
Ekim IT Solutions


How Long Do Dental Practices Need to Keep Patient Records

Dental patient records retention requirements under HIPAA and state law

Record retention is one of the most commonly misunderstood HIPAA requirements in dentistry. Most practices know they need to keep records but are unclear on how long, which records apply, and what happens when records are eventually destroyed.

Here is a plain-language breakdown of what your practice is actually required to do.

Two Separate Requirements Apply to Your Practice

HIPAA requirement: 6 years. Security documentation, policies, risk assessments, and training records, counted from the date created or the date last in effect.

State dental board: 7 to 10 years. Patient clinical records including X-rays, treatment notes, and charts; the period varies by state and is longer for minors.

Running both systems without a documented policy is a compliance gap most auditors catch immediately. Your practice needs a written retention and destruction policy that covers both sets of requirements.

HIPAA Record Retention vs. State Dental Board Requirements

These are two separate requirements and both apply to your practice.

HIPAA: Federal

Security documentation: 6 years

HIPAA does not set a retention period for patient clinical records. It governs electronic protected health information and requires that security policies, risk assessments, training records, and audit logs be retained for six years from creation or last effective date.

State Dental Board: Varies

Clinical records: 7 to 10 years typical

Patient clinical records including X-rays, treatment notes, and charts are governed by your state dental board. Requirements vary by state but commonly range from seven to ten years. Records for minors typically must be kept until the patient turns eighteen plus an additional period set by state law.
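The two rules above can be written down as a small retention policy. The following is an added example, not Ekim IT Solutions' code; the six-year HIPAA rule comes from this article, while the state clinical period and the extra period for minors are constructed placeholders that must be replaced with your own state dental board's figures.

```python
from datetime import date
from typing import Optional

# Retention rules. The six-year HIPAA figure is from the article; the state
# values are CONSTRUCTED placeholders, not any particular state's rule.
HIPAA_DOC_YEARS = 6
STATE_CLINICAL_YEARS = 7        # placeholder: confirm with your state board
STATE_MINOR_EXTRA_YEARS = 7     # placeholder: years to keep past age 18
AGE_OF_MAJORITY = 18


def add_years(d: date, years: int) -> date:
    """Move a date forward by whole years (Feb 29 rolls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def hipaa_doc_retain_until(created: date, last_in_effect: Optional[date] = None) -> date:
    """Security documentation (policies, risk assessments, training records,
    audit logs): six years from creation or from the date it was last in
    effect, whichever is later."""
    anchor = max(created, last_in_effect) if last_in_effect else created
    return add_years(anchor, HIPAA_DOC_YEARS)


def clinical_retain_until(last_visit: date, patient_dob: date) -> date:
    """Clinical record: the state period from the last treatment date. If the
    patient was a minor at that visit, keep at least until age 18 plus the
    state's additional period, whichever date is later."""
    standard = add_years(last_visit, STATE_CLINICAL_YEARS)
    was_minor = add_years(patient_dob, AGE_OF_MAJORITY) > last_visit
    if was_minor:
        minor_rule = add_years(patient_dob, AGE_OF_MAJORITY + STATE_MINOR_EXTRA_YEARS)
        return max(standard, minor_rule)
    return standard


def destruction_allowed(retain_until: date, today: date) -> bool:
    """A record may be destroyed only once its retention date has passed."""
    return today > retain_until
```

The written policy the article calls for is then the pair of functions plus the state figures you substitute; the destruction log should record which rule produced each date.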


What Records Must Be Retained Under HIPAA

HIPAA requires dental practices to retain four categories of documentation for six years: security policies, risk assessments, training records, and audit logs. Confirm which of these your practice is currently documenting and storing.

Your IT Provider’s Role

Your IT provider should be generating and storing documentation of technical safeguards on your behalf. Encryption configurations, access logs, and backup verification records all fall under HIPAA documentation requirements. Ask your IT provider which of these they produce and where they are stored.

How many of the four categories your practice retains determines its position in an audit.

If all four HIPAA documentation categories are confirmed: your practice is retaining the required HIPAA documentation. Confirm that retention extends to six years and that older records are not being destroyed before the retention period expires. Also verify your state dental board retention requirements for clinical records separately.

If documentation gaps are present: the missing items are what OCR requests first in any investigation. A practice that cannot produce Security Risk Assessments, written policies, or training records from the past six years has no defense when those gaps are found. These items must be created, documented, and retained going forward.

If your practice is missing most required HIPAA documentation: without these records, any OCR investigation results in findings of non-compliance. The documentation requirements cannot be backdated, but starting now limits future exposure. Ekim IT Solutions handles the technical documentation side for dental practices.


How Records Should Be Stored

Patient records must be stored in a HIPAA-compliant environment. That means encrypted storage, controlled access, and a documented backup and recovery plan.

Encrypted at rest and in transit

Electronic records must be encrypted both when stored and when transmitted. This applies to records on the server, workstations, and any cloud backup.

Access limited to documented need

Access to records must be limited to staff with a documented need. Role-based access controls and access logs must be maintained and reviewable.

Backup copies stored separately

Backup copies must be stored separately from primary systems. An offsite or cloud backup that is not connected to the main network protects records from ransomware and hardware failure.

Destruction documented and secure

Destruction of records must be documented and done securely. Paper records should be shredded by a certified service, and electronic records permanently deleted using methods that prevent recovery.

What Happens if Records Are Not Retained

Missing documentation is one of the most common findings in HIPAA audits. A practice that cannot produce a Security Risk Assessment from three years ago, or staff training records from last year, has nothing to show an auditor.

Incomplete records do not just create a compliance gap. They remove your defense.

OCR looks for documented effort. Practices with no documentation face the highest penalties because they cannot demonstrate any attempt at compliance. The fine tiers escalate significantly based on whether OCR determines the violation resulted from willful neglect of HIPAA requirements. Missing documentation is the primary evidence of willful neglect.

Frequently Asked Questions

How long must X-rays be kept?
HIPAA sets a six-year retention rule for security documentation, not clinical records. X-ray retention is governed by your state dental board, which may require seven to ten years depending on the state.

How should records be destroyed?
Paper records should be shredded using a cross-cut shredder or through a certified document destruction service. Electronic records must be permanently deleted using methods that prevent recovery. Both destruction events should be documented.

Does HIPAA apply to paper records?
Yes. HIPAA requirements apply equally to electronic and paper records. Electronic records must meet additional technical requirements including encryption and access controls that paper records do not.

What does OCR ask for in an investigation?
OCR typically requests Security Risk Assessments, written HIPAA policies, staff training records, Business Associate Agreements, and documentation of your technical safeguards. Practices that cannot produce these within a short timeframe receive unfavorable findings.

Know how long to keep the records. Make sure the systems storing them are just as compliant.

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We make sure your patient records are stored, backed up, and secured in a way that meets HIPAA retention and technical safeguard requirements from day one through year ten and beyond.

Retention rules tell you how long to keep records. Your IT setup determines whether they survive that long.