Healthcare storage and records-management vendors are increasingly finding themselves in a difficult position: provider customers stop paying, merge into other entities, dissolve entirely, or simply abandon their records.
At that point, the storage vendor is often left asking a deceptively simple question:
What can we legally do with the records?
The answer is rarely straightforward.
These situations sit at the intersection of HIPAA, state medical-record retention laws, contract law, patient-access requirements, and sometimes bankruptcy law. While many providers assume HIPAA controls the entire analysis, HIPAA is only one piece of the puzzle.
HIPAA Does Not Create a Universal Medical Record Retention Rule
One of the most common misconceptions in this area is that HIPAA establishes a universal retention period for medical records. It does not.
HIPAA generally requires retention of certain compliance-related documentation for six years, but patient medical-record retention obligations are primarily governed by state law and, in some cases, additional federal or industry-specific regulations.
That means retention requirements may vary based on:
- the state involved,
- the type of provider,
- the type of record,
- whether the patient is a minor,
- Medicare or Medicaid participation,
- behavioral-health regulations,
- or specialty-specific rules.
For vendors operating nationally, the compliance burden can become significant very quickly.
The Business Associate Agreement Matters — But It Is Not the Entire Analysis
In many of these situations, the first document to review is the business associate agreement (BAA), along with the underlying services agreement.
The BAA may define:
- permitted uses and disclosures,
- return or destruction obligations,
- custodianship responsibilities,
- transition procedures,
- and authority to transfer records.
However, even a well-drafted BAA may not fully resolve the issue when a provider closes, dissolves, files bankruptcy, or simply disappears.
In practice, regulators and courts are often more concerned with whether patients can still access their records and whether protected health information (PHI) remains secure.
What Storage Vendors Generally Cannot Do Safely
When invoices go unpaid, there can be a temptation to treat medical records like ordinary abandoned property. That approach creates substantial risk.
Generally speaking, vendors should be cautious about:
- destroying records early because bills are unpaid,
- refusing reasonable patient access,
- using or disclosing PHI outside the scope of the BAA or applicable law,
- assuming retention obligations disappear because the provider closed,
- or unilaterally abandoning records without documented procedures.
Even where the provider has breached its payment obligations, destruction or restriction of access can trigger regulatory scrutiny, litigation exposure, breach-of-contract claims, or allegations of improper disposal of PHI.
What Vendors May Be Able to Do
Depending on the governing agreements and applicable law, vendors may be able to:
- continue storing records while negotiating payment or transition arrangements,
- transfer records to authorized successor providers or custodians,
- charge contractually authorized storage or transition fees,
- implement abandonment procedures after defined notice periods,
- or destroy records after applicable retention periods expire and all legal requirements are satisfied.
The key point is that any destruction or transfer process should be deliberate, documented, and legally defensible.
The Operational Reality: Vendors Can Become the “Custodian of Last Resort”
A recurring issue in this space is that the storage vendor gradually becomes the only entity practically capable of providing access to the records.
At that point, the vendor may effectively become the “custodian of last resort,” even if the contract never intended that result.
That creates significant operational and legal risk, particularly where:
- the provider dissolved without a transition plan,
- ownership of the practice is disputed,
- bankruptcy proceedings are involved,
- or patients continue requesting records.
For that reason, these situations are often as much about operational planning as legal analysis.
Risk Allocation Going Forward
Healthcare vendors in this space should consider strengthening both their contracts and their internal procedures.
Key contractual provisions may include:
- abandonment procedures,
- transition obligations,
- authority to transfer records,
- destruction authorization language,
- prepaid reserve requirements,
- indemnification,
- insurance requirements,
- and detailed termination provisions.
Operationally, vendors should consider implementing formal protocols for:
- delinquency notices,
- escalation procedures,
- successor-provider outreach,
- litigation-hold checks,
- retention-law review,
- documented transfer decisions,
- and compliant destruction procedures.
Final Thoughts
These situations are rarely resolved by looking at HIPAA alone.
The analysis often depends on a combination of:
- the applicable state retention laws,
- the contractual language,
- the status of the provider,
- the vendor’s operational role,
- and whether patients can still reasonably access their records.
For healthcare vendors managing PHI, the goal is not simply compliance. It is avoiding the unintended role of uncompensated records custodian while maintaining defensible procedures that protect patient access and privacy.
As healthcare providers continue to merge, dissolve, and restructure, organizations are facing increasingly complex questions involving HIPAA, patient access, and medical-record retention obligations. Contact us for help assessing risk, strengthening contracts, and developing practical compliance strategies.

