Closing Your Therapy Practice? Here's What HIPAA Requires
Therapists retire. They move across the country. They pivot to coaching, take a job at a group practice, or simply decide they're done. It happens constantly — and almost nobody talks about what HIPAA expects when the lights go off.
Here's the uncomfortable truth: closing your practice does not close your HIPAA obligations. The records you've created don't stop being protected health information just because you've stopped seeing clients. Your duties as a covered entity follow those records until they're properly retained, transferred, or destroyed.
This guide walks through exactly what you need to do — the retention timeline, how to destroy records securely when the time comes, how to notify patients, and what happens to your vendor agreements.
HIPAA Obligations Don't End When You Close
A common misconception is that HIPAA only applies to "active" practices. It doesn't. As long as you hold protected health information (PHI), you remain a covered entity for the purposes of safeguarding that information.
That means even after you've stopped scheduling appointments, you're still responsible for:
- Keeping records confidential and secure
- Responding to patient requests for their records
- Honoring breach notification rules if something goes wrong
- Maintaining the safeguards required by the Security Rule for any ePHI you still store
In practical terms, if you have a hard drive in your closet with five years of session notes, HIPAA still governs that hard drive. The obligation persists until those records are gone or in someone else's lawful custody.
How Long You Must Keep Records
This is where most therapists get confused, because there are actually two different retention questions hiding inside one.
HIPAA documentation: 6 years
HIPAA itself does have a hard retention rule — but it's for your compliance documentation, not your clinical records. Under 45 CFR § 164.316(b)(2), you must retain your HIPAA policies, procedures, risk analyses, training logs, and similar documentation for six years from the date they were created or last in effect, whichever is later.
So if you wrote your Security Policy in 2021 and it stayed in effect until you closed in 2026, the six-year clock runs from 2026. Keep these documents. If OCR ever opens an investigation tied to your old practice, this is what they'll ask for.
Clinical records: governed by state law, not HIPAA
Here's the part that surprises people. HIPAA sets no federal minimum retention period for clinical records. It tells you to protect them, but it does not tell you how many years to keep a patient's chart.
That's governed by state law and, in some cases, by your professional licensing board. The rules vary widely, but common patterns look like:
- Adults: often 7 years from the date of last contact (some states say 5, some say 10)
- Minors: typically until the patient reaches the age of majority plus several years — for example, until age 21, or age of majority plus 7 years, depending on the state
- Medicare/insurance considerations: some payers impose their own retention expectations
Because this varies so much, do not guess. Check your specific state's statute and your licensing board's rules before you destroy anything. When state law and HIPAA disagree, you follow the stricter requirement — and for clinical records, the stricter requirement is almost always your state's.
A safe default for many solo therapists is to retain clinical records for the longest applicable state period, and to keep minor patients' records well past the age of majority.
Securely Destroying Records When Retention Ends
Once a record has passed its required retention period, you can destroy it — but "destroy" has a specific meaning under HIPAA. The Privacy Rule (45 CFR § 164.530(c)) and OCR's disposal guidance require that PHI be rendered unreadable, indecipherable, and unable to be reconstructed.
Deleting a file or tossing a folder in the recycling bin does not meet this standard.
Paper records
- Use cross-cut shredding (confetti-style), not strip shredding — strips can be reassembled
- Pulping or incineration are also acceptable for large volumes
- If you hire a shredding service, get a Certificate of Destruction and make sure that vendor has a Business Associate Agreement with you, since they handle PHI
Digital records
- Hitting "delete" or emptying the trash is not secure destruction — the data is recoverable
- Use certified data-wiping software that overwrites the drive, or physically destroy the storage media (degaussing or shredding the drive). Overwriting is reliable for traditional spinning disks but not for SSDs, phones, or USB flash drives, where the controller can keep copies in spare blocks that software never touches; for flash media, use the device's built-in secure-erase or encryption-based erase, or destroy the media outright
- For cloud-stored ePHI, request verifiable deletion from your vendor and document their confirmation
- Keep a destruction log noting what was destroyed, when, how, and by whom
OCR has repeatedly pursued cases involving improper disposal — paper PHI found in dumpsters, unwiped devices sold or discarded, and records left behind in vacated offices. The pattern is consistent: improper disposal is treated as a reportable breach. Document your destruction so you can prove it was done correctly.
Notifying Your Patients
When you close, your patients have a right to know — and to access their records before they become hard to reach. While HIPAA's notice requirements here intersect with state law and your professional ethics codes, the responsible and widely expected steps are:
- Give advance notice. Many boards expect 30 to 60 days' written notice to active and recent patients before closure.
- Explain how to request records. Tell patients how to obtain a copy of their chart, where it will be stored, and for how long.
- Provide referrals. Offer guidance on continuity of care, especially for clients in active treatment.
- Post a notice in your office and, where appropriate, in a local publication or on your website, so patients you've lost touch with can still find you.
Remember that the patient right of access under 45 CFR § 164.524 survives your closure. If a former patient asks for their records two years after you've shut down, you still have to provide them (within the usual 30-day window) as long as you hold the records.
Transferring Records to a Custodian
If you don't want to personally store records for years after closing — and most people don't — you can transfer them to a custodian of records. This is a person or entity that lawfully takes over storage and handles future access requests on your behalf.
A custodian might be:
- Another licensed therapist or group practice
- A professional record-storage company
- A successor who is purchasing or absorbing your practice
A few things to get right:
- Sign a written agreement spelling out who is responsible for safeguarding the records, responding to access requests, and eventually destroying them.
- If the custodian is a vendor (a storage company rather than another clinician treating the patients), you'll typically need a Business Associate Agreement with them, because they're handling PHI on your behalf.
- Tell your patients who the custodian is and how to reach them. This is part of your closure notice.
Transferring records doesn't erase your history with them, but it does put day-to-day responsibility in capable hands and gives your patients a real place to turn.
What Happens to Your Vendor BAAs
You almost certainly have Business Associate Agreements with vendors — your EHR, your email provider, your telehealth platform, your billing service. When you close, these don't just evaporate.
Work through them deliberately:
- Export your data first. Before you cancel any EHR or platform subscription, export complete copies of the records you're legally required to retain. Vendors often delete your data shortly after cancellation.
- Confirm the vendor's deletion obligations. A well-written BAA requires the business associate to return or destroy PHI at termination. Get written confirmation that they've done so.
- Don't cancel blindly. If you stop paying for your EHR before exporting, you can lose access to records you're still required to keep — a compliance failure of your own making.
- Keep copies of the terminated BAAs with your six-year HIPAA documentation.
How Long Your Obligations Persist
Putting it all together, here's the timeline you're actually managing after closure:
- Clinical records: keep for the full period your state and licensing board require (commonly 7+ years for adults, longer for minors).
- HIPAA compliance documentation: keep for 6 years under § 164.316(b)(2).
- Patient right of access: honor it for as long as you hold the records.
- Breach notification duties: apply for as long as you hold ePHI.
- Secure destruction: required at the end of each retention period, with documentation.
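As an added illustration of the retention arithmetic in this guide (the six-year documentation clock with its "whichever is later" rule, and the adult and minor clinical-record patterns), here is a small Python script that is not part of the original post; it assumes placeholder retention periods rather than any particular state's statute, computes the earliest permissible destruction date, and refuses to write a destruction-log entry dated before that.

```python
from datetime import date
from typing import Optional

# Assumed retention parameters for illustration only; substitute the periods
# your own state statute and licensing board actually require.
HIPAA_DOC_YEARS = 6                 # 45 CFR 164.316(b)(2)
ADULT_YEARS_AFTER_LAST_CONTACT = 7  # "often 7 years" pattern from the guide
AGE_OF_MAJORITY = 18
MINOR_YEARS_AFTER_MAJORITY = 7      # "age of majority plus 7" pattern

def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 start rolls to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def hipaa_doc_retain_until(created: date, last_in_effect: date) -> date:
    """Six years from creation or last-in-effect date, whichever is later."""
    return add_years(max(created, last_in_effect), HIPAA_DOC_YEARS)

def clinical_retain_until(last_contact: date, birth_date: Optional[date]) -> date:
    """Earliest date a chart may be destroyed under the assumed rules.
    The adult period always applies; a patient who was still a minor at last
    contact is also held until majority plus the extra years; the later date wins."""
    adult_deadline = add_years(last_contact, ADULT_YEARS_AFTER_LAST_CONTACT)
    if birth_date is None:
        return adult_deadline
    majority = add_years(birth_date, AGE_OF_MAJORITY)
    if last_contact < majority:
        return max(adult_deadline, add_years(majority, MINOR_YEARS_AFTER_MAJORITY))
    return adult_deadline

def destruction_log_entry(record_id: str, retain_until: date, destroyed_on: date,
                          method: str, performed_by: str) -> dict:
    """Build the log line the guide calls for (what, when, how, by whom) and
    refuse to record a destruction dated before the retention period ended."""
    if destroyed_on < retain_until:
        raise ValueError(f"{record_id}: retention runs until {retain_until.isoformat()}, "
                         f"cannot destroy on {destroyed_on.isoformat()}")
    return {"record": record_id, "retain_until": retain_until.isoformat(),
            "destroyed_on": destroyed_on.isoformat(), "method": method,
            "performed_by": performed_by}

if __name__ == "__main__":
    # Constructed sample: policy written in 2021, in effect until closure in 2026.
    print(hipaa_doc_retain_until(date(2021, 3, 1), date(2026, 5, 15)))
    print(clinical_retain_until(date(2026, 5, 15), date(2012, 9, 10)))
```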
Only when every record has been properly destroyed or lawfully transferred to a custodian — and your six-year documentation window has elapsed — are you truly free of HIPAA obligations from the practice.
Closing a practice is an emotional milestone. Don't let the paperwork undermine a career of careful, ethical work. A clean closure protects your former patients and protects you from a complaint or audit landing years after you thought you were done.
Take the next step
Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.