Practice Management FAQMedical Records
The information provided to you is intended for educational purposes only. In no event shall AAOMS be liable for any decision made or action taken or not taken by you or anyone else in reliance on the information provided. For legal or other professional advice, you need to consult your own professional advisers.
How long do we need to keep patient records?
Ideally, records should be maintained and kept accessible indefinitely, as they are the history of the patient's treatment. However regulations for record retention do exist. Record retention is mostly determined by individual state regulations. While HIPAA mandates a six-year requirement to keep records, state laws will supersede HIPAA if more stringent. Therefore if state law requires records to be retained for longer than six years, offices should abide by the state requirements. Due to storage issues, many times offices seek alternative means to keep records. Some choices to store records include using a records storage service, transferring records to microfilm or microfiche, or scanning records and storing them digitally. It is recommended to contact your state's Dental and Medical Boards for specific state regulations. In addition, refer to your liability carrier or healthcare attorney for further guidance, especially for regulations on treating patients with a medical power of attorney or patients involved in a civil or criminal proceeding. In these cases, records may need to be kept indefinitely.
For information on medical record retention, please visit the American Health Information Management Association (AHIMA) and the November/December 2003 Practice Management Notes The OMS's Guide to Record Retention.
How do I properly dispose of patient records?
Record retention and disposal are mandated by federal and state regulations. Your office should have a written record retention schedule and destruction policy in accordance with federal and state laws. These polices should also be reviewed and approved by your malpractice insurer and legal counsel.
Prior to disposing or donating your outdated computers, it is essential that you "scrub" them before doing so. This means you must make certain that your patients' protected health information (PHI) is completely removed from the computers' hard drives. Deleting files or documents, or repartitioning the hard drive does not completely erase the material from your computer. There are several options to consider for complete erasure. You can purchase software known as "secure erase tools" or you can have a reputable computer service center perform the proper erasure procedures. Please note that you would need to have a business associate agreement with the company assisting you with the erasure of your hard drives, since they will have access to your patients' PHI. Not only does complete erasure ensure the proper removal of the patients' PHI, it also protects the doctors and office personnel from potential identity theft and eliminates access to any financial data that was stored on the computer.
Can I charge patients a fee for copying their records?
HIPAA permits a covered entity to impose reasonable, cost-based fees for providing medical records to patients. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also be able to charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information. See 45 C.F.R. § 164.524 (c). For more information on state copying laws, please see Medical Records Copying Charges by State.
Can I charge interest to a patient's account?
Interest rates vary from state to state therefore it is suggested to consult with a Certified Public Accountant (CPA) to determine the approved interest rate for your state. Payment arrangements should be discussed with patients prior to their course of treatment or at the time of service. At this time the patient should be informed of any interest applied to monthly payments as well as options available, such as paying a certain percentage up front, and agreeing to pay the remaining balance in three installments. Patients should be notified of any penalties applied for not following the payment arrangement, for example, when they will be sent to collections after the first skipped payment, after three months, etc. Providing this information allows the patient to make an informed decision in regards to their method of payment and informs the patient of your practice's expectations.
Providing this information allows the patient to make an informed decision in regards to their method of payment and informs the patient of the practice's expectations. If the decision is made to proceed with payment arrangements, the practice should develop a written financial policy. This not only ensures that staff is aware of the procedures to be followed it ensures that you will be paid for your services, and allows your patients flexibility in paying for their health care.
For further information, you may refer to the Jan/Feb 2003 Practice Management Notes, Get Paid for Your Services - 7 Simple Steps. Also available through AAOMS Services, Inc., CareCredit offers various payment options and rates depending on the balance and length of time needed to pay the balance in full and IC System, Inc. for collection services.
May we ask patients for their social security numbers?
Patients' social security numbers may be obtained for identification purposes and also for collections and insurance reasons as long as the number is not being disclosed for unrelated purposes. Your HIPAA Privacy Notice should explain your intended use of their personal information. With identity theft on the rise, some states have also established rules or protocols for businesses, banks, and other organizations with regards to the use of an individual's social security numbers. While it is acceptable to ask a patient for their social security number, ultimately the patient does not have to provide it if they do not want to. The doctor can not refuse treatment if the patient refuses to provide it. The doctor can only request it and explain why they need it if asked. While refusing to provide it could impede the billing/payment process, there is no way in knowing if the patient even provides the correct number until you go to use it.
Do you have sample informed consent forms?
AAOMS recommends contacting your malpractice provider for sample informed consent forms. If you are a member of OMSNIC, sample consent forms can be obtained through their web site at dds4dds.com.
How long do I need to keep drug logs?
According to Title 21; part 1300 from the Drug Enforcement Administration's Diversion Program there is a 2-year mandate for keeping your drug inventory logs. Your state may have additional regulations on maintaining these records. You would need to abide by the more stringent regulation between your state and the Federal DEA office. For example the state of Illinois requires a 5-year retention of drug inventory logs. Since this is more stringent than the 2-year regulation from the DEA, you would need to abide by the state law. To find more information on Title 21, locate your state or regional DEA Diversion office, or access DEA applications and forms, please visit the DEA Diversion Control web site.
Are there requirements for storing drugs in the office?
All controlled substances should be stored in a locked cabinet or other secure storage container with limited access by the office staff. Even though the Federal regulations do not specifically define locked cabinet construction, the intent of the law is that controlled substances must be adequately safeguarded. Therefore, depending on other security measures, a wooden cabinet may or may not be considered adequate. In an area with a high crime rate, a strong metal cabinet or safe may be required. Some of the factors considered when evaluating a practitioner's controlled substances security include: (1) The number of employees, customers and/or patients who have access to the controlled substances. (2) The location of the registrant (high or low crime area). (3) Use of an effective alarm system. (4) Quantity of controlled substances to be kept on hand. (5) Prior history of theft or diversion. For more information on storage and security for practitioners, see Security Outline of the Controlled Substances Act of 1970.
DEA Frequently Asked Questions
When is the next National Prescription Drug Take Back Day?
October 29, 2011 from 10:00am - 2:00pm. For a location near you, please visit the following site:
Exact locations in your zip code area, county, and city will be available on this site in mid September.
Do I need to provide interpreters for my patients?
The American with Disabilities Act mandates health care providers to provide "auxiliary aids and services" to enable a patient with a disability to benefit from the services of the office. Under the ADA laws, if a patient requests an interpreter, one must be provided by the office. If the office refuses, they may be subject to a claim for discrimination. In addition, the cost of the interpreter must be covered by the office, and may not be passed on to the patient. For more information, please visit American with Disabilities Act or HHS Office for Civil Rights.
In addition, if the office earns any income from Medicare or Medicaid or any federal health care program, the requirement to provide interpreters also applies for Limited-English Proficiency (LEP) patients. It is recommended to contact your office attorney for further guidance on any additional state regulations that may apply. For more information, please see the Language Services Action Kit from NHeLP (National Health Law Program) which provides instruction and information on the federal laws and policies regarding interpreter services for people with Limited English Proficiency (LEP). There is also LEP information from the US Department of Justice and the HHS Office for Civil Rights web sites. In addition, state dental boards and dental associations may have additional information or guidance.
Do parents have the right to access to their children's medical records?
Access to a minor's records is determined primarily by state law. The HIPAA privacy rule allows a parent, serving as his or her child's personal representative, to have access to their children's medical record only when access is consistent with their state law. Parental access would be denied when state or other law prohibits such access. If state or other applicable law is silent on a parent's right of access in these cases, the clinician may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor's protected health information. As is the case with respect to all personal representatives under the privacy rule, the doctor can choose not to treat a parent as a personal representative when the doctor believes that the child has been or may be subjected to domestic violence, abuse, or neglect, or believes that treating the parent as the child's personal representative could endanger the child. To determine if you are able to release a minor's PHI to a parent, it is recommended to check your state laws and consult with legal counsel.
Questions on HIPAA?
For access to answers on other HIPAA questions, please visit HIPAA Privacy or HIPAA Administration-General Information, Security, NPI, Transaction and Code Sets.
Can a pregnant person operate the x-ray machine?
Safety precautions should be followed by all employees who access the x-ray machine, including using equipment that works properly and standing outside of the room at least 6 feet away from the active beam, shielded by a barrier/wall and leaded apron. State laws may require monitoring for all personnel, but specifically the National Council on Radiation Protection and Measurements (NCRP) recommends that personal dosimeters (x-ray badges) be provided for known pregnant personnel. Other work restrictions for pregnant employees including the use of dosimeters should be based on the recommendation of the employee's physician and institutional policies and state law, where applicable. For further information on Radiation Safety and the guidelines from the National Council on Radiation Protection and Measurements (NCRP) please visit osap.org and ncrponline.org.
OSAP's (Organization for Safety and Asepsis Procedures) February 2005 issue of Infection Control In Practice explains the guidelines from the NCRP, and outlines recommendations from the CDC, FDA and ADA).
Can I give extracted teeth to students or patients?
If you are using the extracted teeth for preclinical educational training, the teeth should be cleansed of visible blood and gross debris and maintained in a hydrated state. Extracted teeth must also be placed in a well-constructed container with a secure lid to prevent leaking during transport and labeled with the biohazard symbol. A liquid chemical germicide (e.g., sodium hypochlorite [household bleach] diluted 1:10 with tap water) could reduce bacterial accumulation during storage although it does not completely disinfect/sterilize the tooth. Prior to use in an educational setting, teeth should be sterilized to allow for safe handling. Students enrolled in dental educational programs should follow recognized universal precautions. The use of teeth that do not contain amalgam is preferred because they can be safely autoclaved. Extracted teeth containing amalgam restorations must not be heat sterilized because of the potential health hazard due to the risk of mercury vaporization and exposure. If extracted teeth containing amalgam restorations are to be used, immersion in 10% formalin solution for two weeks has been found to be an effective method of disinfecting both the internal and external structures of the teeth.
There is nothing in the standard which would prevent a dentist from giving patients their own extracted teeth when the patient desires them since the intent of the standard is to prevent exposure of employees to the blood of other individuals, not to protect individuals from their own blood. At the same time, it would be unacceptable for a healthcare provider to require that a patient take all of the contaminated items generated during their care in order to circumvent the standard's regulated waste requirements.
For more information, please visit:
What posters are required by OSHA?
Official posters such as the OSHA Workplace Poster and other publications are available at no charge to anyone seeking them. Simply visit the publications page on OSHA's web site or call 202/693-1888 to order the free posters and publications. Also check with your state to see if additional poster requirements apply. For more information, please visit the OSHA web site.
What are the steps I need to follow when an employee is stuck with a needle?
Your office is required to have an Exposure Control plan in the office by OSHA standards, and also required to document all incidents. The protocol of needlesticks injuries should be documented here and all staff should be trained on the information. AAOMS offers a Model Exposure Control Plan to help you comply with the requirements of OSHA and establish a written plan detailing: (1) job titles and duties of those who may be exposed to infection, (2) implementations of methods of exposure control, (3) vaccinations, (4) required post-exposure evaluation and follow-up, (5) procedures for evaluation, (6) training and steps to alert employees to biohazards and (7) record keeping requirements. The book also contains OSHA Regulations and the Needlestick Safety and Prevention Act, engineering control evaluation forms and a resource list. Further information on ordering this resource can be found by visiting the e-store on aaoms.org.
An exposure incident is defined as the specific contact of another person's blood, saliva or other potentially infectious material (OPIM) with an employee's eyes; mouth or other mucous membranes; non-intact skin (cracked, or abraded skin); or tissues via parenteral contact (i.e., cuts, or punctures of the skin with a contaminated needle or instrument). In the event that that someone in your office has had an exposure incident, there are several steps you must take according to OSHA's Occupational Exposure to Bloodborne Pathogens standard. Below, please find information regarding the exposed employee, the source patient, the employer, and documentation requirements when confronted with an exposure incident in the OMS office. This information has been collected from the CDC, OSHA, and the ADA.
The Exposed Employee
Once an exposure incident is suspected, the affected employee must report the incident immediately to his/her employer to allow appropriate medical follow-up and an opportunity to observe the environment where the incident happened.
If the employee consents, the exposed employee's blood is collected and baseline testing is conducted to establish the employee's HBV and HIV status. The employee has the right to decline testing or to delay testing of the collected blood for up to 90 days. If the employee consents to baseline blood collection, but does not give consent for HIV testing at that time, the sample must be preserved for at least 90 days. If, within 90 days of the exposure incident, the employee elects to have the baseline sample tested, such testing shall be done by a designated health care professional as soon as possible.
For employees who have not received the HBV vaccine series, the HBV vaccine is to be offered as soon as possible after the exposure incident, but no more than seven days after the incident. With regard to HIV disease, current CDC guidelines must be followed. The exposed employee should receive immediate post-exposure evaluation preferably within 1-2 hours, but no longer than 24 hours after the exposure incident.
The Source Patient
The employer must contact the source patient, if known, and ask his or her consent to be tested for HBV and HIV following an exposure incident. If consent is not obtained, and is required by local law, the employer must document that fact in writing as part of the report of the exposure incident. If consent is obtained, or if it is not legally required and the source patient's blood is available, the source patient's blood must be tested as soon as possible. The employer must identify and document in writing the source patient unless it is not feasible or prohibited by state or local law. The results of the testing must be made available to the exposed employee and he or she must be informed of applicable laws and regulations concerning further disclosure of the identity and infectious status of the source patient.
OSHA's Occupational Exposure to Bloodborne Pathogens requires the employer to make immediately available a confidential medical evaluation and follow-up at no cost to the exposed employee. OSHA's standard requires that medical records be kept confidential and not disclosed without the employee's consent, except as required by the standard or by law. For example, the standard does not prohibit the release of information if a law requires it to be released to a county or state health department.
The standard requires the employer to make available testing, post-exposure prophylaxis (when medically indicated), counseling and evaluation of reported illnesses. The employer must refer the exposed employee to a licensed health care professional who will perform all medical evaluations and procedures in accordance with the most current recommendations of the U.S. Public Health Service at the time the post-exposure testing and prophylaxis take place. The employer must ensure that the health care professional understands the requirements of the standard and agrees to comply. The employer must also provide the health care professional with the following information: a copy of the bloodborne pathogens standard; a description of the employee's job duties as they relate to the incident; a report of the specific exposure incident, including routes of exposure and the circumstances under which exposure occurred; the results of the source patient's blood testing, if available; and relevant employee medical records, including vaccination status. Once the exposure incident evaluation is complete, the health care professional must provide a written opinion to the employer. It is the employer's obligation to ensure that he or she obtains and provides the exposed employee with a copy of the health care professional's written opinion within 15 days of the completion of the evaluation. The original document should be placed in the employee's confidential medical record.
While the employer is required to arrange or provide post-exposure prophylaxis, and the evaluation of reported illnesses, treatment of disease is beyond the scope of the standard's follow-up requirements and is generally handled under workers' compensation or other disability insurance. In addition, once an employee is no longer employed, the employer would no longer be obligated to meet the requirements of the standard since the employer-employee relationship has ended unless there are state workers' compensation laws that apply.
The employer must prepare a report of the exposure incident, including the route(s) of exposure, the circumstances under which the exposure incident occurred, and the identity of the source patient, if known and if permitted by law. This report must be placed in the employee's confidential medical record. A copy also must be provided to the evaluating health care professional. Records must be maintained for the duration of employment plus 30 years in accordance with OSHA's standard on Access to Employee Exposure and Medical Records, 29 CFR 1910.20. Your office is required to have an Exposure Control Plan according to OSHA standards and all staff should be trained on the information. Your exposure control plan should include your needlestick protocol and provide a place to document any incidents.
Please Note: an exposure incident may meet the criteria for OSHA's Recordkeeping Requirements as a "recordable occupational injury." These requirements apply to dental employers with eleven or more employees and require the completion of OSHA forms 300, 300-A, and 301 forms, or equivalent forms, for recordable injuries and illnesses. The OSHA 300 form is called the Log of Work-Related Injuries and Illnesses, the 300-A is the Summary of Work-Related Injuries and Illnesses, and the OSHA 301 form is called the Injury and Illness Incident Report. The criteria for recording under such circumstances include: (1) The incident results in a loss of consciousness, transfer to another job, or a work restriction, or (2) The incident results in the administration or recommendation of medical treatment beyond first aid (e.g., gamma globulin, hepatitis B immune globulin, hepatitis B vaccine, zidovudine or other prescription medications), or (3) The incident results in a diagnosis of seroconversion. Dental employers with fewer than eleven employees must prepare a report of the exposure incident, but they may not be required to complete the OSHA forms 300,300-A and 301.
Additional Web sites for Information on Exposure Incidents:
- OSHA Post-Exposure Evaluation
- Recording and Reporting Occupational Injuries and Illness
- OSHA 300 Forms
- CDC Infection Control Guidelines
- AAOMS Model Exposure Control Plan
Disclaimer: Although this information is intended to be accurate, it should not be construed as client-specific advice, nor should be used alone to resolve specific legal or practice management problems. Specific legal or business advice should be sought through a personal attorney. Further information on specific state regulations can be found through your state dental board or dental society.
Does AAOMS recommend any vendors for equipment and supplies for my office?
For quick access to programs and services to benefit AAOMS members, please visit www.aaomssuppliermarketplace.com. You can search for companies by category, or by using the search options at the top of the page.
Does AAOMS have any resources available for bringing on an associate or partner?
Below, please find some information on Associateships and Partnerships.
- Buy-in Pay-out Manual (please note to see member pricing, you must login to AAOMS estore)
- AAOMS Supplier Marketplace - to find a practice management consultant or other resources
- Career Line
- Financial arrangements in an oral and maxillofacial surgery practice - part 2 (May/June 2009)
- Financial arrangements in an oral and maxillofacial surgery practice - part 1 (March/April 2009)
- Assessing Practice Value (Jan/Feb 2007)
- Protecting Yourself in a Partnership (July/Aug 2005)
- What Does it Mean to be a Partner? (May/June 2005)
Annual Meeting Courses
- 2010 Annual Meeting Courses
Practice Management Clinics
- P705 Buy-Ins and Pay-Outs in the OMS Practice
- 2009 Annual Meeting courses
- 2008 Annual Meeting Courses
- Associateships - Myths and Facts (PM Notes Nov/Dec 2000)
- Oral and Maxillofacial Surgery Practice Transition (PM Notes May/June 2002)
- Reasons for Adding an Associate or Partner
Please visit Starting a Practice on the AAOMS Web site for more information on salary.