Medical and Dental Record Issues: Frequently Asked Questions

Richard Cahill, JD, Vice President and Associate General Counsel, The Doctors Company

Medical and dental records are essential to the delivery of care and play a crucial role in all clinical operations. The following information provides answers to questions that we frequently receive from members.

You must follow federal and state-specific guidelines or laws. If no federal or state statutory requirements apply, The Doctors Company recommends the following:

  • Adult patients, 10 years from the date the patient was last seen.
  • Minor patients, 28 years from the patient’s birth.
  • Deceased patients, five years from the date of death.

Medical records: State medical boards or associations may also be able to provide policies or recommendations on how long to keep records. For example, the Colorado Medical Board Policy 40-07 recommends retaining medical records for a minimum of seven years after the last date of treatment for an adult and for seven years after a minor has reached the age of majority, or age 25. In California, the California Medical Association recommends that medical records be retained indefinitely or for at least 25 years after the patient’s last visit.

Dental records: Your attorney or state dental board or association may provide specific information regarding state statutes or administrative code provisions governing dental record retention. The length of retention may also vary by contracted dental plans.

For a more detailed discussion of record retention, see The Doctors Company article, “Medical and Dental Record Retention.”

Yes. Regardless of the format, any and all data collected at the time of a patient encounter is part of the medical or dental legal document. Retain computerized and physical 3D models used for surgical and dental treatment planning according to the same retention schedule.

Financial information is part of the designated record set, which HIPAA (45 CFR § 164.501) defines to include medical and billing records. Financial information should be kept separate from patient care entries, however, and it is not part of the legal health record (a subset of the designated record set). Follow a consistent policy on what is released as part of the legal health record for all patients who request a copy of their medical or dental record.

It is recommended that you check with your business attorney or state medical or dental board for details regarding retention laws on billing and insurance records—especially as the laws may relate to Medicare or Medicaid patients. For example, the Centers for Medicare and Medicaid Services require Medicare managed care providers to retain records for 10 years, and the Internal Revenue Service requires billing records to be retained for seven years.

The Doctors Company recommends the following:

  • Document in the medical or dental record all patient telephone calls and messages or text messages that pertain to care, and keep the documentation according to the above-referenced record retention guidelines.
  • Keep patient scheduling records for one year.

Review, extract, and copy any information that might be needed from that record for patient diagnosis or treatment. The retained information or documentation then becomes part of the patient’s permanent office record. Be aware that keeping all of the patient’s records could make the medical or dental professional liable for information related to other specialties. If the information is not used for patient care, destroy it or return it to the source.

Any destruction method must maintain the confidentiality of the information. Incineration and shredding are the only safe methods for destroying paper records. A destruction method for electronic media must render the information unreadable. Simply deleting the record is not sufficient. Use a reputable company for destruction of paper and electronic information, models/casts, and equipment, such as computers and copiers. Keep a log of the records destroyed.

Inactive records that have been kept for the required time period may be thinned from the active patient cases. Take the following factors into consideration when arranging long-term storage:

  • Privacy. Will the records be protected from unauthorized persons in a manner that is consistent with federal and state privacy laws?
  • Safety. Will the records be protected from fire or flood damage and from unauthorized access or theft?
  • Accessibility. Will the records be easy to retrieve and copy?

Yes. The factors in the previous question on privacy, safety, and accessibility can also guide you on transferring records to an electronic format. Any protected health information (PHI) transferred or stored electronically must be encrypted. Back up computer data at regular intervals and store it offsite.

Yes, best practice is to perform a backup every evening to the cloud or to a separate server stored in another physical location. Establish a schedule and periodically assess the backup function. All PHI stored electronically must be encrypted. If you use an application service provider—where your data is stored by the EHR vendor and you access it online—confirm that your contract includes terms that ensure your data will be available to you when you are ready to make arrangements for long-term storage.

Yes. Copies of other healthcare providers’ medical or dental records that are not directly related to your care, such as hospital records, can be purged because the originals will be maintained by the hospital. Keep records from other providers that are directly related to your care and are maintained as a regular part of your record for the same period of time that you retain your own records.

Yes. We suggest that you include the recommended retention time and access capability as part of your sales agreement. For more information, see The Doctors Company guide, Closing or Relocating a Healthcare Practice.

Yes, with the same conditions for retention and accessibility that prevail in a sale. It is reasonable to alert the patients in your active/current caseload about your move to give them an opportunity to request a copy of their records.

No. The original is the property of the medical or dental professional. That individual has a duty to maintain the record. The patient should be given a copy, never the original.

The only time an active, original paper medical or dental record should be out of an office is when it is required to be present in a court of law. Any access to electronic records while away from the office must be through an encrypted, HIPAA-compliant format.

You must first verify through your own records or from a death certificate that the patient has expired. Then, ensure that the individual requesting the record is a qualified representative of the decedent’s estate (for example, the executor). The individual should provide a copy of an official document from the state as proof, and the record request should be in writing and signed by the individual acting as the estate’s qualified representative.

For additional assistance, contact the Department of Patient Safety and Risk Management at (800) 421-2368.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J12972 07/21