Instructions for the Dental Practice

A patient has a legal right to access their health record under HIPAA and state law. The 21^st Century Cures Act information blocking rule prohibits, with few exceptions, all healthcare providers, irrespective of their status as HIPAA-covered entities, from encumbering a patient’s access to their electronic health information. A patient or patient representative may use this form to request access to the record or to request a copy of the record to send to another person or entity. An oral, handwritten, faxed, or emailed request from the patient or patient representative may be honored. The dental practice may seek clarification from the requestor on the scope of the record to be duplicated. The dental practice may not require the requestor to use a form in order to access electronic patient health information. The dental practice must verify that the request is from the patient or patient representative.

Prior to having a patient or patient representative complete the Patient Request to Access Records form, be sure to:

1. Fill in the text fields highlighted in gray.
2. If requiring a written request for access to non-electronic patient health information, ensure the practice’s Notice of Privacy Practices states that requirement.
3. If charging a fee to duplicate records or to prepare a summary, create a separate document that lists the fees. Review the information below on allowable charges.
4. Review the Q&As to understand the dental practice’s obligations in complying with a patient’s request for access. The Q&As include compliance information for non-HIPAA-covered entities.

Time Allowed To Complete Request

The California timeline is shorter than the HIPAA timeline, so all dental practices must comply with the state timeline:

• Inspection: This must take place within five working days of receiving the request. A staff member shall be with the patient while the records are viewed, and the patient is allowed to be accompanied by only one other individual while viewing the records.
• Copy, paper, and electronic: Must be provided within 15 calendar days of receiving the request.
• Summary: Must be provided within 10 working days of receiving a written request. If records are voluminous and the office notifies the requestor that more time is needed, then the summary must be provided within 30 days of receiving the request.

Prohibitions

A dental practice may not require as a condition of providing access:

• Payment of an outstanding bill.
• The physical presence of the patient.
• That the patient uses a web portal.
• Any action that may cause an unreasonable delay in providing access.

HIPAA Compliance

HIPAA-covered entities must retain each written access request for six years. All health care providers should keep some record of a patient’s access to records. It can be kept in the patient record or with other patients’ requests for access. HIPAA-covered entities also are required to maintain a log of record-access requests and responses to those requests.

Questions and Answers

What does “right to access record” mean?

It means a health care provider must:

• Allow a patient to inspect their record.
• Provide a copy or summary of the record if requested by the patient.
• Transmit a copy of the record to a person or entity of the patient’s choosing. Requests for this type of access must be written.

Can a dental practice deny a patient access to their record?

A HIPAA-covered entity may deny an individual access in limited circumstances. If a request for access is denied, the practice must notify the requestor in writing. The individual has the right in some circumstances to have the denial reviewed by another health care provider for another opinion. Certain protected information related to mental and reproductive health and drug and alcohol treatment requires specific authorization from the patient. Refer to the dental practice’s HIPAA policies and procedures for more information on the limited circumstances for which a covered entity may deny access.

Examples of grounds for denying access:

• The health care provider believes access may cause harm to the patient or another individual.
• The information is not part of the designated record set.
• The request is for psychotherapy notes.
• The requestor is an inmate; an inmate may view his or her information but is not permitted a copy.
• The requested information is part of a research study still in progress.

Review “Information Blocking Rule Q&A” to learn about actions that are not considered information blocking when a patient wants access to their electronic health information.

Must the access request be in writing?

State law requires that health care providers comply with written requests for access, but does not expressly require only written requests. Although health care providers may require that a request be written and that its own form be used, they may not do so when the patient is requesting access to their electronic health information. The requirement to use a written access request must be noted in the covered entity’s Notice of Privacy Practices. A covered entity may offer electronic options for making the request (for example, a web portal or email) but it cannot require the use of those options. Any requirement to use a covered entity’s form may not create a barrier or unreasonably delay a patient from obtaining access.

What is considered to be the patient’s record?

HIPAA gives a patient the right to review or obtain a copy of their information maintained in a covered entity’s “designated record set.” The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about an individual or that is an entity’s billing and payment records for that individual. The designated record set may include information generated by other health care providers that are maintained by the covered entity.

The record includes images, impressions, and models if they have been used to make decisions about an individual’s treatment.

What may I charge?

The Department of Health and Human Services (HHS) clarified its regulations in guidance issued in March 2016. The guidance made clear that the fee for patient access may include only the cost of:

1. Labor to make the requested copy, whether in paper or electronic form.
2. Supplies such as paper or portable electronic media.
3. Postage when the patient requests that the copy or summary be mailed.
4. Preparation of an explanation or summary of the record if requested by the patient.

A covered entity may either calculate actual labor costs to fulfill a request or develop a fee schedule based on average labor costs to fulfill a request. 

The fee may not include costs associated with verification of the request, documentation, searching for and retrieving the record, maintaining systems, recouping capital for data access, storage or infrastructure, or anything not included in the above paragraph.

A covered entity may charge a flat fee for standard requests for electronic copies of electronic records, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and postage. This is an option for a covered entity that does not want to calculate or average labor costs to determine a fee for producing an electronic copy. A per-page fee may not be charged for records maintained electronically.

The fee for providing a summary must be agreed to by the patient in advance of producing the summary.

If a dental practice collects fees, it must inform patients in advance of fulfilling an access request. A dental practice should prepare a document listing the fees and provide it to the patient with the Patient Request To Access Records form.

Fee limits imposed by HIPAA do not apply to third parties that have a patient’s authorization to obtain a copy of patient records. Nor do the fee limits apply to written requests by the patient to forward a copy of their record to a third party. Attorney requests for records pursuant to California Evidence Code §1158 have fee limits.

If a patient requires a copy of a portion of his or her record to support an appeal regarding eligibility for a public benefit program, such as Medi-Cal, the copy shall be provided by the dental office at no charge. The patient is entitled to no more than one copy free of charge but may not be limited in the number of requests for copies.

Dental practices that are not HIPAA-covered entities must follow the state’s rules and may charge a patient no more than:

• Twenty-five cents per page for copying paper documents.
• Fifty cents per page from microfilm.
• Actual cost for duplicating X-rays, photos, models, impressions, etc.
• Actual postage cost.

In addition, such a dental practice may charge a fee based on reasonable clerical costs incurred in locating and making the records available for inspection.

What are acceptable methods of verifying that the access request is from a patient or patient’s representative?

All dental practices must take reasonable steps to verify the identity of the person making the request for access. There is no required method of verification. A patient may not be required to be present to make an access request. Methods of verifying identity include:

• Checking identification of individual making the request in person.
• The emailed request was sent from the same address listed in the patient’s record.
• Patient’s signature and information on a written request match that in the record.
• Legal documents.

What is a personal representative?

A personal representative is a person who, under the authority of state law, can make health care decisions for an individual or is a deceased individual’s legal representative. A personal representative also has the right to access a patient’s record. Examples of personal representatives are:

• A parent or legal guardian of a minor patient.
• Social workers act within the scope of their job with regard to a minor or dependent patient.
• Deceased patient’s beneficiary or executor of the estate.

What do I tell the patient who thinks their records (or X-rays) belong to them?

The information and images in a patient record are the work product of the dental practice. HIPAA and state law allows a patient to have access to the information in the record and require a patient’s authorization prior to a health care provider using or disclosing the information for purposes other than treatment, payment for treatment, and the provider’s business operations. The law does not recognize patient ownership of the information.

May a minor patient have access to their record?

A minor has no right to access their record unless they are (1) emancipated or (2) have a parent or guardian’s authorization. A parent has no right to access the records of an emancipated minor. An emancipated minor is an individual under 18 years old and is either (a) married or divorced; (b) is on active duty with the U.S. armed forces or (c) received a declaration of emancipation from the court.

The patient is requesting an electronic copy, but I keep paper records. Am I required to provide an electronic copy?

If the dental practice is a HIPAA-covered entity, the answer is yes. In its March 2016 guidance, HHS clarified several issues related to the form and format of copies. Generally speaking, a covered entity must comply with a patient’s request for a specific form and format unless it is not readily producible. Examples of form and format are:

• Paper
• Film
• Electronic/PDF
• Electronic/JPG
• Electronic/DICOM or .dcm

If the form and format requested by the patient are not readily producible by the covered entity, both parties should agree on an acceptable format.

A dental practice that is not a HIPAA-covered entity is not required to provide electronic copies if it maintains paper records.

We always use a secure method to send patient information electronically. A patient is requesting that we send their information to them via unencrypted email. What do we need to do to comply with the patient’s request?

A dental practice must (1) advise the patient of the risks of unsecure electronic transmission of information and (2) the patient must consent to the unsecure electronic transmission of information before the dental practice can send the information via unencrypted email. The language to do so is included in the sample form.

I want to transmit a patient’s information to a specialty dentist via unencrypted email — do I need to get the patient’s authorization to do so?

HIPAA allows a covered entity to share patient information with another covered entity without the patient’s authorization if the purpose of sharing the information is the patient’s treatment. HIPAA requires this information sharing to be done securely unless the patient has consented to the unsecure communications after the dental practice has advised the patient of the risks associated with unsecure electronic transmission.

This table, copied from the HHS guidance, describes the differences between a HIPAA authorization and a patient’s right of access.

HIPAA Authorization	Right of Access
Permits, but does not require, a covered entity to disclose personal health information (PHI) (except when authorization is combined with a legal order to provide information and then the covered entity must disclose the information).	Requires a covered entity to disclose PHI, except where an exception applies.
Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.	Must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI
No timeliness requirement for disclosing the PHI reasonable safeguards apply (e.g., PHI must be sent securely).	A covered entity must act on the request no later than 30 days (California requires a shorter timeline) after the request is received.
Reasonable safeguards apply (e.g., PHI must be sent securely).	Reasonable safeguards apply, including a requirement to end securely; however, individuals can request transmission by an unsecure medium.
No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration.	Fees are limited as provided in 45 CFR 164.524(c)(4).

The patient is requesting an electronic copy be sent to their new dentist via unencrypted email — may I do that?

If the dental practice is a HIPAA-covered entity, the answer is yes. HHS, in the March 2016 guidance, states the patient’s right to receive information via unsecured electronic communication extends to sending it to a third party at the patient’s request. HHS further states:

“… if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required. Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.”

The patient requests that I mail a copy to an individual. May I ask the patient to pick up the copy instead?

No, you may not. Such a request may be viewed as a barrier to the patient’s right to access the record.

A new patient has requested a copy of his records from his former dentist but the dentist is refusing to provide them. What can the patient do?

Suggest that the patient submits to the other practice a written request for records plus a copy of the CDA Oral Health Fact Sheet on Patient Records or, if it is not a California practice, the HHS March 2016 guideline (see Resources section below for the web links). If the other practice does not comply with the request, the patient can file a written complaint with the Dental Board and with the Department of Health and Human Services.

Who else may have a patient’s information and under what circumstances?

Review the article “Uses and Disclosures of Patient Information." Requests from others for patient information for purposes not permitted without patient authorization by HIPAA or the California Confidentiality of Medical Information Act (CMIA) (California Civil Code section 56 et seq.) must be submitted on a valid authorization form that meets CMIA and HIPAA requirements. Situations for which a dental practice may want to use the “Consent Form for Use and Disclosure” are:

• To obtain an adult child’s consent to share information as often as needed over a period of time with the parents who are the payers (refer to the table comparing authorization and right of access).
• To market products or services to a patient.
• To participate in research.

Resources

Individuals’ Right Under HIPAA to Access Their Health Information 45 CFR § 164.524, U.S. Department of Health and Human Services March 2016 –hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Patient Access to Records, California Health & Safety Code section 123100 et seq. –leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=HSC&division=106.&title=&part=1.&chapter=1.&article=

California Confidentiality of Medical Information Act, California Civil Code section 56 et seq. –leginfo.legislature.ca.gov/faces/codes_displayexpandedbranch.xhtml?tocCode=CIV&division=1.&title=&part=2.6.&chapter=&article=  

CDA Oral Health Fact Sheet – Patient Records –cda.org/Portals/0/pdfs/fact_sheets/patient_records_english.pdf