Advanced search
Publication Cover
Journal of the California Dental Association Volume 51, 2023 - Issue 1
Submit an article Journal homepage
334
Views
0
CrossRef citations to date
0
Altmetric
Regulatory Compliance Guidance

Patient Records Access

CDA Practice Support
Article: 2221828 | Published online: 09 Jun 2023
This article is part of the following collections:
Hand Pain: A Dental School Survey and Other Topics

The ability to view or to obtain a copy of their health information is an indisputable patient right. This right is enshrined in both state law and federal Health Insurance Portability and Accountability Act (HIPAA). Dentists and their staff should take the time to understand their obligations in providing a patient with access to their records. A dental practice’s failure to provide requested records is one of the most frequent complaints to the Dental Board of California.Footnote1 Violations of this right have been an enforcement priority in recent years for the Department of Health and Human Services Office for Civil Rights (OCR). Between September 2019 through December 2022, OCR reached 42 settlement agreements or assessed civil money penalties with HIPAA covered entities over potential violations of patient access rights. Of those 42, five were dental practices. Dental practices paid amounts from $5,000 to $80,000 to settle their respective cases.Footnote2

OCR publishes case resolutions online. In its investigations, OCR found the dental practices failed to provide timely access and one dental practice charged a copying fee that was not reasonable, or cost based. In addition to paying an amount, the settlement agreements required dental practices to revise their policies and procedures to follow the law, to provide and document relevant training to staff and to be monitored for compliance for an established period.

Some of the justifications dental practices use for not providing a patient with access to their records are not permitted by law:

  • The patient account is not paid.

  • The patient received free X-rays in a promotion, refused treatment and is required to pay the cost of X-rays in order to obtain a copy.

  • The patient is required to be present at the practice to make the request. Although a dental practice is required to verify the identity of the individual making an access request, the verification method should not be so unreasonable as to delay access.

If patient information can be accessed through use of a healthcare provider’s web portal, the information blocking rule of the 21st Century Cures Act prohibits the provider from preventing a patient’s access to their information via the portal.Footnote3

HIPAA dictates that patients are entitled to access (view or obtain a copy) information in their “designated record set.” A designated record set includes information related to treatment and payment for that treatment. This includes all images and notes. It does not include psychotherapy notes, information compiled for legal proceedings, certain laboratory results and information held by certain research laboratories. Both state and federal laws permit a healthcare provider to deny an individual access if granting access could cause harm to the individual or another. Following is a combined summary of state requirementsFootnote4 and HIPAA.Footnote5

Time Frame for Providing Access

Although HIPAA currently requires covered entities to provide access within 30 days of receiving a request, California law requires healthcare providers to permit the viewing of records within five business days and to provide a copy within 15 calendar days. Dental practices must comply with the shorter time frame.

Written Access Request

Neither state or federal law require a patient to submit an access request in writing. A dental practice may require an individual submit access request in written form as long as the covered entity includes this requirement in their Notice of Privacy Practices and the requirement does not unreasonably delay patient’s access to their information.

Form and Format of the Copy

HIPAA and state law require a healthcare provider to provide a copy of the records in the form and format requested by the individual if it is readily producible in the specified form and format. If not readily producible, a copy should be provided in a readable hard copy form or in another form and format agreed to by both the individual and covered entity. Not knowing how to copy a certain type of digital image, such as a 3-D image, is not an acceptable reason for denying a patient a copy. The appropriate dental practice staff should know how to transfer or export those images to a format that a patient can view.

Fees for Access

A dental practice may charge a reasonable fee based upon the actual time and cost involved in preparing a copy. HIPAA does not permit charging for the time spent locating records. A practice may charge for material cost (for example, paper or a flash drive) and postage if the copy is mailed. An estimate of cost should be provided to the patient in advance of making the copy.

CDA has a resource to assist California dentists with compliance, Patient Request to Access Records (Records Release) Form and Q&A. An oral health fact sheet, Patient Records, instructs patients on their rights and is also available on the CDA website.

###

Notes

1. Presentation by Roy Bionien, acting chief, enforcement, Dental Board of California, at CDA Presents San Francisco, Sept. 9, 2022.

2. U.S. Department of Health and Human Services, Resolution Agreements, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.

3. HealthIT.gov, Information Blocking, https://www.healthit.gov/topic/information-blocking

Download PDF

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.