In these cases, secure PHI retention is absolutely necessary. The Centers for Medicare & Medicaid Services (CMS) requires that hospitals keep their records for five years at a minimum, with a six year PHI retention requirement for critical access hospitals.