How Long to Keep Dental Records and How to Destroy Them (2026)
By Dolev Arama · Updated June 2026
HIPAA does not tell you how long to keep dental records. Your state does, and the answer usually runs five to ten years, longer for children. What HIPAA does tell you is how to destroy those records once the clock runs out, and getting that part wrong is its own violation. One dermatology practice put labeled specimen containers in a parking-lot dumpster for years and paid the government $300,640. A Kokomo dentist paid a company to shred 63 boxes of old charts; the boxes turned up in a church dumpster instead, and he was the one the state fined. Here is what the rules actually require, where the traps are, and how to clear out old records without creating a breach.
This article explains how long a dental practice has to keep records and how to destroy them. It is general information, not legal advice for your specific situation. For that, consult a healthcare attorney or a qualified HIPAA compliance professional.
How long do you actually have to keep dental records?
HIPAA does not set a retention period for patient records at all. The Privacy Rule requires you to keep your HIPAA compliance documentation, your policies, your risk analysis, your training logs, for at least six years, and the Security Rule says the same for its paperwork in 45 CFR 164.316(b). But that six-year rule is about the file that proves you follow HIPAA, not about the patient chart. For the chart itself, HHS is explicit: the Privacy Rule includes no medical-record retention period, and state law decides how long you keep it.
So the real question is your state's rule, and that is where the published guides get unreliable. We checked one widely shared state-by-state table that lists Texas at ten years; the actual Texas Dental Board rule, 22 TAC 108.8, says five. Numbers like these change, they vary by record type, and the online tables disagree with each other, so treat any chart you see, including this one, as a starting point and confirm your own state with your dental board or your attorney.
| What | How long to keep it | Where the rule comes from |
|---|---|---|
| HIPAA compliance paperwork (policies, risk analysis, training logs) | At least 6 years | Federal: 45 CFR 164.530(j) and 164.316(b) |
| Patient clinical records, Texas | At least 5 years; a minor's record until age 21 or 5 years, whichever is longer | State: Texas Dental Board rule, 22 TAC 108.8 |
| Patient clinical records, New York | At least 6 years; a minor's record at least 6 years and until 1 year past age 21 | State: NY Board of Regents rule, 8 NYCRR 29.2 |
A few things stretch this out in practice. Minors are the big one: many states keep a child's record running until they turn 18 or 21, so a chart you opened for a seven-year-old may need to live for well over a decade. Malpractice carriers commonly recommend ten years for adults regardless of the state minimum, because that is the window a lawsuit can surface in. And if you bill Medicare or Medicaid, separate federal program rules can require you to keep certain cost and claims records longer still. The practical rule most advisors land on: default to ten years for adults, treat minor records as a separate long tail, and never let a short state minimum talk you into destroying something a lawsuit or an audit might still need.
What HIPAA requires when you destroy records
Once a record is past every retention clock, HIPAA does not dictate which method you use to destroy it. It sets the outcome you have to reach. The standard, from HHS's own disposal guidance, is that the protected health information has to be rendered unreadable, indecipherable, and impossible to reconstruct before it leaves your control. How you get there is up to you, within reason.
For paper and film, HHS lists shredding, burning, pulping, and pulverizing as acceptable. For electronic records, the Security Rule requires you to address the final disposition of the data and the device, and HHS points to clearing, purging, or physically destroying the media, following the federal standard for media sanitization, NIST Special Publication 800-88. The one thing HHS rules out by name is the easy thing: you may not drop PHI, in any form, into a dumpster, recycling bin, or trash can that the public or anyone unauthorized can reach. A locked, access-controlled container is fine; the open bin behind the building is the exact move that produced the settlements in this article.
| Record type | Accepted destruction | What does not count |
|---|---|---|
| Paper charts | Cross-cut shredding, burning, pulping, or pulverizing | Tossing intact in the trash or recycling; a single-strip shredder |
| X-ray film | Shredding, pulverizing, or incineration by a service that handles film | An office paper shredder; the regular trash (also an environmental issue, below) |
| Computers, drives, backups | Purge (cryptographic erase or degauss) or physically destroy the drive | Deleting files or reformatting; recycling the computer as it is |
| Phones, tablets, USB drives | Full encrypted factory wipe, or physical destruction | Handing the device down with the data still on it |
The parts dentists get wrong
Three things trip up dental offices specifically. The first is X-ray film. Old film is still a patient record, so it has to be destroyed in a way that leaves the image and any label unreadable, and a standard office shredder will not do it. There is a second, separate reason to hand film to a specialist: traditional film carries silver, a regulated metal, and very old film can be flammable. Washington State's health department, for example, says plainly that you cannot just throw old X-rays in the trash, both because they are private records under HIPAA and because of the silver. That is two different rule books, HIPAA and environmental law, pointing at the same answer: use a service that destroys the film and recovers the silver, and get a certificate of destruction.
The second is the computer nobody thinks about. When you replace a front-desk PC, a server, or an imaging workstation, the patient data does not leave when you delete the files. A deleted or reformatted drive can usually be recovered with free tools, which is why HHS treats wiping and purging as different things. The retired computer, the old server, the backup drive in the closet, even a staff member's phone that synced the office email, all hold patient data until that data is purged or the drive is physically destroyed. Donating or recycling the machine as it is hands the next owner everything on it.
The third is the one that bites hardest, because it feels like you did the right thing. You can hire a company to destroy your records and still be the one who pays when they fail. That is what happened to a Kokomo, Indiana dentist. He paid an outside company to retrieve and destroy roughly 63 boxes of old Comfort Dental charts. The boxes ended up in a church recycling dumpster instead, an investigative news crew found them, and in 2015 the dentist agreed to a $12,000 consent judgment with the Indiana Attorney General, the state's first HIPAA enforcement action. The vendor did the dumping; the dentist carried the liability. The lesson is the one HIPAA draws everywhere else: a company that handles patient data on your behalf is a business associate, you need a signed business associate agreement with them, and that contract plus a certificate of destruction is how you show the records were handled properly.
There is a sharper reason to get this right: putting PHI where it should not go is a reportable breach, not just a bad look. It triggers the same breach-notification duties as a ransomware attack, and it is something OCR has actually penalized. In 2022, a dermatology practice in Massachusetts, New England Dermatology, settled with OCR for $300,640 after spending years, from 2011 to 2021, discarding empty specimen containers whose labels carried patient names, dates of birth, and other details into a dumpster in its parking lot. The practice reported the breach to HHS as affecting 58,106 patients. A security guard found one of the containers; OCR cited the failure to safeguard the information and the impermissible disclosure. The acting OCR director put the principle in one line: "Improper disposal of protected health information creates an unnecessary risk to patient privacy."

If reading this made you wonder whether your own disposal is actually covered, that instinct is worth following. The two gaps that show up most often are a missing agreement with whoever shreds your records and a fuzzy sense of what happens to old drives, and both are on the list the free HIPAA Scorecard checks. It walks through your vendor agreements, your safeguards, and eight other core controls, then names your biggest gap in about three minutes. It is a starting point, not a full audit, but it tells you where you actually stand.
Closing or selling your practice
Retirement and practice sales are where disposal questions get expensive, because two natural instincts are both wrong. The first is that closing the practice ends your obligations. It does not. Your duty to keep and produce records, and your state's retention clock, do not reset when you sell or retire, and they do not transfer cleanly just because the new owner took the keys. The selling dentist stays the legal custodian until the records are properly transferred.
The second runs the other way, and you will see it stated confidently online: that HIPAA forbids handing patient records to the buyer without each patient's written authorization. For the ordinary case, that is not what the rule says. HIPAA treats the sale, transfer, or merger of a practice with another covered entity as "health care operations," a category a covered entity is permitted to disclose PHI for without separate patient authorization. If you sell your practice to another dentist or a group that is itself bound by HIPAA, you can generally transfer the records as part of the deal. Where that breaks is the edge cases, and they matter. If the buyer is not, and will not become, a covered entity, you do need authorization. And selling the records themselves for their own value, rather than transferring them as part of selling the practice, is a separate, restricted "sale of PHI" that also requires authorization. Structure the deal as the sale of a practice, not the sale of a patient list.
Then there is state law, which usually adds a layer HIPAA does not. Many state dental boards expect you to notify patients of the change and give them a chance to request their records or move to another provider, often 30 to 60 days ahead. Texas, for instance, requires a departing dentist under 22 TAC 108.8 to either keep the records, formally transfer them to the successor, or sign a records-maintenance agreement, and to tell the dental board within fifteen days. The clean structure that satisfies both HIPAA and most state rules is a written records-custody agreement plus a business associate agreement with whoever ends up holding the charts, patient notification before the close, and a clear record of what was transferred and what was kept. This is a transaction worth running past a lawyer; the cost of getting it wrong lands on both the buyer and the seller.
A clean disposal process
When a batch of records is genuinely ready to go, the process is short, and worth doing the same way every time so you can prove it later.
- Check your state's minimum, the minor's age if it is a child's chart, your malpractice carrier's recommendation, and any Medicare or Medicaid rule. When in doubt, keep it longer.
- If there is an open or threatened claim, a board complaint, an audit, or an investigation touching that record, stop. Destroying it now is its own violation. Hold until the matter closes.
- Shred, burn, or pulverize paper and film so it cannot be read. Purge or physically destroy drives, computers, and backups. A standard office shredder does not handle film or hard drives.
- If a service does the destruction, sign a business associate agreement first. For X-ray film, use one that also handles the silver and the environmental side.
- The certificate should list the date, what was destroyed, the method, and who did it. This is your proof that the records were disposed of properly.
- Record what you destroyed and when, and keep that log. If a patient or a regulator later asks about a record you no longer have, the log shows it was retained for the required period and then destroyed correctly.
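An added example, not code from the original article or from Hipsana, that turns the checklist above into a retention-clock and disposal-eligibility check with the log entry the last step asks for. It encodes only the two state rules in the article's table (Texas 22 TAC 108.8 and New York 8 NYCRR 29.2); the `STATE_RULES` shape, the `Chart` record, and the assumption that a minor means a patient under 18 at the last visit are mine, and any other state would need its own entry confirmed with that state's board.

```python
from dataclasses import dataclass
from datetime import date

# Constructed from the article's table only (Texas 22 TAC 108.8, New York
# 8 NYCRR 29.2). years: minimum after last treatment; minor_until_age: age
# a minor's chart must reach; minor_extra_years: years past that age (NY adds one).
STATE_RULES = {
    "TX": {"years": 5, "minor_until_age": 21, "minor_extra_years": 0},
    "NY": {"years": 6, "minor_until_age": 21, "minor_extra_years": 1},
}
AGE_OF_MAJORITY = 18  # assumption: "minor" means under 18 at the last visit

def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class Chart:
    state: str
    patient_dob: date
    last_treatment: date
    legal_hold: bool = False  # open claim, board complaint, audit or investigation

def earliest_destruction(chart: Chart) -> date:
    """Earliest date the state minimum allows this chart to be destroyed."""
    rule = STATE_RULES[chart.state]
    by_treatment = add_years(chart.last_treatment, rule["years"])
    was_minor = chart.last_treatment < add_years(chart.patient_dob, AGE_OF_MAJORITY)
    if not was_minor:
        return by_treatment
    by_age = add_years(chart.patient_dob,
                       rule["minor_until_age"] + rule["minor_extra_years"])
    return max(by_treatment, by_age)  # "whichever is longer"

def may_destroy(chart: Chart, today: date) -> tuple[bool, str]:
    """The two stop conditions in the checklist: a hold, or a clock still running."""
    if chart.legal_hold:
        return False, "legal hold: destroying now is its own violation"
    due = earliest_destruction(chart)
    if today < due:
        return False, f"retain until {due.isoformat()}"
    return True, f"state minimum satisfied on {due.isoformat()}"

def destruction_log_entry(chart: Chart, today: date, method: str, vendor: str) -> dict:
    """The log line to keep: date, what, method, who, and why it was eligible."""
    ok, basis = may_destroy(chart, today)
    if not ok:
        raise ValueError(f"refusing to record destruction: {basis}")
    return {"destroyed_on": today.isoformat(), "state": chart.state,
            "last_treatment": chart.last_treatment.isoformat(),
            "method": method, "destroyed_by": vendor, "basis": basis}
```

Carrier recommendations and Medicare or Medicaid rules are not modelled; treat the result as the state floor, not the date to shred.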
You do not need a consultant to start. The free HIPAA Scorecard checks the two things this article keeps circling back to, your agreements with the vendors who handle patient data and the state of your safeguards, along with eight other core controls, and names your biggest gap in about three minutes. It is a quick read on where you stand, not a full audit, and it is a sensible first step before you clear out a storage room or hand a buyer the keys.
This is general information about HIPAA and state recordkeeping rules, not legal advice, and retention periods and disposal rules vary by state and change over time. Before you destroy records or transfer them in a sale, confirm your current state requirements and, for anything beyond routine, check with a healthcare attorney or a qualified HIPAA compliance professional.
About the author
Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. Regulatory claims trace back to those sources, and figures name where they come from; anything that can't be verified is labeled rather than asserted. More about Hipsana →
Sources
- U.S. Department of Health and Human Services, Office for Civil Rights, "Frequently Asked Questions About the Disposal of Protected Health Information" (disposalfaqs.pdf, hhs.gov): the Privacy Rule sets no medical-record retention period (state law governs), and PHI may not be placed in trash or recycling that the public or unauthorized persons can access. Accessed June 2026.
- 45 CFR § 164.530(j) (Privacy Rule) and § 164.316(b) (Security Rule): a covered entity must retain required documentation for six years from creation or the date it was last in effect, whichever is later (eCFR, current as of June 2026). This applies to compliance documentation, not patient clinical records.
- 45 CFR § 164.310(d)(2) (final disposition and reuse of electronic media) (eCFR, current as of June 2026).
- NIST Special Publication 800-88, Revision 2, Guidelines for Media Sanitization (the current federal media-sanitization standard, finalized September 2025, superseding Revision 1) (csrc.nist.gov, accessed June 2026).
- 45 CFR § 164.501 (definition of "health care operations," including the sale, transfer, merger, or consolidation of a covered entity with another covered entity), § 164.506(c) (permitted uses and disclosures for treatment, payment, and health care operations), and § 164.508(a)(4) (authorization required for a sale of PHI) (eCFR, current as of June 2026).
- HHS Office for Civil Rights, Breach Notification Rule (hhs.gov), with the definition of breach at 45 CFR § 164.402 and the notification requirements at 45 CFR §§ 164.400 through 164.414: an impermissible disclosure of unsecured protected health information is presumed to be a reportable breach, and properly destroyed records are not treated as unsecured (hhs.gov and eCFR, current as of June 2026).
- HHS Office for Civil Rights, "OCR Settles Case Concerning Improper Disposal of Protected Health Information" (New England Dermatology, P.C.) (hhs.gov, Aug. 23, 2022), with the resolution agreement and corrective action plan: a $300,640 settlement and two-year corrective action plan over specimen containers discarded in a parking-lot dumpster from 2011 to 2021; OCR cited 45 CFR § 164.530(c) and § 164.502(a). The 58,106 figure is from the breach NEDLC reported to HHS, not from the resolution agreement.
- Indiana Attorney General and Marion County (Indiana) Superior Court, consent judgment with Joseph Beck (Comfort Dental), Jan. 5, 2015: a $12,000 penalty over roughly 63 boxes of patient records found in a recycling dumpster in 2013; Indiana's first HIPAA enforcement action (National Law Review and contemporaneous reporting, accessed June 2026). Beck's dental license had been revoked separately in 2011 for billing and negligence issues, before the 2013 disposal.
- 22 Tex. Admin. Code § 108.8 (Texas State Board of Dental Examiners): dental records kept at least five years from last treatment, and for a minor until age 21 or five years, whichever is longer; a departing dentist must retain, transfer, or arrange maintenance of records and notify the Board within fifteen days (Texas Administrative Code, accessed June 2026).
- New York State Education Department, Rules of the Board of Regents, 8 NYCRR § 29.2: patient records retained at least six years, and for a minor at least six years and until one year past age 21 (accessed June 2026).
- Washington State Department of Health, "Disposal of X-Ray Equipment, Film, Machines": old X-ray film may not be placed in the regular trash because it is both a protected health record under HIPAA and silver-bearing material regulated under environmental law (doh.wa.gov, accessed June 2026).
Frequently asked questions
Does HIPAA require shredding dental records?
HIPAA does not require shredding specifically. It requires that protected health information be rendered unreadable, indecipherable, and impossible to reconstruct before disposal. Shredding meets that standard for paper, and so do burning, pulping, and pulverizing. The one thing HHS rules out by name is putting records in trash or recycling that the public or anyone unauthorized can reach.
How long does HIPAA require keeping dental records?
HIPAA sets no retention period for patient clinical records; that is governed by state law, which commonly ranges from five to ten years and longer for minors. HIPAA's six-year retention rule applies to your compliance documentation, such as policies, your risk analysis, and training logs, not to the patient chart itself.
Can I throw old dental records in the dumpster?
Not in a dumpster, recycling bin, or trash can that the public or anyone unauthorized can reach. HHS prohibits that for protected health information in any form. You can use a locked, access-controlled container that only authorized people or a disposal vendor can open, or hold the records securely until a vendor destroys them.
Do I need a BAA with my shredding company?
Yes. A company that destroys records containing patient data is handling protected health information on your behalf, which makes it a business associate. You need a signed business associate agreement with the vendor, and you remain liable if it mishandles the records, so a certificate of destruction is worth keeping as proof.
Is deleting or wiping a hard drive enough to meet HIPAA?
Usually not. Deleted or reformatted files can often be recovered with free tools, so HHS treats wiping as different from secure destruction. To dispose of a computer, server, or backup drive that held patient data, purge it (for example, a cryptographic erase or degaussing) or physically destroy the drive, following the NIST 800-88 media-sanitization standard.
Can I give my records to the dentist buying my practice?
Usually yes, if the buyer is also a covered entity. HIPAA treats the sale or transfer of a practice to another covered entity as health care operations, which does not require each patient's authorization. If the buyer is not a covered entity, or you are selling the patient data itself rather than transferring it as part of the practice, you do need authorization. State law often adds patient-notification duties, so confirm your state's rule and consider counsel for the transaction.
How long do I keep dental X-rays and records for minors?
X-rays are part of the dental record and follow the same state retention rule as the rest of the chart. For minors, many states extend the clock to the patient's 18th or 21st birthday, sometimes plus additional years, so a child's record often has to be kept well over a decade. Confirm the exact period with your state dental board.