Both state and federal law regulate the management of patient records and the information contained therein. Federal laws include the Health Insurance Portability and Accountability Act (HIPAA) and its amendments brought about by the Health Information Technology for Clinical Health (HITECH) Act of 2009. California laws include the Dental Practice Act as well as the Confidentiality of Medical Information Act (CMIA), which subject California health care providers who are not HIPAA covered entities to HIPAA-like requirements with respect to the privacy and security of patient information. Other state laws address patient access to health records, security breach notice requirements and use of health information for marketing purposes. Information and resources for complying with HIPAA and HITECH are available through The ADA Practical Guide to HIPAA Compliance: Privacy and Security.
The state Dental Practice Act has specific requirements on treatment entries in the patient chart:
The state further requires that if the dental office uses only electronic record-keeping systems, the office must use an offsite backup storage system, an image mechanism that is able to copy signature documents and a mechanism to ensure that once a record is input, it is unalterable. The dentist must develop and implement policies and procedures to include safeguards for confidentiality and unauthorized access to electronically stored records, authentication by electronic signature keys and systems maintenance. The electronic health record system must automatically record and preserve any change or deletion of electronically stored health information, and the record must include, among other things, the identity of the person who accessed and changed the information and the change that was made to the information. Original hard copies of patient records may be destroyed once the record has been electronically stored. The printout of the computerized version shall be considered the original.
Liability insurance companies and professional standards of practice dictate best practices to follow for determining what information should be kept in a patient record. The use of subjective, objective, assessment and plan (SOAP) notes is highly recommended.
The CDA-endorsed professional liability insurance company, The Dentists Insurance Company (TDIC), recommends complete records include:
The outside cover of a chart should display only the patient’s name and/or account number. A color-coded system is recommended if clinical staff think it necessary to have a method to alert them to a patient’s health status that will affect dental treatment. For example, a colored sticker on the outside front of the folder can prompt the dentist or hygienist to look more closely at a patient’s chart. Do not use any system in a way that may be construed as discriminatory to a class of patients.
A patient record includes X-rays, photographs and models, and can include any written or recorded information, even if it is nonclinical. HIPAA gives a patient the right to review or obtain a copy of his or her information maintained in a covered entity’s “designated record set.” The designated record set is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about an individual or that is an entity’s billing and payment records for that individual. The designated record set may include information generated by other health care providers that is maintained by the covered entity. Access to patient records (designated record set) may not be withheld because of an unpaid bill for health care services, nor may a health care provider require the requestor present at the facility. An access request from a patient or patient’s representative is not required by law to be in writing, but a health care provider may require it. If a verbal request for access is received, record the details of the request in the patient record.
Covered entities may deny an individual access in situations where access may cause harm to the individual or another. The individual has the right to have the denial reviewed by another health care provider for another opinion. Certain protected information related to mental and reproductive health and drug and alcohol treatment require specific authorization.
A patient or patient’s representative has the right to inspect the patient’s records. The inspection of the records should take place during business hours and within five (5) working days of receiving the request. It is advisable to have an office employee present in the room when the patient or patient’s representative inspects the record.
A patient or patient’s representative is entitled to receive a copy of the patient’s information as well as to direct the copy to another individual or entity. A dental practice must provide the copy within 15 calendar days of receiving the request for access. A sample form and detailed information on requirements to provide a patient with access to records can be found in the resource “Patient Request to Access Records (Records Release) Form and Q-and-A.” This is a summary of the information:
State law allows a health care provider the discretion to give a summary of the patient’s records to a patient requesting a copy of the record. However, a dental practice that is a HIPAA-covered entity may prepare a summary of the patient’s record only if the patient has approved the action in advance. Alternatively, if the patient record is large, the dentist can ask the patient to specify dates of records requested. The patient, however, may choose to have a copy of the entire record.
If the summary option is exercised, the summary of the record shall be made available to the patient within 10 working days from the date of the patient’s request. More time may be allowed to prepare the summary if the record is large, but the summary must be provided within 30 days of the request. The dentist may charge no more than a reasonable fee based on actual time and cost for the preparation of the summary. The patient must be informed of the charges in advance. If a summary is provided, the dentist may confer with the patient to determine why the patient wants the records. If the information required relates only to specific injuries, illnesses or episodes, the summary need only relate to those items.
If a patient requires a copy of a portion of his or her record to support an appeal regarding eligibility for a public benefit program, such as Denti-Cal, the copy shall be provided by the dental office at no charge.
The patient is entitled to no more than one copy free of charge, but may not be limited in the number of requests for copies.
A minor patient may not access his or her record unless (1) authorization from a parent or legal guardian has been obtained or (2) the minor is an emancipated minor. An emancipated minor is an individual under 18 years old who (a) is married or divorced; (b) is on active duty with the U.S. armed forces; or (c) has received a declaration of emancipation from the court.
Both HIPAA and state law provide patients the right to request amendments to their records. However, the laws differ in how a health care provider can respond to such a request. Ideally, a discussion with the patient regarding an amendment should be done prior to initiation of the amendment process. Once a written request for amendment is submitted, the dentist must respond.
California law simply allows a patient to add a statement to the record. A patient amendment can be no longer than 250 words for each item that is believed to be incomplete or inaccurate. The health care provider must include a patient amendment in the record. Except for an emancipated minor, a minor patient does not have the right to amend his or her record.
Under HIPAA, a patient submits a request to the covered entity to amend the record. The health care provider can require a written request be submitted and that the patient provide a reason for the amendment. The provider should respond within 60 days of receiving the request but may have another 30 days if an extension is requested in advance from the patient.
When the patient’s request is granted, notify the patient of the decision in writing. Make the amendment to the record without destroying previously entered information. Add notations regarding the date of the amendment and the rationale. Provide amended information to entities identified by the patient and others who the provider knows have legitimate need for the information.
A provider can deny a patient’s request only under these circumstances:
When the patient’s request is denied, notify the patient in writing of the decision. Include in the notification the reason for denial and an explanation of the patient’s right to submit a written statement regarding the provider’s denial. The patient also must be informed of other rights, including the right to file a complaint with the U.S. Department of Health and Human Services. For additional information, sample policies and forms refer to The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit.
Under both federal and state law, information may not be removed from a patient’s record under any circumstance. Corrections can be done using single-line strikeouts, and the date the correction was made should be noted. Do not use opaque correction fluid or tape. It should be clear that there is no attempt to hide information.
A dentist, who has been contracted by the estate or trust of a dentist who has died or become incapacitated, shall obtain a form signed by the deceased or incapacitated dentist’s patient, or the patient’s legal guardian, that releases the patient’s dental records to the contracting dentist or dentists prior to use of those records. (B&P 1625.4)
The authorization form to use or disclose patient information must meet state and HIPAA requirements. A sample form, “Consent Form for Use or Disclosure of Patient Health Information,” is available. Restricted and confidential health information with regard to pregnancy, HIV test results, sexually transmitted diseases, mental health and alcohol or drug abuse may not be provided to a requestor without specific consent from the patient.
A valid authorization form meets the requirements of California Civil Code section 56.11 and HIPAA. Elements of a valid authorization form include but are not limited to:
If, however, the patient is not the one requesting the information or records, whether the dental office can provide it depends on who the requestor is and why the request was made. If you decide that a requestor can have information, you are then responsible for applying HIPAA’s “minimum necessary” rule. The HITECH amendments to HIPAA established that “minimum necessary” is a limited data set that is adequate to accomplish the intended purpose of the information. A limited data set is a subset of patient health information from which the majority of identifiers (e.g. name, street address, telephone number, biometric identifiers, etc.) have been removed. A limited data set may include a town or city and ZIP code, and dates associated with an individual such as a birth date.
HIPAA and California law allow a dental practice to provide patient information, without patient authorization, to other health care professionals as long as the purpose of the information is to coordinate patient treatment. This purpose is excluded from the minimum necessary rule.
Although the HIPAA Privacy Rule allows the use and transfer of patient information to relevant parties who need that information for health care operations, which includes practice sales, state law does not include the same provision. In the transfer, sale, merger or consolidation of a dental practice, it is therefore prudent for the selling dentist to obtain written patient authorization prior to allowing a potential buyer or partner to view charts. The absent provision in state law also means that a new practice owner should stay on the safe side of the state’s privacy laws and obtain written patient authorization before using a patient record. If a patient sets an appointment to be seen by the new owner, this is viewed as an implied authorization that allows the dentist to view the record before the patient presents. Patient authorization must be separate from the acknowledgement of the office’s Notice of Privacy Practices. The authorization form can be mailed to patients together with the selling dentist’s notification of transferring practice ownership.
In the transfer, sale, merger or consolidation of a dental practice, the new owner may agree to have custody of the patient record (the alternative is that the former owner retains the records). As the custodian of records, the owner is legally responsible for ensuring the contents are secure and, if the records are to be destroyed, ensuring the contents are unreadable.
Employers, in general, do not have the right to access the information except in workers’ compensation cases or when necessary to carry out their responsibilities for workplace medical surveillance under Cal-OSHA or similar federal or state laws. Employers who self-insure may have limited access to patient information necessary to determine payment. Employer-sponsored dental benefit plans also have limited access to patient information necessary to determine payment and to conduct quality assessment audits.
If an individual other than the patient is responsible for paying the patient’s bill, disclosure of patient information is allowed as long as the disclosures are limited to the minimum amount of information necessary to obtain payment. In making such disclosures, health care providers also must honor any reasonable request for confidential communication and any agreed to restrictions on the use or disclosure of the patient’s protected health information.
The dental office’s Notice of Privacy Practices can state that if a patient designates another person as responsible for payment, the office will disclose the minimum amount of personal health information necessary to obtain payment from that person. If the patient objects to that disclosure, the office should inform the patient that he or she would have to choose between allowing the office to disclose information in order to obtain payment or paying for the services himself or herself. If a patient has paid the full cost of an item or service out of pocket and requests that the personal health information regarding the item or service not be disclosed to a health plan for purposes of payment or health care operations, the dental office must honor the patient’s request.
Absent a court order, a parent generally has a right to access the health record of his or her minor child irrespective of whether the parent has custody or financial responsibility. A dental practice may refuse to give access to a parent if it determines that providing access may harm the patient. A parent does not have a right to access the health record of an emancipated minor. An emancipated minor is an individual under 18 years old who (a) is married or divorced; (b) is on active duty with the U.S. armed forces; or (c) has received a declaration of emancipation from the court.
If a minor patient provides information to the dental practice with regard to his or her drug or alcohol abuse, pregnancy, sexual assault, infectious and communicable disease status, HIV/AIDS status, sexually transmitted disease or mental health, the practice may not release this information to a parent without the minor patient’s consent.
A dental practice may refuse to give access to a parent if it determines that providing access may harm the patient. The practice must comply with a court order that prohibits a parent from obtaining access to records. If a practice refuses a parent’s request for access to a child’s dental record, the reason should be documented.
Unless the employment agreement prohibits it, a dentist who is a former associate in a dental practice may notify the patients he or she treated of a new practice location. The dentist may not further use the contact information to solicit the patients or to otherwise use patient health information from that dental practice without first obtaining written authorization from the patient.
The obligation of a licensed dental professional to disclose possible domestic abuse, criminal activity and other legal violations involving patients to appropriate agencies is not hindered in any way by HIPAA or California law.
A legally designated representative or beneficiary of a deceased patient may inspect or obtain a copy of the patient’s record. The representative or beneficiary also may grant third-party access to the record. The dental office should request verification of the requestor’s status as a deceased patient’s representative or beneficiary. Under HIPAA, a health care provider has discretion to release minimum necessary information to a family member or individual who is involved in the patient’s care or with payment for care, unless doing so is inconsistent with any known prior preferences of the patient.
These groups may have limited access to protected health information. Details can be found in The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit.
The Dental Board of California has the authority to inspect or copy patient records. Representatives of the state Department of Health Care Services, the state attorney general’s office and the U.S. Department of Health and Human Services have the authority to inspect or copy records of patients whose care is provided through the Denti-Cal/Medi-Cal program. Neither HIPAA nor CMIA limit the agencies’ access to records.
California law requires health care providers to provide information upon a coroner’s request to help identify the deceased, locate next of kin or investigate deaths that may involve public health concerns, organ or tissue donation, child or elder abuse, suicide, poisoning, accident, sudden infant death, suspicious deaths, unknown deaths or criminal deaths.
Sometimes law enforcement will request that a health care provider make available protected health information. Although it is prudent to insist upon a subpoena, HIPAA does allow a dentist, without patient authorization, to release protected health information to law enforcement under the following circumstances:
Before providing the requested information, verify the identity and credentials of the individual receiving it.
If a dental office receives a subpoena for a patient’s record, circumstances will dictate the way to respond.
If law enforcement serves the subpoena, consult your attorney immediately. Provide the officers with access to the record while informing them that you are contacting your attorney. Do not try to impede law enforcement’s access to records.
In many cases, receipt of a subpoena likely arises out of a civil lawsuit. Upon receipt of a subpoena in these cases, evaluate whether you can comply with the demand for records. Consider these questions:
The 20 days is specified because time is allowed for the court to hear motions to suppress the subpoena. If the subpoena is valid and you are not a party to the lawsuit, produce the records as requested, sign the affidavit and submit a statement for costs incurred in responding to the subpoena.
Proof of service: The date of a valid proof of service must be at least 20 days if served in person (25 days if served by mail in California; 30 days if served in another state; 35 days if served in another country) before the date demanded for production of records and at least five days before the subpoena is served on the dentist or custodian of records.
If an attorney at law or his or her representative presents a written authorization signed by an adult patient or the patient’s legal representative, a parent or guardian of a minor or the heir or personal representative of a deceased patient, a dentist shall promptly make all of the patient’s records under their custody or control available for inspection and copying by the attorney or his or her representative. Copying of the records shall not be performed by the dental practice when the requesting attorney has employed a professional photocopier as his or her representative to obtain or review the records on his or her behalf.
If the records requested are maintained electronically and if the requesting party requests an electronic copy, the dental practice shall provide the records in the electronic form and format requested, if readily producible. If not readily producible, the records shall be provided in a form and format agreed upon by the practice and requesting party.
A dental practice must accept a signed and completed authorization form for the disclosure of health information if both of the following conditions are satisfied:
Per Evidence Code section 1158, you may seek reimbursement from the individual who provided the written authorization for copying costs (10 cents per page for standard size documents or actual costs for reproductions of oversized documents or X-ray film), clerical costs (maximum rate of $4 per quarter-hour), actual postal costs and retrieval costs. If a copying service is used, you may charge no more than $15 plus the cost of the service.
The IRS, in the course of conducting an audit or other official business, may require a dentist to provide access to protected health information. The IRS has a document, Notice CC-2004-034 “Effect of the Health Insurance Portability and Accountability Act of 1996 Privacy Regulations, 45 CFR parts 160 and 164, on the Service’s Information Gathering Activities.” If you receive a demand for protected health information from the IRS, share this IRS notice with your attorney and CPA who will help you determine the minimum necessary protected health information, if any, that can be provided to the agency.
HIPAA limits the use of protected health information for marketing activities on behalf of a covered entity or a third party. With some exceptions, the law also prohibits the sale of protected health information without individual authorization. California law prohibits solicitation of an individual’s health information for direct marketing purposes unless the solicitor informs the individual of the intended uses of the information and obtains the individual’s permission. Refer to the articles “Dental Practice Marketing and Advertising 101” and “HIPAA and California Health Information Privacy and Protection Laws Q&A.”
Patient health information may not be provided to a collection or credit agency without specific patient authorization. State law does not permit disclosure of patient health information without patient authorization for some healthcare operations that HIPAA does allow to occur without patient authorization. A collection agency may request a dental practice provide information on a patient’s treatment when the patient disputes the debt owed. A collection agency is required by law to respond to a debtor’s request for more information on a debt. If a dental practice uses a collection agency, the practice should, as part of the patient financial agreement, obtain a patient’s authorization to provide treatment information to collection and credit agencies. When providing information to a collection agency, the dental practice should be careful to provide only the minimum information needed to collect the debt.
State law defines the unauthorized access of patient health information as those uses not for the purpose of diagnosis or treatment, or as otherwise allowed by law. The allowed uses are included in California Civil Code Section 56.10. In summary, a patient’s information may be provided with certain limitations and without patient authorization only to:
A patient has the right to receive an accounting of disclosures of personal health information by healthcare providers who are HIPAA covered entities. It must be provided within 60 days of the request, although the patient may grant, upon request and given reason for delay, an extension of up to 30 days. No fee can be charged for the first disclosure accounting log in a 12-month period. If it is so stated in the dental office’s Notice of Privacy Practices, a reasonable fee can be charged for subsequent disclosure accounting logs requested for the same 12-month period. The subsequent disclosure accounting log can be provided after the fee is paid.
The contents of a disclosure accounting log should contain the following elements:
A patient’s right to an accounting may be suspended for one of two reasons – belief that the patient may be endangered (e.g., domestic violence situation) or upon request by law enforcement.
The HITECH Act expanded disclosure accounting rules to include HIPAA business associates. In addition, covered entities who maintain electronic health records (EHRs) are now required to provide an accounting of more types of disclosures than covered entities who do not use EHRs. However, the Department of Health and Human Services has not yet adopted regulations implementing this law so the specifics of the accounting log and the implementation date are unknown at this time.
Disclosure accounting logs, and the names and titles of individuals in the dental practice responsible for receiving and processing requests for disclosure accountings, must be retained for six years. For sample forms and more information on accounting of disclosures, refer to The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit. Your office policies and procedures should describe how you would manage patient requests for accounting of disclosures.
A health care provider is required to notify patients when an actual or suspected breach of personal health and/or financial information has occurred. For information, refer to “Data Breach Notification Requirements.”
State law does not define the period for which a dentist must maintain patient records after the patient discontinues treatment with the dentist. Records of unemancipated minors shall be kept at least one year after the minor has reached the age of 18, and in any case, not less than seven years. It is best for you to contact your professional liability carrier for its recommendation. Ideally, all dental records, active and inactive, should be maintained indefinitely. Records must be kept for seven years after a dental practice ceases operations.
Maintain all parts of the record, including radiographs and models. If onsite storage of the inactive patients’ charts is not an option, store records offsite in a secured location. Another option is to store records electronically. A patient who has not returned for treatment within the last 24-36 months is inactive. Separate files of inactive adult patients from files of inactive minor patients, as of last treatment date.
Records should be shredded or disposed of in a manner that makes personal information unreadable or indecipherable. Failing or neglecting to destroy patient records in a manner that preserves the confidentiality of personal information is a violation of state law. Persons injured because of a dentist’s abandonment of patient records may bring action in court against the licensee, or partnership or corporation if applicable.
If hiring a records disposal company, it is recommended to choose one that specializes in destroying records by burning or shredding. Radiographs should be separated from the paper files and, because of the silver content on the film, disposed through a silver recycler, hazardous waste vendor or household hazardous waste program that accepts small business hazardous waste. A log should be kept of which records are destroyed and when. The log will assist you in identifying which records have been destroyed and are available in the event they are requested later.
If you are selling or transferring your practice, be sure to address two things: (1) transfer responsibility and liability for proper storage and disposal of records to the new practice owner and (2) ensure your continued access to those records for an indefinite period for the purpose of responding to any litigation. The new owner may agree to have custody of the patient record (the alternative is that the former owner retains the records), but the new practice owner cannot use the information in the records until a patient has provided authorization. The custodian of the records is legally responsible for ensuring the contents are secure and, if the records are to be destroyed, ensuring the process renders the contents unreadable.