A dentist undergoing a practice closure or sale needs to consider, among many concerns, how to ensure secure storage of patient records and continued access to those records for a limited time. Continued access to patient records also is a consideration for a dentist who uses an electronic health record system because of the possibility that the EHR vendor is acquired by another company or the dentist switches systems. These situations require a dentist who is a covered entity to comply with HIPAA requirements and the California Confidentiality of Medical Information Act. This resource discusses the role of HIPAA business associate agreements and other steps a dentist can take to ensure the patient information in their possession remains private and secure following these events.
Patient records should be retained for at least seven years after practice closure. A dentist should take these steps:
Notify active patients (those seen in the practice the past two years) of the impending practice closure and of the process for obtaining a copy of their records for their new dentist. Include a release-of-records form with the notice.
Have staff pull paper charts of patients who have not been seen in more than seven years. Check for records at off-site storage, if used. Separate radiographs from paper. Shred paper or use a document destruction service. For disposal of radiographs, contact an X-ray film recycler or the local household hazardous waste program that accepts waste from very small quantity generators. Radiographs contain silver and state law requires proper disposal or recycling. A HIPAA business associate agreement must be signed with the service providers.
Have staff prepare paper charts for storage by organizing them by year and then alphabetical by patient name. Identify a secure storage area for the charts. Consider who will retrieve records when needed — either the dentist or the facility where the charts are stored. The dentist must have a HIPAA business associate agreement with a record retrieval service.
Determine when to end use of the electronic health record software. Have staff create PDF documents of each electronic patient chart and have them stored on an encrypted device. The PDF copies allow the dentist to email or to print and send records to patients who request copies. Ensure any unencrypted patient information is wiped from devices.
In case of a malpractice claim, a dentist will want to retain a secure archival copy of the software and all documentation. If this was not included in the original software contract, inquire with the software company. According to the Office of the National Coordinator for Health Information Technology:
“The [contract language] could be important to you in the defense of a medical malpractice claim since it may be necessary to use an old version of the EHR vendor’s software to determine what information could have been available to a health care professional who reviewed a patient’s records at a particular point in time. If your EHR vendor provides the EHR as a service under a cloud model, you typically would not have received the software. Therefore the EHR contract should impose an obligation on the vendor to maintain copies of all software versions and to provide services to facilitate your access to the software in the circumstances discussed above. You could include a mechanism in your EHR contract to pay a reasonable amount for these services (if the vendor required).”
HIPAA rules place responsibility for the security of electronic health information on the covered entity which generates or has possession of it. A covered entity who contracts with an electronic health record system should ensure from the start of its contract with an EHR vendor that the covered entity maintains control of the information, including when the vendor changes ownership and when the covered entity switches to a different EHR vendor.
A dentist should take the following steps when selling a practice.
Notify active patients (those seen in the practice the past two years) of the practice transition to a new owner. Include a partially completed release of records form which the patient can sign and return indicating authorization to release their record to the new owner. Authorization is implied when a patient who had not returned the release of records form makes an appointment to be seen by the practice. Patient authorization to release records to a new practice owner is a requirement of CMIA and not of HIPAA.
Reach an agreement with the buyer on the disposition of patient records. It is likely the buyer will want to keep only the active patient records but may end up with all of the records. Whoever has physical possession of the records is responsible for their security and proper disposal, according to California law. In case of a malpractice claim, the seller should arrange for access to patient records for a recommended period of 10 years. The selling dentist may access patient information generated during the time the selling dentist was the care provider.
Contact the electronic health record company to arrange for transfer of the software license to the new owner. If the new practice owner thinks they may switch later to a different electronic health record system, they will need to ensure appropriate contract language is included to allow for the transition. The selling dentist should arrange for an archival copy of the software and information as described above.
If unsuccessful in finding a buyer for the practice, find a dentist who is willing to store the patient records and to fulfill patient access to record requests. Be sure to:
- Have the charts separated as described above and dispose materials appropriately.
- Agree to formal terms for records storage and retrieval, fees and access to records for a limited time. The agreement can include a process allowing the dentist to convert patients to their practice.
- A HIPAA business associate agreement should be signed if the dentist has no interest in converting the patients to their practice and is simply providing a records storage and retrieval service.
- Notify patients of your retirement and include a release of records form. The notification should include the date when the other dentist will start fulfilling patient access to record requests.
- Arrange for PDF copies of patient charts as described above. Provide encrypted drive with the patient records to the other dentist per agreement.
- In case of a malpractice claim, arrange for access to records for a recommended period of 10 years and arrange for archival copy of the electronic health record and documentation as described above.
Death or Incapacity of a Dentist
If a dentist is suddenly unable to practice, California law allows the dentist’s estate or legal representative to operate the dental practice for no longer than 12 months under specified conditions, including notifying the dental board. The estate or legal representative must notify patients of the dentist’s death or incapacity within 30 days of the event and provide any relevant information about the continuation of the dental practice. The dentist or dentists contracted by the estate or legal representative to operate the practice must obtain patients’ signed authorization releasing records to the dentist or dentists.