Dental practices are required to follow specific regulations when destroying paper dental records. This is because patient charts are confidential records and may include highly sensitive information. You as the dentist have an obligation to protect the patient’s privacy and personal health and financial information. State and federal law may require secure destruction of sensitive personally identifiable records, and may even mandate specific destruction techniques.
Before you can decide to destroy records, it’s important for you to know your state’s requirements regarding patient record retention. It’s a good rule of thumb to consider those requirements a minimum and consider retaining all records for 10 years after the last visit by an adult patient. The most common practice for patient records of minor patients is to maintain records for at least five years after the minor reaches the age of majority which, while it varies by state, is often considered to be the age of 18.
Once you have reviewed your state requirements and determined it’s an appropriate time to destroy certain dental records, it’s also recommended that you check with your qualified legal counsel. It’s also a good idea to consult your professional liability carrier as well, since it’s possible that they may have recommendations for this activity.
Sound risk management practices include documenting the process used to destroy patient records. Those steps might include:
- Records of any calls or requests for information seeking advice on proper record destruction
- Steps taken to protect patient privacy and confidentiality throughout the process
- Whether, and how, you determined whether a records disposal contractor sub-contracted work and, if so, how you confirmed that the subcontractors complied with applicable privacy and security laws
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that paper, film or other hard copy records be shredded or destroyed such that the protected health information (PHI) cannot be read or reconstructed.
Be careful about the method(s) used to destroy records. In addition to complying with applicable state and federal law, you must follow the U.S. Department of Health and Human Services guidance on destruction techniques that are deemed to “secure” hard copy and electronic records for purposes of the HIPAA Breach Notification Rule. If protected health information is properly secured, notification is not required if the information is acquired or accessed by an unauthorized individual.
Under HIPAA, electronic media is secured if it has been “cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the media cannot be retrieved.”
Resources
- ADA Guidelines for Practice Success™ (GPS™) module on Managing the Regulatory Environment’s ADA Tip Sheet on the HIPAA Breach Notification Rule [PDF]
- NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization
- ADA Guidelines for Practice Success™ (GPS™) module on Managing Professional Risks’ ADA Do’s and Don’ts for Destroying Inactive Paper Records [PDF]