Claims Audits

During a payer audit or RAC (Recovery Audit Contractor) audit, ABA practices are typically required to produce:

  • Signed consent forms and intake documentation
  • DSM-5 autism diagnosis documentation
  • Behavior identification assessment reports (97151)
  • Behavior intervention plans (BIPs) — all versions
  • Session notes for every billed service date
  • Supervision logs (BCBA oversight documentation)
  • Authorization approvals with effective dates and authorized units
  • ERA/EOB showing payment for each billed claim
  • Staff credentials (BCBA certification, RBT certification, CPR, etc.) current as of service dates

Secure Destruction of Expired Records

Once records have passed their retention period, they must be destroyed securely to protect PHI. HIPAA requires destruction methods that make PHI unreadable and unrecoverable:

  • Paper records: Cross-cut shredding by a HIPAA-compliant shredding vendor
  • Electronic records: DoD-standard data wiping or physical destruction of storage media
  • Cloud-stored records: Confirmed deletion from all backup systems, including vendor backups

Document all destruction with a certificate of destruction, and retain that certificate for 6 years.

State-Specific Resources

Because state requirements vary significantly, always verify retention requirements with your state's Department of Health, state Medicaid agency, and your healthcare compliance attorney. Key resources:

  • Your state's Medical Records Act or Health Records Act
  • State Medicaid provider manual (retention section)
  • Your state's BCBA licensing board requirements
← Back to Coding Library
Was this helpful?