How Long Do Dental Records Need to Be Kept? A State-by-State Guide for 2026

Dental record retention requirements vary by state, and getting them wrong can expose a practice to serious liability — whether from a malpractice claim filed years after treatment or a payer audit demanding documentation you no longer have. For practice administrators and clinicians alike, understanding how long records must be kept is foundational to both compliance and risk management.

The challenge is that no single federal law governs how long dentists must retain patient records. HIPAA establishes baseline requirements for covered-entity documentation, but dental record retention is primarily governed at the state level — meaning a practice in California operates under different rules than one in Texas or New York. This guide breaks down the general landscape, highlights common state-level thresholds, and offers a practical framework for staying compliant in 2026.

The Federal Baseline: What HIPAA Does and Does Not Require

HIPAA’s Privacy Rule requires covered entities — which include dental practices — to retain documentation of their privacy policies and procedures for six years from the date of creation or the date they were last in effect, whichever is longer. Critically, HIPAA does not set a minimum retention period for patient clinical records themselves. That gap is filled entirely by state law.

What HIPAA does govern is how records are protected during their retention period: access controls, audit trails, data encryption, and breach-notification obligations. HIPAA’s Security Rule applies regardless of whether a record is one year old or nine. Practices storing records in cloud-based EHR systems — Epic, Dentrix, Curve Dental, Open Dental — should confirm that their vendor agreements include appropriate Business Associate Agreements covering the full retention window.

State Dental Record Retention Requirements: A Tiered Overview

Most state dental practice acts, or the accompanying administrative rules issued by state dental boards, define minimum retention periods for adult patient records. These typically fall into one of three tiers:

  • 5 to 6 years from the date of last patient contact — a smaller group of states, some of which apply the general medical-records statute rather than a dental-specific rule.
  • 7 years from the date of last patient contact — the most common threshold, adopted by a majority of states.
  • 10 years or longer — applicable in several states where dental records fall under broader health-record retention mandates or where the dental practice act sets a higher floor.

Because these rules evolve through regulatory action and board guidance, and not always through legislation, the safest working approach is to treat 10 years as a conservative default for adult records, then verify your specific state’s current requirement with the state dental board or a dental-law attorney.

Minor Patient Records

Records for patients who were minors at the time of treatment carry a distinct rule in virtually every state: the retention clock does not simply start at last contact. Instead, the holding period is typically calculated as the longer of:

  • The standard adult retention period (e.g., 7 or 10 years from last contact), or
  • A fixed number of years — usually 3 to 7 — after the patient reaches the age of majority (18 in most states).

In practical terms, a pediatric dental record created for a four-year-old patient may need to be retained until that patient is 25 or older. Practices with a significant pediatric population should treat minor records as a separate retention category with a longer holding requirement than the adult default.

State-Specific Benchmarks Worth Knowing

The following represent commonly cited retention benchmarks as of 2026. Dental board regulations are updated periodically, so confirm current requirements directly with your state board before establishing or revising your policy:

  • California: 7 years from the date of last patient contact; minor records retained until 1 year after the patient reaches majority or 7 years from last contact, whichever is longer.
  • New York: 6 years from the date of last patient contact under general medical-records law; minor records retained until 3 years after majority or 6 years from last contact, whichever is longer.
  • Texas: Generally 10 years from the date of service or last patient contact under the dental practice act.
  • Florida: 5 years from the date of last patient contact, with additional requirements for minor records extending beyond the standard window.
  • Illinois: 10 years from the date of the last professional service, with longer periods applicable for minor patients under some interpretations of the statute.

Several other states — including Massachusetts, Washington, and Ohio — track the 7-year standard but apply their own minor-record provisions. When in doubt, retaining longer rather than shorter is always the more defensible position.

What Must Be in a Dental Record to Satisfy Retention Requirements

Retention requirements only matter if the records being retained are complete. State boards and payers are increasingly focused not just on whether a chart exists, but whether it contains the clinical content needed to reconstruct what was done, why, and how. A chart note that lacks treatment rationale, consent documentation, or accurate procedure codes is a liability even if it is technically on file.

At minimum, a defensible dental record for retention purposes typically includes:

  • Dated clinical notes for each encounter, with examination findings, clinician-identified treatment needs, and procedures performed.
  • Radiographs and imaging, properly labeled with patient identifiers and acquisition dates.
  • Consent forms — both general treatment consent and specific informed-consent documentation for surgical or irreversible procedures.
  • Medical history forms, including allergy and medication histories, updated at clinically appropriate intervals.
  • Referral letters, lab orders, and any specialist correspondence relevant to the patient’s care.
  • Billing and coding records tied directly to clinical documentation.

This is where documentation quality becomes a compliance issue, not just a clinical one. Sparse or ambiguous chart notes — the kind produced when a clinician is moving quickly between operatories — can satisfy a retention checklist while still failing a payer audit or a deposition review years later. The Rebrief charting platform is built specifically to address this gap, using ambient capture and structured note generation to produce chart notes that hold up under scrutiny long after the encounter ends.

Documentation Quality and Audit Defense

Retention is the floor; documentation quality is the ceiling. Industry data consistently shows that the overwhelming majority of claim denials trace back to administrative and documentation deficiencies rather than clinical ones — and when a practice is audited, the records retained are the records under examination. Keeping files for 10 years means nothing if those files cannot support the claims submitted against them.

PracticeShield™, Rebrief’s chart-audit and denial-defense layer, is designed with exactly this scenario in mind. It evaluates existing documentation against payer and regulatory standards, flagging notes likely to fail under audit review before they become a problem. For practices building or revisiting their retention infrastructure, the audit-readiness of the records being retained is as important a question as how long those records are being kept.

Consider that 72.88% of claims are denied due to administrative deficiencies. That figure represents more than lost revenue — it represents documentation that was retained but not defensible. A retention policy that preserves inadequate records does not protect a practice; it preserves the evidence of its documentation gaps.

Building a Retention Policy That Works in Practice

A functional dental record retention policy should answer four questions clearly:

  • How long are records kept? Segmented by adult and minor patient status, verified against current state requirements.
  • Where are records stored? On-premise, cloud-based EHR, or hybrid — with access controls and backup procedures documented.
  • How is retention tracked? Automated flags in the EHR or an administrative calendar that surfaces records approaching the end of their retention window.
  • What is the destruction protocol? HIPAA-compliant disposal methods for records past their retention period, with a destruction log maintained as evidence of proper handling.

EHR systems like Dentrix, Open Dental, Tab32, and Denticon each have varying levels of built-in retention tooling. Understanding what your system automates — and what it leaves to manual process — is the practical starting point for any retention audit. Practices that generate complete, structured notes at the point of care are better positioned from day one, because every record added to the retention archive is already audit-ready rather than requiring reconstruction later.

If reducing the documentation burden that makes retention management harder is a priority for your practice, reserve a demo to see how Rebrief structures clinical encounters into complete, defensible chart notes from the moment the patient sits down.

Dental record retention requirements are not static — state boards update them, payer standards shift, and the stakes attached to documentation gaps only grow as claims volumes increase. The practical approach: default to a 10-year retention window for adult records, treat minor records as a separate long-tail category, verify your state’s current rules directly, and make sure what you are retaining is worth keeping. Documentation that is both complete and compliant is the foundation of every other risk-management strategy a practice can build.