From the Department of Health & Human Services:
Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?
No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, state laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).