HIPAA Resources

Practice Management Software Migration


Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

“We recently made the decision to change our practice management software. Our practice had been using the previous platform for about 10 years. We’ve completed the migration process and we’re now 100% on the new software. Are there any HIPAA requirements that apply to the old software that we need to be aware of?”

Thank you for your question and congratulations on the successful migration. Those have the potential to be a real headache! Let’s take a look at the HIPAA law to see how it applies to your situation.


We typically focus on privacy and security when talking about HIPAA, but in addition to the rules that address how to keep data confidential, HIPAA also sets standards for ensuring the availability and integrity of PHI. Let’s quickly define these terms. Confidentiality is ensuring that people who should not have access to data cannot get access to it. Availability is ensuring the people who should have access to data can get access when they need it. Integrity means the data is accurate and complete. Let’s view a migration of practice data from one practice management software to another through the lens of these three requirements.


To ensure nobody can gain unauthorized access to your PHI, make sure you:

  1. Properly dispose of or securely store any old hardware or data backups associated with the old software (45 CFR 164.310(d)(2)),
  2. Remove or disable any old remote access tools used by the previous vendor for support (45 CFR 164.308(a)(4)(ii)(C)).
  3. Check with your old software vendor to ensure they do not have any patient data stored on their systems and if they do, request they securely dispose of it (45 CFR164.504(e)(2)(ii)(J)).

Integrity is ensuring the data in your new system is the same as the data in the old system. In other words, you want to make sure the migration succeeded. There is always a risk of data corruption during a migration, so it requires careful planning and attention to detail to ensure that patient health information is transferred safely and accurately.  Make sure this planning, and the migration itself, are adequately documented to prove you ensured the data was transferred correctly. If you had the new software vendor or an IT provider migrate the data, ask them for a report on the migration and ensure there were no errors reported.


Availability in this scenario largely comes down to data retention. You need to ensure that after your migration you can still provide access to patient data for the necessary amount of time. States require medical records be retained for between five to ten years, and HIPAA requires you to retain records regarding your HIPAA compliance for six years. You'll also need to ensure that you have access to patient records previously managed by the old software, even if you're not actively using it anymore.

Finally, let's have a word about documentation. In the world of HIPAA compliance, thorough documentation is your best friend. Keep records of the migration process, any agreements or contracts with the old software provider, and steps taken to ensure the proper handling and disposal of PHI related data. These records will be very important if you find out that something went awry down the line.


In conclusion, while your new practice management software is your focus now, don't forget about the remnants of the past. HIPAA compliance remains a top priority, even when transitioning to new systems. Stay vigilant, stay organized, and continue to protect your patients' PHI with the utmost care. Your dedication to security and privacy will serve your practice and patients well in the long run.

Here's to a seamless and compliant future with your new software!

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.

This article is available for members of our online HIPAA community for dentists.

Explore and learn FREE for 60 days!
No credit card required.

Join Now!
Todd Baker

Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.

Content Tags

HIPAA education, compliance, and accountability created specifically for dental practices.

If you haven’t made HIPAA a priority yet, start today. Give us a little bit of your time and we’ll teach you about the HIPAA Law, why it exists, and how ‐if done right ‐you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.