HIPAA Compliance During Medical Practice Closure

Brad Palubicki | 7 min read | February 10, 2026

HIPAA doesn't stop applying when you close your doors. In fact, practice closure is one of the highest-risk periods for HIPAA violations because systems are being decommissioned, staff are leaving, and records are being transferred or stored — all creating opportunities for breaches.

Your HIPAA Obligations After Closure

Even after your practice closes, you remain responsible for:

  1. Records retention — for the state-mandated period (typically 7-10 years for adults, age of majority + additional years for minors)
  2. Patient access — to their records during the retention period
  3. Secure storage — of both paper and electronic records
  4. Business associate agreements — with any entity storing records on your behalf

Records Custodian Requirements

You must designate a records custodian before closing. Options include:

  • Successor practice: Ideal if a colleague is taking over your patient panel
  • Records storage company: HIPAA-compliant storage services that handle patient requests
  • Hospital or health system: Some will accept custody of closed practice records
  • Personal custody: You can serve as your own custodian, but this creates ongoing obligations

The custodian must be able to:

  • Respond to patient records requests within 30 days (HIPAA requirement)
  • Maintain security of records (physical and electronic)
  • Properly destroy records after the retention period expires
  • Execute proper authorization before releasing records to third parties

Common HIPAA Pitfalls During Closure

1. EHR System Decommission: Don't just cancel your EHR subscription. Export all records in a portable format first. Ensure the EHR vendor's data destruction certificate covers your BAA requirements.

2. Paper Records Disposal: Never put patient records in regular trash or recycling. Use HIPAA-compliant shredding services and get a certificate of destruction for records past the retention period.

3. Staff Departures: When staff leave during wind-down, immediately revoke system access. Former employees with active credentials are a significant breach risk.

4. Device Disposal: All devices that have accessed PHI (computers, tablets, phones, fax machines) must be properly sanitized before disposal. A factory reset is NOT sufficient.

5. Forwarding Contact Information: You must provide patients with the records custodian's contact information. Include it in your closure notification letter and post it at the practice location.

The Cost of Getting It Wrong

HIPAA violations during practice closure can result in:

  • Fines of $100 to $50,000 per violation (up to $1.5M per year)
  • State attorney general enforcement actions
  • Malpractice claims based on records access failures
  • Personal liability that follows you regardless of entity dissolution

Getting It Right

ClosureRx builds HIPAA compliance into every phase of our closure process. Our team tracks all records management requirements for your specific state and generates the documentation you need to prove compliance.
