Skip to content

What Dentists Need To Know About Disposing Dental Records and HIPAA Compliance

Apr 12, 2021

After only a few years of practicing, dentists can accumulate a lot of medical records. Once you’ve practiced for a decade or more, it’s easy for these records to take over your office. Keeping detailed information on your patients is essential to providing quality care, but sometimes those records are no longer necessary.

It’s difficult to know exactly how you can legally and ethically dispose of protected health information when you haven’t seen a patient for a few years or have already passed their records along to a new provider.

HIPAA rules provide detailed guidelines for how dental and medical providers should protect a patient’s personal information, but what happens when the time comes to dispose of their paper and or electronic records? Earlier this year, an Indiana-based healthcare group faced $800,000 in fines from the Department of Health and Human Services for dumping dozens of boxes of medical records on the doorstep of a retiring physician. Clearly, that is not the best strategy for maintaining your practice’s medical records; however, the guidelines that HIPAA provides can be confusing.

According to the Department of Health and Human Services (HHS), “… covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.” These records include everything from hard copy patient records to prescription bottles. HHS also requires that all employees must understand the rules and follow all of the procedures for disposal of records.

The first step in making sure your dental office is compliant is to create a written policy governing record disposal, as well as the other numerous HIPAA rule and regulations. HCA is very specific as to what types of disposal methods are allowed.

They include:

  1. Methods by which the paper records can in no way be restored and hence readable: shredding, burning, pulping, or pulverizing.
  2. Placing prescription bottles in nontransparent bags, locked away until a third party disposal company can retrieve them.
  3. Physically destroying and purging the hard drives of the electronic media.

Even if the records are unreadable and cannot be reconstructed, it is advisable to not dispose of them in trash or recycling receptacles accessible to the public.  If you’re concerned about ensuring no patient information is exposed in your disposal system, there are plenty of third-party companies trained in medical record disposal, offering a secure way for you to offload old records. Keep in mind, you are required to have a contract or agreement with the vendor ensuring the documents/hardware are being safeguarded in accordance with HIPAA. These companies should have the ability to transport the records in a secured vehicle and deliver them to an offsite location to be shredded or pulverized before being disposed. The American Dental Association also offers resources for dentists looking for guidance in this matter.

HIPAA does not stipulate requirements for how long medical records must be maintained; the number of years is governed by individual states. The Centers For Medicare and Medicaid Services requires that Medicare and Medicaid patient records be retained for at least five years for claims and billing purposes. If these files are stored digitally, computers and servers that hold the information must be thoroughly wiped before being reused for other purposes.

Whether you decide to perform your own records disposal or enlist the help of a professional, the responsibility for maintaining patients’ personal medical information falls on the shoulders of the providers. Establishing a secure disposal protocol in whatever form works best for your dental practice will help ensure that both your patients and your practice are protected from the accidental exposure of private health information, and the consequences that may ensue.

What's on Your Mind?

a man in a suit

Erick Cutler

Erick Cutler is a Partner in the Private Client Services Group, with nearly 25 years of public accounting experience including health care and the real estate industry.

Start a conversation with Erick

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.