How Long Must Dental Practices Keep Patient Records? State-by-State

⚠️ Retention periods below are placeholders pending review by a licensed compliance/legal professional — do not publish as-is.

Dental record retention is one of the most frequently misunderstood areas of practice compliance. Many teams assume that because HIPAA is a federal law governing protected health information, it must also tell them how long to keep a patient's chart. It does not. This article explains where retention rules actually come from, why minors are handled differently, what HIPAA does require, and how all of this shapes your backup strategy. It is general educational information and is not legal advice — confirm your specific obligations with a licensed compliance or legal professional.

Does HIPAA say how long to keep dental records?

No — HIPAA does not set a retention period for clinical dental records. This surprises a lot of practice owners, but the HIPAA Privacy and Security Rules are silent on how long a patient's chart, radiographs, or treatment notes must be kept. That decision is left to the states.

HIPAA does contain one retention rule, and it is important not to confuse it with clinical retention. Covered entities must retain certain HIPAA documentation — written policies and procedures, risk analyses, security incident records, training logs, and signed business associate agreements — for six years from the date of creation or the date it was last in effect, whichever is later . This is the HIPAA documentation rule. It applies to your compliance paperwork, not to the patient record itself.

So a complete picture looks like this: HIPAA tells you to keep your compliance documentation for six years, and your state tells you how long to keep the actual patient records. The two rules run in parallel and you must satisfy both.

Why is retention set by state law, not HIPAA?

Because regulating the practice of dentistry has historically been a state responsibility. Each state licenses its own dentists, runs its own dental board, and writes its own dental practice act and medical-records statutes. Retention requirements live inside that state framework — sometimes in the dental practice act, sometimes in general medical-records law, sometimes in board rules.

The practical consequences are significant:

• The required period varies from state to state. A retention period that satisfies one state's board may fall short in another.
• The trigger date can differ. Some states count from the date of last treatment; others count from record creation.
• Multiple rules can apply to the same record. State retention law, statutes of limitations for malpractice claims, and payer or insurance-audit requirements can each impose their own timeframe. Retain for the longest applicable period.
• Multi-state groups face multiple regimes. A DSO operating across state lines must comply with each state's rules for the records generated in that state.

Because of this complexity, you cannot rely on a single number. The table below is structured so your compliance reviewer can fill in the verified figures for each jurisdiction you operate in.

Why do records for minors have special rules?

Because a minor cannot bring a legal claim until they reach adulthood, so the retention clock is usually extended to protect their rights. In most states, the period for a minor's dental record does not start running at the last date of treatment. Instead, it commonly begins when the patient reaches the age of majority (typically 18), and then the standard retention period runs on top of that.

The effect is that a child treated at age 6 may have a record that must be kept well into their twenties — far longer than an adult record from the same visit. The exact age of majority, the length of the add-on period, and any exceptions are all set by state law, which is why every minor cell in the table below is a placeholder for verified review.

This is also the scenario where practices most often fall short: a chart that looks old enough to purge under adult rules may still be legally protected because the patient was a minor when treated. When in doubt, keep it.

State-by-state dental record retention

⚠️ Every value below is a placeholder. Do not rely on this table until each entry has been verified by a licensed compliance or legal professional for your jurisdiction.

State	Adult records	Minor records (special rules)
Alabama	{{VERIFY: Alabama}}	{{VERIFY: Alabama}}
Alaska	{{VERIFY: Alaska}}	{{VERIFY: Alaska}}
Arizona	{{VERIFY: Arizona}}	{{VERIFY: Arizona}}
Arkansas	{{VERIFY: Arkansas}}	{{VERIFY: Arkansas}}
California	{{VERIFY: California}}	{{VERIFY: California}}
Colorado	{{VERIFY: Colorado}}	{{VERIFY: Colorado}}
Connecticut	{{VERIFY: Connecticut}}	{{VERIFY: Connecticut}}
Delaware	{{VERIFY: Delaware}}	{{VERIFY: Delaware}}
District of Columbia	{{VERIFY: District of Columbia}}	{{VERIFY: District of Columbia}}
Florida	{{VERIFY: Florida}}	{{VERIFY: Florida}}
Georgia	{{VERIFY: Georgia}}	{{VERIFY: Georgia}}
Hawaii	{{VERIFY: Hawaii}}	{{VERIFY: Hawaii}}
Idaho	{{VERIFY: Idaho}}	{{VERIFY: Idaho}}
Illinois	{{VERIFY: Illinois}}	{{VERIFY: Illinois}}
Indiana	{{VERIFY: Indiana}}	{{VERIFY: Indiana}}
Iowa	{{VERIFY: Iowa}}	{{VERIFY: Iowa}}
Kansas	{{VERIFY: Kansas}}	{{VERIFY: Kansas}}
Kentucky	{{VERIFY: Kentucky}}	{{VERIFY: Kentucky}}
Louisiana	{{VERIFY: Louisiana}}	{{VERIFY: Louisiana}}
Maine	{{VERIFY: Maine}}	{{VERIFY: Maine}}
Maryland	{{VERIFY: Maryland}}	{{VERIFY: Maryland}}
Massachusetts	{{VERIFY: Massachusetts}}	{{VERIFY: Massachusetts}}
Michigan	{{VERIFY: Michigan}}	{{VERIFY: Michigan}}
Minnesota	{{VERIFY: Minnesota}}	{{VERIFY: Minnesota}}
Mississippi	{{VERIFY: Mississippi}}	{{VERIFY: Mississippi}}
Missouri	{{VERIFY: Missouri}}	{{VERIFY: Missouri}}
Montana	{{VERIFY: Montana}}	{{VERIFY: Montana}}
Nebraska	{{VERIFY: Nebraska}}	{{VERIFY: Nebraska}}
Nevada	{{VERIFY: Nevada}}	{{VERIFY: Nevada}}
New Hampshire	{{VERIFY: New Hampshire}}	{{VERIFY: New Hampshire}}
New Jersey	{{VERIFY: New Jersey}}	{{VERIFY: New Jersey}}
New Mexico	{{VERIFY: New Mexico}}	{{VERIFY: New Mexico}}
New York	{{VERIFY: New York}}	{{VERIFY: New York}}
North Carolina	{{VERIFY: North Carolina}}	{{VERIFY: North Carolina}}
North Dakota	{{VERIFY: North Dakota}}	{{VERIFY: North Dakota}}
Ohio	{{VERIFY: Ohio}}	{{VERIFY: Ohio}}
Oklahoma	{{VERIFY: Oklahoma}}	{{VERIFY: Oklahoma}}
Oregon	{{VERIFY: Oregon}}	{{VERIFY: Oregon}}
Pennsylvania	{{VERIFY: Pennsylvania}}	{{VERIFY: Pennsylvania}}
Rhode Island	{{VERIFY: Rhode Island}}	{{VERIFY: Rhode Island}}
South Carolina	{{VERIFY: South Carolina}}	{{VERIFY: South Carolina}}
South Dakota	{{VERIFY: South Dakota}}	{{VERIFY: South Dakota}}
Tennessee	{{VERIFY: Tennessee}}	{{VERIFY: Tennessee}}
Texas	{{VERIFY: Texas}}	{{VERIFY: Texas}}
Utah	{{VERIFY: Utah}}	{{VERIFY: Utah}}
Vermont	{{VERIFY: Vermont}}	{{VERIFY: Vermont}}
Virginia	{{VERIFY: Virginia}}	{{VERIFY: Virginia}}
Washington	{{VERIFY: Washington}}	{{VERIFY: Washington}}
West Virginia	{{VERIFY: West Virginia}}	{{VERIFY: West Virginia}}
Wisconsin	{{VERIFY: Wisconsin}}	{{VERIFY: Wisconsin}}
Wyoming	{{VERIFY: Wyoming}}	{{VERIFY: Wyoming}}

What does retention mean for your backups?

It means a backup is only compliant if it actually preserves every record for the full mandated period — and can produce it on demand. A retention rule is meaningless if the underlying data has been overwritten, corrupted, or aged out of your backup system before the legal clock runs out.

That puts real requirements on how backups are designed:

• Retention-tiered storage. Backups must be kept at least as long as the longest applicable legal requirement, including the extended timelines for minors. DDSArk keeps retention-tiered backups configured to your obligations.
• Immutability. Records under a legal hold or a long retention requirement should not be silently deletable. DDSArk keeps immutable backups so a stored record cannot be tampered with or quietly removed before its period ends.
• Encryption and off-site copies. Protecting records across a multi-year horizon means they must survive local disasters and stay confidential. DDSArk keeps encrypted, off-site copies of your data.
• A signed BAA. Any vendor that stores PHI on your behalf is a business associate. DDSArk signs a HIPAA business associate agreement, and the backups are MSP-managed so retention is configured and monitored for you.

To confirm whether your current setup would actually hold up, start with our HIPAA backup audit self-check, and see is cloud backup HIPAA compliant? for how managed cloud backup fits the broader compliance picture.

The bottom line: HIPAA sets a six-year clock for your documentation, your state sets the clock for patient records, minors usually get a much longer clock — and your backups have to outlast all of them. Get the verified numbers for every state you operate in, then make sure your retention configuration meets the longest one.