What to Do When it Comes to Retention and Disposal of Patient Records  

Ever since we started leaning heavier on technology, we’ve been entering more and more of our information online. Think about it. Whenever we sign up for a free gift, subscribe to an e-zine, or register for Netflix or Amazon Prime, we provide personal information, including (but not limited to) our full name, shipping address, and method of payment.  

The same applies to a new patient that comes into the dental office and fills out a medical questionnaire online and provides their personal information before their first appointment. X-rays will usually be performed during the appointment, which will then be added to their dental record.  

It’s important to understand how to handle a patient’s records. How long do you keep the information? How do you dispose of it all safely?  

In this post, I will go over PIPEDA, and answer the question of how long to keep patient records, how to dispose of this information securely, and more importantly, why it is essential to retain dental records for a designated amount of time.   

What is PIPEDA? 

Whenever we submit personal information, as a patient, a customer, or a subscriber, we expect that our information will be safe and secure. This is where PIPEDA comes in. 

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is a federal law that sets out the rules for how businesses can collect, use and disclose personal information for purposes of transactions, marketing, trade, etc. 


PIPEDA applies to most businesses but does not cover all provinces. Alberta, BC, and Quebec have their own version of PIPEDA, which will be discussed later in this post.   

What are the rules of PIPEDA? 

There are ten golden principles of PIPEDA that you may know very well or not at all: Accountability; Identifying purposes; Consent; Limiting Collection; Limiting use, disclosure, and retention; Accuracy; Safeguards; Openness; Individual access; Challenging compliance. 

 If you are unfamiliar, I recommend you check out the following link for more information on all ten. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/  

When it comes to the rule – limiting the use, disclosure, and retention of personal information, it is important that the personal information of patients and employees is protected. Know what information you have, where it is, and what you’re doing with it. Train your employees on the roles and responsibilities that come with protecting personal information, and limit and monitor employee access. You can learn more by visiting https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/principles/p_use/ 

Privacy protection for electronic documents and personal information in Alberta, BC, and Quebec 

For everyone in Alberta, the Personal Information Protection Act (PIPA) is your go-to for all information pertaining to collection, use, and disclosure of patient information: https://www.dentalhealthalberta.ca/wp-content/uploads/2019/01/Standard-of-Practice-Privacy-Management-Patient-Health-Information.pdf 

For everyone in BC, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) enforces both the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA): https://www.oipc.bc.ca/about/legislation/ 

For everyone in Quebec, you can reference Quebec’s Private Sector Privacy Act, found here: https://www.priv.gc.ca/media/1972/dec_050816_e.pdf 

Although these provinces are not covered by PIPEDA, most of the same rules apply. It is the responsibility of the custodian of all personal, financial, and medical data to review any differences and updates to make sure they are following the rules set out by their own province. 

How long do you retain patient records? 

In instances of retaining dental records, a specific allotted time to keep them is at least ten years from the date of their last entry, with minors’ records needing to be kept at least 10 years from the date they turn eighteen. These dental records include radiographs, consultant reports, financial records, and drug and lab prescriptions. This retention period also applies to appointment books, equipment maintenance records, sterilization log,s and drug register.  

Copies of dental claim forms must be kept for at least two years from the date the claim was provided to the patient or submitted on the patient’s behalf. 

When an office moves from paper to digital, it’s important to remember that retaining those paper records for at least ten years still applies, despite the transition. 

Why is it necessary to keep dental records so long? 

It might not seem like a big deal at first, but if something happens, like a lawsuit or patient complaint, or an audit by a third-party payor in order to justify treatment, those saved records will act as a lifeline and will save you a lot of stress. Ten years only seems like a long time when you’re looking forward, but not so much when you’re looking back. 

If a patient chart has little to no information, this can lower your credibility when it comes to your record-keeping duties. 

Think of your patient records as insurance. It is possible, even likely, that within that ten-year-long stretch of keeping those records, nothing will happen, but our reason for purchasing insurance is to protect us if something does. The dental records protect your clinic in the unlikely chance of something happening, be it a patient complaint, lawsuit, or other.    

What are the rules when it comes to the disposal of patient records? 

Disposal of paper records after those ten years must only occur when all patient identification/identifying labels are removed, destroyed, or rendered illegible. To prevent a privacy breach, securely shed paper files, or delete all electronic records fully and effectively.  

Any electronic records should be authorized by the dentist and be permanently deleted or irreversibly erased. This includes any backups or other copies. Keep a record that includes the following: name of the patient whose personal health information was disposed of, the time period to which the information relates, and the person responsible for authorizing the disposal of the information. 

In disposing of printers, scanners, and hard drives, ensure that all patient records have been deleted or irreversibly erased from them as well.  

Any personal information kept for statistical purposes only, make sure to render the information strictly anonymous.  

For more thorough information on PIPEDA, retention, and disposal of patient records, whether they are digital x-rays, personal information, or financial records, check out the resources below. Keeping yourself and your team well informed will guarantee proper and secure record-keeping and reduce stress on you and your team in the end.