Patient Request to Access Records (Records Release) Form and Q&A

June 26, 2019

Instructions for the Dental Practice

A patient has a legal right to access his or her health record under HIPAA and state law. A patient or patient representative may use this form to request access to the record or to request a copy of the record for another person or entity. An oral, handwritten, faxed or emailed request from the patient or patient representative may be honored, although the dental practice may require the use of its form or seek clarification from the requestor on the scope of the record to be duplicated. The dental practice must verify that the request is from the patient or patient representative.

Prior to having a patient or patient representative complete the Patient Request to Access Records form, be sure to:

  1. Fill in the text fields highlighted in gray.
  2. If requiring a written request for access, ensure the practice’s Notice of Privacy Practices states that requirement.
  3. If charging a fee to duplicate records or to prepare a summary, create a separate document that lists the fees. Review the information below on allowable charges.
  4. Review the Q&As to understand the dental practice’s obligations in complying with a patient’s request for access. The Q&As include compliance information for non-HIPAA covered entities.

Time Allowed To Complete Request

The California timeline is shorter than the HIPAA timeline, so all dental practices must comply with the state timeline:

  • Inspection: Must take place within five working days of receiving request. A staff member shall be with the patient while the records are viewed, and the patient is allowed to be accompanied by only one other individual while viewing the records.
  • Copy, paper and electronic: Must be provided within 15 calendar days of receiving request.
  • Summary: Must be provided within 10 working days of receiving written request. If records are voluminous and the office notifies the requestor that more time is needed, then the summary must be provided within 30 days of receiving request.

Prohibitions

A dental practice may not require as a condition of providing access:

  • Payment of an outstanding bill.
  • The physical presence of the patient.
  • That the patient uses a web portal.
  • Any action that may cause an unreasonable delay in providing access.

HIPAA Compliance

HIPAA-covered entities must retain each access request for six years. It can be kept in the patient record or with other patients’ requests for access. HIPAA-covered entities also are required to maintain a log of record-access requests and responses to those requests.

Questions and Answers

What does “right to access record” mean?

It means a health care provider must:

  • Allow a patient to inspect his or her record.
  • Provide a copy or summary of the record if requested by the patient.
  • Transmit a copy of the record to a person or entity of the patient’s choosing. Requests for this type of access must be written.

Can a dental practice deny a patient access to his or her record?

A HIPAA-covered entity may deny an individual access in limited circumstances. If a request for access is denied, the practice must notify the requestor in writing. The individual has the right in some circumstances to have the denial reviewed by another health care provider for another opinion. Certain protected information related to mental and reproductive health and drug and alcohol treatment requires specific authorization from the patient. Refer to the dental practice’s HIPAA policies and procedures for more information on the limited circumstances for which a covered entity may deny access.

Examples of grounds for denying access:

  • The covered entity believes access may cause harm to the individual or another person.
  • The information is not part of the designated record set.
  • The request is for psychotherapy notes.
  • The requestor is an inmate; an inmate may view his or her information but is not permitted a copy.
  • The requested information is part of a research study still in progress.

Must the access request be in writing?

State law requires that health care providers comply with written requests for access, but does not expressly require only written requests. A HIPAA-covered entity may require that a request be written and that its own form be used. The requirement to use a written access request must be noted in the covered entity’s Notice of Privacy Practices. A covered entity may offer electronic options for making the request (for example, a web portal or email) but it cannot require the use of those options. Any requirement to use a covered entity’s form may not create a barrier or unreasonably delay a patient from obtaining access.

What is considered to be the patient’s record?

HIPAA gives a patient the right to review or obtain a copy of his or her information maintained in a covered entity’s “designated record set.” The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about an individual or that is an entity’s billing and payment records for that individual. The designated record set may include information generated by other health care providers that is maintained by the covered entity.

The record includes images, impressions and models if they have been used to make decisions about an individual’s treatment.

What may I charge?

The Department of Health and Human Services (HHS) clarified its regulations in a guidance issued March 2016. The guidance made clear that the fee for access may include only the cost of:

  1. Labor to make the requested copy, whether in paper or electronic form.
  2. Supplies such as paper or portable electronic media.
  3. Postage when the patient requests that the copy or summary be mailed.
  4. Preparation of an explanation or summary of the record if requested by the patient.

A covered entity may either calculate actual labor costs to fulfill a request or develop a fee schedule based on average labor costs to fulfill a request. 

The fee may not include costs associated with verification of the request, documentation, searching for and retrieving the record, maintaining systems, recouping capital for data access, storage or infrastructure, or anything not included in the above paragraph. A per-page fee may not be charged for records maintained electronically. If a dental practice collects fees, it should prepare a document listing the fees and provide it to the patient with the Patient Request To Access Records form.

A covered entity may charge a flat fee for standard requests for electronic copies of electronic records, provided the fee does not exceed $6.50, inclusive of all labor, supplies and postage.

The fee for providing a summary must be agreed to by the patient in advance.

If a patient requires a copy of a portion of his or her record to support an appeal regarding eligibility for a public benefit program, such as Denti-Cal, the copy shall be provided by the dental office at no charge. The patient is entitled to no more than one copy free of charge, but may not be limited in the number of requests for copies.

Dental practices that are not HIPAA-covered entities must follow the state’s rules and may charge no more than:

  • Twenty-five cents per page for copying paper documents.
  • Fifty cents per page from microfilm.
  • Actual cost for duplicating X-rays, photos, models, impressions, etc.
  • Actual postage cost.

In addition, such a dental practice may charge a fee based on reasonable clerical costs incurred in locating and making the records available for inspection.

What are acceptable methods of verifying that the access request is from a patient or patient’s representative?

All dental practices must take reasonable steps to verify the identity of the person making the request for access. There is not a required method of verification. A patient may not be required to be present to make an access request. Methods of verifying identity include:

  • Checking the identification of an individual making the request in person.
  • Confirming that an emailed request was sent from the same address as the one collected from the patient at the first appointment.
  • Confirming that the signature and information on a written request match those in the record.
  • Reviewing legal documents.

What is a personal representative?

A personal representative is a person who, under the authority of state law, can make health care decisions for an individual or is a deceased individual’s legal representative. A personal representative also has the right to access a patient’s record. Examples of personal representatives are:

  • Parent or legal guardian of a minor patient.
  • Social worker acting within the scope of his or her job with regard to a minor or dependent patient.
  • Deceased patient’s beneficiary or executor of the estate.

What do I tell the patient who thinks his records (or X-rays) belong to him?

The information and images in a patient record are the work product of the dental practice. HIPAA and state law allow a patient to have access to the information in the record and require a patient’s authorization prior to a health care provider using or disclosing the information for purposes other than treatment, payment for treatment and the provider’s business operations. The law does not recognize patient ownership of the information.

May a minor patient have access to his or her record?

A minor has no right to access their record unless they (1) are emancipated or (2) have a parent or guardian’s authorization. A parent has no right to access the records of an emancipated minor. An emancipated minor is an individual under 18 years old who (a) is married or divorced, (b) is on active duty with the U.S. armed forces or (c) has received a declaration of emancipation from the court.

The patient is requesting an electronic copy, but I keep paper records. Am I required to provide an electronic copy?

If the dental practice is a HIPAA-covered entity, the answer is yes. In its March 2016 guidance, HHS clarified several issues related to the form and format of copies. Generally speaking, a covered entity must comply with a patient’s request for a specific form and format unless it is not readily producible. Examples of form and format are:

  • Paper
  • Film
  • Electronic/PDF
  • Electronic/JPG
  • Electronic/DICOM or .dcm

If the form and format requested by the patient is not readily producible by the covered entity, both parties should agree on an acceptable format.

A dental practice that is not a HIPAA-covered entity is not required to provide electronic copies.

We always use a secure method to send patient information electronically. A patient is requesting that we send his information to him via unencrypted email. What do we need to do to comply with the patient’s request?

Before the dental practice can send the information via unencrypted email, (1) the dental practice must advise the patient of the risks of unsecure electronic transmission of information and (2) the patient must consent to the unsecure electronic transmission of information. Language to do so is included on the sample form.

I want to transmit a patient’s information to a specialty dentist via unencrypted email — do I need to get the patient’s authorization to do so?

HIPAA allows a covered entity to share patient information with another covered entity without the patient’s authorization if the purpose of sharing the information is the patient’s treatment. HIPAA requires this information sharing be done securely, unless the patient has consented to the unsecure communications after the dental practice has advised the patient of the risks associated with unsecure electronic transmission. The patient would need to make a request to access records and direct you to send the information to the specialist via unencrypted email.

This table, copied from the HHS guidance, describes the differences between a HIPAA authorization and a patient’s right of access.

| HIPAA Authorization | Right of Access |
| --- | --- |
| Permits, but does not require, a covered entity to disclose personal health information (PHI) (except when authorization is combined with a legal order to provide information and then the covered entity must disclose the information). | Requires a covered entity to disclose PHI, except where an exception applies. |
| Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization. | Must be in writing, signed by the individual and clearly identify the designated person and where to send the PHI. |
| No timeliness requirement for disclosing the PHI. | Covered entity must act on request no later than 30 days (California requires shorter timeline) after the request is received. |
| Reasonable safeguards apply (e.g., PHI must be sent securely). | Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium. |
| No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration. | Fees limited as provided in 45 CFR 164.524(c)(4). |

The patient is requesting an electronic copy be sent to her new dentist via unencrypted email — may I do that?

If the dental practice is a HIPAA-covered entity, the answer is yes. HHS, in the March 2016 guidance, states the patient’s right to receive information via unsecured electronic communication extends to sending it to a third party at the patient’s request. HHS further states:

“… if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.”

The patient requests that I mail the copy to an individual. May I ask the patient to pick up the copy instead?

No, you may not. Such a request may be viewed as a barrier to the patient’s right to access the record.

A new patient has requested a copy of his records from his former dentist but the dentist is refusing to provide them. What can the patient do?

Suggest that the patient submit to the other practice a written request for records plus a copy of the CDA Oral Health Fact Sheet on Patient Records or, if it is not a California practice, the HHS March 2016 guideline (see Resources section below for the web links). If the other practice does not comply with the request, the patient can file a written complaint with the Dental Board and with the Department of Health and Human Services.

Who else may have a patient’s information and under what circumstances?

Review the article “Uses and Disclosures of Patient Information.” Requests from others for patient information for purposes not permitted without patient authorization by HIPAA or the California Confidentiality of Medical Information Act (CMIA) (California Civil Code section 56 et seq.) must be submitted on a valid authorization form that meets CMIA and HIPAA requirements. Situations for which a dental practice may want to use the “Consent Form for Use and Disclosure” are:

  • To obtain an adult child’s consent to share information as often as needed over a period of time with the parents who are the payers (refer to the table comparing authorization and right of access).
  • To market products or services to a patient.
  • To participate in research.