Dental IT Support For Pennsylvania Practices
Pennsylvania rewrote its breach notification law twice in recent years, and most of what circulates about it is wrong. We support PA dental practices with safeguards, backups, and retention that match what the code actually says.
Dental IT Built Around Pennsylvania Practices
Pennsylvania has amended its breach notification law twice recently — Act 151 of 2022 took effect in May 2023, and Act 33 of 2024 followed in September 2024. The result is that a lot of the guidance aimed at PA practices is describing a version of the law that no longer exists, or describing rules that were never aimed at private practices in the first place.
The most common error is the seven-business-day deadline, which gets quoted at dental offices constantly. It applies to state agencies, counties, municipalities, and public schools. It does not apply to your practice. Below is what actually governs a Pennsylvania dental practice, with citations you can check.
Pennsylvania At A Glance
The Pennsylvania Rules That Shape Your IT
Much of what circulates about these rules is wrong or out of date. Here is what the statutes and codes actually say, with citations you can check yourself.
Pennsylvania requires 5 years from the last dental entry
The Pennsylvania Code is direct: "A patient dental record shall be retained by a dentist for a minimum of 5 years from the date of the last dental entry." The same section requires that copies be furnished within 30 days of a written request — and explicitly regardless of any unpaid balance, so records cannot be withheld over a bill. Five years is the shortest requirement across the three states we serve, which matters if you operate a group spanning state lines: a single retention policy has to satisfy the strictest state, not the nearest one.
49 Pa. Code § 33.209(b)
The 7-business-day deadline is not yours
Pennsylvania’s breach law does contain a seven-business-day notification deadline, and it is probably the single most misquoted rule in PA practice-compliance content. It applies to State agencies, and to counties, public schools and municipalities. A private dental practice is subject to neither provision. Your deadline is "without unreasonable delay" — no fixed day count — and if you comply with your primary functional federal regulator’s requirements, HIPAA deemed compliance applies.
Breach of Personal Information Notification Act, Act 94 of 2005, 73 P.S. §§ 2301–2329
Act 33 of 2024 narrowed what counts as medical information
The 2024 amendment lowered the credit reporting agency threshold from 1,000 residents to 500, added Attorney General notice for breaches affecting more than 500 residents, and requires 12 months of credit monitoring when Social Security numbers, bank accounts, or driver’s license numbers are exposed. It also narrowed the definition of "medical information" to information held by a State agency or State agency contractor — meaning a private practice’s clinical records now fall outside PA’s "personal information" definition. Your clinical data is governed by HIPAA here, not by the state statute. The administrative data you hold — payroll, payment cards, staff records — is a different question worth raising with counsel.
Act 33 of 2024 (S.B. 824), effective Sept. 26, 2024; Act 151 of 2022, effective May 2, 2023
Regulatory summaries are provided for general information and were verified against primary sources at the time of writing. They are not legal advice — confirm your practice's obligations with your own counsel.
Where We Work In Pennsylvania
Dental IT Services For Pennsylvania Practices
Common Questions From Pennsylvania Practices
Ready To Fix Dental IT In Pennsylvania?
Get a clear read on your network, imaging, backups, and HIPAA safeguards from engineers who work on dental practices and nothing else.
Schedule Your Free IT Assessment
