Both state and federal law regulate the management of patient records and the information contained therein. Federal laws include the Health Insurance Portability and Accountability Act (HIPAA), its amendments brought about by the Health Information Technology for Clinical Health (HITECH) Act of 2009 and the 21st Century Cures Act information blocking rule. California laws include the Dental Practice Act as well as the Confidentiality of Medical Information Act (CMIA), which subject California health care providers who are not HIPAA-covered entities to HIPAA-like requirements with respect to the privacy and security of patient information. Other state laws address patient access to health records, security breach notification requirements, and the use of health information for marketing purposes. Information and resources for complying with HIPAA and HITECH are available through this website and The ADA Practical Guide to HIPAA Compliance.
The state Dental Practice Act has specific requirements on treatment entries in the patient chart:
The state further requires that if only electronic record-keeping systems are utilized in the dental office, the office must use an off-site backup storage system, an imaging machine that is able to copy signature documents, and a mechanism to ensure that a record is unalterable once it is entered in the system. The dentist must develop and implement policies and procedures to include safeguards for confidentiality and unauthorized access to electronically stored records, authentication by electronic signature keys, and systems maintenance. The electronic health record system must automatically record and preserve any change or deletion of electronically-stored health information and include, among other things, the identity of the person who accessed and changed the information and details of the change that was made to the information. Original hard copies of patient records may be destroyed once the record has been electronically stored. The printout of the computerized version shall be considered the original.
Liability insurance companies and professional standards of practice dictate best practices to follow for determining what information should be kept in a patient record. The use of subjective, objective, assessment and plan (SOAP) notes is highly recommended.
The CDA-endorsed professional liability insurance company, The Dentists Insurance Company (TDIC), recommends that complete records include:
If using paper charts, the outside cover of a chart should display only the patient's name and/or account number. A color-coded system is recommended if clinical staff think it necessary to have a method to alert them to a patient's health status that will affect dental treatment. For example, a colored sticker on the outside front of the folder can prompt the dentist or hygienist to look more closely at a patient's chart. Do not use any system in a way that may be construed as discriminatory to a class of patients.
“Patient Request to Access Records (Records Release) Form and Q&A” is found elsewhere on this website. The sample form can be adapted by a dental practice. The Q&A reviews the rules on:
HIPAA provides patients with the right to restrict the provision of treatment information to a health or dental plan under certain conditions. For information see “Patient Request to Restrict Disclosure of Patient Health Information to a Dental Benefit or Health Care Plan” on this website.
Both HIPAA and state law provide patients the right to request amendments to their records. However, the laws differ in how a health care provider can respond to such a request. Ideally, a discussion with the patient regarding an amendment should be done prior to the initiation of the amendment process. Once a written request for amendment is submitted, the dentist must respond.
California law simply allows a patient to add a statement to the record. A patient amendment can be no longer than 250 words for each item that is believed to be incomplete or inaccurate. The health care provider must include a patient amendment in the record. Except for an emancipated minor, a minor patient does not have the right to amend their record.
Under HIPAA, a patient submits a request to the covered entity to amend the record. The health care provider can require a written request be submitted and that the patient provide a reason for the amendment. The provider should respond within 60 days of receiving the request but may have another 30 days if an extension is requested in advance from the patient.
When the patient's request is granted, the patient should be notified in writing. Make the amendment to the record without destroying previously entered information. Add notations regarding the date of the amendment and the rationale. Provide amended information to entities identified by the patient and others that the provider knows to have a legitimate need for the information.
A provider can deny a patient's request only under these circumstances:
When the patient's request is denied, the patient should be notified of the decision in writing. Include in the notification the reason for denial and an explanation of the patient's right to submit a written statement regarding the provider's denial. The patient also must be informed of other rights, including the right to file a complaint with the U.S. Department of Health and Human Services.
Under both federal and state law, information may not be removed from a patient's record under any circumstance. Corrections can be done using single-line strikeouts with the date of the correction noted. Do not use opaque correction fluid or tape. It should be clear that there was no attempt to hide information.
A dentist who has been contracted by the estate or trust of a dentist who has died or become incapacitated shall obtain a form signed by the deceased or incapacitated dentist's patient, or the patient's legal guardian, that releases the patient's dental records to the contracting dentist or dentists prior to use of those records. (B&P 1625.4)
Although the HIPAA Privacy Rule allows the use and transfer of patient information to relevant parties that need the information for health care operations, such as a practice sale or merger, state law does not include the same provision. In the transfer, sale, merger, or consolidation of a dental practice, the practice owner should obtain written patient authorization prior to allowing a potential new owner or partner to view patient information or else produce de-identified information for their review. The absent provision in state law also means that a new practice owner should stay on the safe side of the state’s privacy laws and obtain written patient authorization before using a patient record. If a patient sets an appointment to be seen by the new owner, this is viewed as an implied authorization that allows the dentist to view the record before the patient presents. Patient authorization to view records must be separate from the acknowledgment of the office’s Notice of Privacy Practices. The authorization form can be mailed to patients together with the selling dentist’s notification of transferring practice ownership.
In the transfer, sale, merger, or consolidation of a dental practice, the new owner may agree to have custody of some or all of the patient records (the alternative is that the former owner retains these records). The original owner of the practice should be sure to address two things. First, the responsibility and liability for proper storage and disposal of records should be transferred to the new practice owner. This can be accomplished with the use of a HIPAA business associate agreement. Second, ensure continued access to those records for an indefinite period for the purpose of responding to any litigation. The original owner is entitled to access only the information generated when they were the practice owner. As the custodian of records, the new owner is legally responsible for ensuring the contents are secure and, if the records are to be destroyed, ensuring the contents are unreadable.
For additional information on practice transitions and electronic health record systems, see “Practice Transitions: Patient Records Best Practices” on this website.
“Uses and Disclosures of Patient Health Information” is a resource found elsewhere on this website. The article summarizes the permissible uses and disclosures of PHI under both federal and state laws and identifies scenarios where patient consent is required. A separate resource, “Consent Form for Use or Disclosure of Patient Health Information,” is a sample form that can be used to obtain a patient’s consent for uses or disclosures that require their consent.
Unless prohibited by the employment agreement, a dentist who is a former associate in a dental practice may notify their patients of a new practice location. The dentist may not further use the contact information to solicit the patients or otherwise use patient health information from that dental practice without first obtaining written authorization from the patient.
Patients seen by an associate dentist are considered patients of the practice that employs the associate dentist unless an agreement between the practice and the associate states otherwise. An associate dentist has no right to access patient information after leaving the practice.
The obligation of a licensed dental professional to disclose to appropriate agencies possible domestic abuse, criminal activity, and other legal violations involving patients is not hindered in any way by HIPAA or California law.
If an attorney at law or their representative presents a written authorization signed by an adult patient or the patient's legal representative, a parent or guardian of a minor, or the heir or personal representative of a deceased patient, a dentist shall promptly make all of the patient's records under their custody or control available for inspection and copying by the attorney or their representative. Copying of the records shall not be performed by the dental practice when the requesting attorney has employed a professional photocopier as their representative to obtain or review the records on their behalf.
If the records requested are maintained electronically and the requesting party requests an electronic copy, the dental practice shall provide the records in the electronic form and format requested, if readily producible. If not readily producible, the records shall be provided in a form and format agreed upon by the practice and the requesting party.
A dental practice must accept a signed and completed authorization form for the disclosure of health information if both of the following conditions are satisfied:
Per Evidence Code section 1158, you may seek reimbursement from the individual who provided the written authorization for copying costs (10 cents per page for standard size documents or actual costs for reproductions of oversized documents or X-ray film), clerical costs (maximum rate of $4 per quarter-hour), actual postal costs and retrieval costs. If a copying service is used, you may charge no more than $15 plus the cost of the service.
HIPAA limits the use of protected health information for marketing activities on behalf of a covered entity or a third party. With some exceptions, the law also prohibits the sale of protected health information without individual authorization. California law prohibits the solicitation of an individual's health information for direct marketing purposes unless the solicitor informs the individual of the intended uses of the information and obtains the individual's permission. Refer to the articles “Dental Practice Marketing and Advertising 101” and “HIPAA and California Health Information Privacy and Protection Laws Q&A.”
A patient has the right to receive an accounting of disclosures of personal health information by health care providers that are HIPAA-covered entities. The accounting must be provided within 60 days of the request, although the patient may grant, upon request and given reason for the delay, an extension of up to 30 days. No fee can be charged for the first disclosure accounting log in a 12-month period. If so stated in the dental office's Notice of Privacy Practices, a reasonable fee can be charged for subsequent disclosure accounting logs requested for the same 12-month period. The subsequent disclosure accounting log can be provided after the fee is paid. Disclosures for treatment, payment, or health care operations and disclosures authorized by the patient are not required to be included in the accounting log.
A patient's right to accounting may be suspended for one of two reasons: belief that the patient may be endangered (e.g., a domestic violence situation) or upon request by law enforcement.
The HITECH Act expanded disclosure accounting rules to include HIPAA business associates. In addition, covered entities that maintain electronic health records (EHRs) are now required to provide an accounting of more types of disclosures than covered entities that do not use EHRs. However, the Department of Health and Human Services has not yet adopted regulations implementing this law, so the specifics of the accounting log and the implementation date are unknown at this time.
Disclosure accounting logs, and the names and titles of the individuals in the dental practice responsible for receiving and processing requests for disclosure accountings, must be retained for six years. For more information on accounting of disclosures, refer to the website of the U.S. Health and Human Services. Your office policies and procedures should describe how you manage patient requests for an accounting of disclosures.
A health care provider is required to notify patients when an actual or suspected breach of personal health and/or financial information has occurred. For information, refer to “Data Breach Notification Requirements.”
State law does not define the period for which a dentist must maintain patient records after the patient discontinues treatment with the dentist. Records of unemancipated minors shall be kept at least one year after the minor has reached the age of 18, and in any case, not less than seven years. It is best for you to contact your professional liability carrier for its recommendation. Ideally, all dental records, active and inactive, should be maintained indefinitely. Records must be kept for seven years after a dental practice ceases operation.
Maintain all parts of the record, including radiographs and models. If onsite storage of the inactive patients' charts is not an option, store records offsite in a secured location. Another option is to store records electronically. A patient who has not returned for treatment within the last 24-36 months is inactive. Separate files of inactive adult patients from files of inactive minor patients, as of the last treatment date.
Records should be shredded or disposed of in a manner that makes personal information unreadable or indecipherable. The practice should have a written policy and procedure for the disposal of patient information, as required by HIPAA. Failing, whether by omission or negligence, to destroy patient records in a manner that preserves the confidentiality of personal information is a violation of the law. Persons injured because of a dentist's abandonment of patient records may bring an action in court against the licensee or partnership or corporation if applicable.
If hiring a records disposal company, it is recommended to choose one that specializes in destroying records by burning or shredding. Radiographs should be separated from the paper files and, because of the silver content on the film, disposed of through a silver recycler, hazardous waste vendor, or household hazardous waste program that accepts small business hazardous waste. A log should be kept of which records are destroyed and when. The log will assist you in identifying which records have been destroyed and which remain available in the event they are requested later.