Practice Management FAQ

Ideally, records should be maintained and kept accessible indefinitely, since they are the history of the patient’s treatment, but retention laws do exist. HIPAA mandates for record retention are superseded by individual state regulations if state mandates are more stringent. Due to storage issues, sometimes offices seek alternative means for record keeping. Choices include using a records storage service, transferring records to microfilm or microfiche, or scanning records and storing them digitally. It is recommended that you contact your state’s Dental and Medical Boards for specific state regulations. In addition, refer to your liability carrier or healthcare attorney for further guidance, especially for regulations on treating patients with a medical power of attorney, or patients involved in a civil or criminal proceeding. In these cases, records may need to be kept indefinitely.

For information on medical record retention, please visit the American Health Information Management Association (AHIMA) and see the November/December 2003 Practice Management Notes, “The OMS’s Guide to Record Retention.”

Record disposal is mandated by federal and state regulations; your office should have a written record retention schedule and destruction policy in accordance with those laws. These policies should also be reviewed and approved by your malpractice insurer and legal counsel.

Prior to disposing of or donating your outdated computers, it is essential that you “scrub” them first, so your patients’ protected health information (PHI) is completely removed from the computers’ hard drives. Deleting files or documents, or repartitioning the hard drive does not completely erase the material from your computer. There are several options to consider for complete erasure. You can purchase software known as “secure erase tools” or you can have a reputable computer service perform the proper erasure procedures. Please note that you would need to have a business associate agreement with the company assisting you with the erasure of your hard drives, since they will have access to your patients’ PHI. Not only does complete erasure ensure the proper removal of the patients’ PHI, it also protects the doctors and office personnel from potential identity theft, and eliminates access to any financial data that was stored on the computer.

HIPAA permits a covered entity to collect reasonable, cost-based fees for providing medical records to patients. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has elected to receive a summary or explanation of his or her protected health information, the covered entity may also be able to charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information. See 45 C.F.R. § 164.524 (c). For more information on state copying laws, please see Medical Records Copying Charges by State.
Interest rates vary from state to state; we suggest you consult a Certified Public Accountant (CPA) to determine the approved interest rate. Payment arrangements should be discussed with patients prior to their treatment or at the time of service. At that time, the patient should be informed of any interest applied to monthly payments, as well as options available. Patients should be notified of any penalties applied for non-payment or skipping a payment. This allows the patient to make an informed financial decision and be aware of your practice’s payment expectations. If the patient desires payment arrangements, the practice should provide a written financial policy, so the staff is aware of the procedures to be followed, making it more likely that you will be paid for your services.
Patients’ social security numbers may be obtained for identification purposes, and also for collections and insurance reasons, as long as the number is not disclosed for unrelated purposes. With identity theft on the rise, some states have also established rules or protocols for businesses, banks, and other organizations regarding the use of an individual’s social security number, and you should be familiar with them. Your HIPAA Privacy Notice should explain your intended use of patients’ personal information. While it is acceptable to ask a patient for their social security number, the patient does not have to provide it, and the doctor cannot refuse treatment in that case. While denial could impede the billing/payment process, there is also no way to know if the patient has provided the correct number until you go to use it.
Lloyds Solutions recommends contacting your malpractice provider for sample informed consent forms. If you are a member of OMSNIC, sample consent forms can be obtained through their web site at
According to Title 21, Part 1300 of the Drug Enforcement Administration’s Diversion Program, there is a 2-year mandate for keeping your drug inventory logs. Your state may have additional regulations on maintaining these records, so you will need to follow whichever regulations are more stringent. To find more information on Title 21, locate your state or regional DEA Diversion office, or to access DEA applications and forms, please visit the DEA Diversion Control web site.
All controlled substances should be stored in a locked cabinet or other secure storage container, with limited access by the office staff. Even though the Federal regulations do not specifically define locked cabinet construction, the intent of the law is that controlled substances must be adequately safeguarded. Therefore, depending on other security measures, a wooden cabinet may or may not be considered adequate. In a high crime area, a strong metal cabinet or safe may be required. Some of the factors considered when evaluating a practitioner’s controlled substances security include: (1) the number of employees, customers and/or patients who have access to the controlled substances; (2) the location of the registrant (high or low crime area); (3) use of an effective alarm system; (4) quantity of controlled substances kept on hand; and (5) prior history of theft or diversion. For more information on storage and security for practitioners, see Security Outline of the Controlled Substances Act of 1970.

The Americans with Disabilities Act mandates that health care providers provide “auxiliary aids and services” to enable a patient with a disability to benefit from practice services. Under the ADA laws, if a patient requests an interpreter, one must be provided by the office. If the office refuses to do so, the practice may be subject to a claim for discrimination. In addition, the cost of the interpreter must be covered by the office, and may not be passed on to the patient. For more information, please visit Americans with Disabilities Act or HHS Office for Civil Rights.

In addition, if the office earns any income from Medicare or Medicaid or any federal health care program, the requirement to provide interpreters also applies for Limited-English Proficiency (LEP) patients. We recommend you contact your office attorney for further guidance on any additional state regulations that may apply. For more information, please see the Language Services Action Kit from NHeLP (National Health Law Program), which provides instruction and information on the federal laws and policies regarding interpreter services for people with LEP. LEP information is also available from the US Department of Justice and the HHS Office for Civil Rights web sites. In addition, state dental boards and dental associations may have additional information or guidance.

Access to a minor’s records is determined primarily by state law. The HIPAA privacy rule allows a parent, serving as his or her child’s personal representative, to have access to children’s medical records only when access is consistent with state law. Parental access would be denied when state or other law prohibits such access. If state or other applicable law is silent on a parent’s right of access in these cases, the clinician may exercise professional judgment to the extent allowed by law to grant or deny parental access to the minor’s health information. As is the case with respect to all personal representatives under the privacy rule, the doctor can choose not to treat a parent as a personal representative, when the doctor believes that the child has been or may be subjected to domestic violence, abuse, or neglect, or if the physician believes that treating the parent as the child’s personal representative could endanger the child. To determine if you are able to release a minor’s PHI to a parent, it is recommended that you check your state laws and consult with legal counsel.
For access to answers on other HIPAA questions, please visit HIPAA Privacy or HIPAA Administration-General Information, Security, NPI, Transaction and Code Sets.

Safety precautions should be followed by all employees who access the x-ray machine, including making sure equipment works properly. Employees should stand outside the room at least 6 feet away from the active beam, and be shielded by a barrier/wall and a leaded apron. State laws may require monitoring of all personnel, but, specifically, the National Council on Radiation Protection and Measurements (NCRP) recommends that personal dosimeters (x-ray badges) be provided for known pregnant personnel. Other work restrictions for pregnant employees should be based on the recommendation of the employee’s physician, plus institutional policies and state law, where applicable. For further information on Radiation Safety and the guidelines from the National Council on Radiation Protection and Measurements (NCRP) please visit and

OSAP’s (Organization for Safety and Asepsis Procedures) February 2005 issue of Infection Control In Practice explains the guidelines from the NCRP, and outlines recommendations from the CDC, FDA and ADA.

Official posters such as the OSHA Workplace Poster and other publications are available at no charge to anyone seeking them. Simply visit the publications page on OSHA’s web site or call 202/693-1888 to order the free posters and publications. Also check with your state to see if additional poster requirements apply. For more information, please visit the OSHA web site.
Your medical office or dental office is required by OSHA standards to have an Exposure Control plan in the office, and you are required to document all incidents. The protocol of needlestick injuries should be documented in the plan, and all staff should be trained in the proper procedure. Lloyds Solutions offers a Model Exposure Control Plan to help you comply with the requirements of OSHA, and to establish a written plan detailing: (1) job titles and duties of those who may be exposed to infection, (2) implementations of methods of exposure control, (3) vaccinations, (4) required post-exposure evaluation and follow-up, (5) procedures for evaluation, (6) training and steps to alert employees to biohazards, and (7) record-keeping requirements. The Exposure Control Plan also contains OSHA Regulations, the Needlestick Safety and Prevention Act, engineering control evaluation forms, and a resource list. Information on ordering this resource can be found by visiting the e-store on However, since Lloyds offers training in this and many other areas as part of our Practice Management and Consulting services, you can also let us do it for you.

Additional websites for information on exposure include:

  • OSHA Post-Exposure Evaluation
  • Recording and Reporting Occupational Injuries and Illness
  • OSHA 300 Forms
  • CDC Infection Control Guidelines
  • AAOMS Model Exposure Control Plan

The FAQs sampling above is just the tip of the iceberg as to the very strict laws and regulations governing a medical or dental practice. Especially for new practitioners, navigating the medical waters can be a nightmare, and the consequences of mistakes can be severe. Lloyds Solutions, Inc. has done it all before, and we can guide you to a successful, or more successful, worry-free practice.