Skip to main content


Patient Rights Under HIPAA

June 26, 2019 5821

The federal Health Insurance Portability and Accountability Act (HIPAA) establishes patient rights with regard to their protected health information (PHI). Patients must be informed of these rights through the distribution of the covered entity’s Notice of Privacy Practices. This article reviews these patient rights and the actions a dental office that is a covered entity can or must take.

Request to Limit Uses and Disclosures of PHI

Although a patient has a right to request that a covered entity limit its use or disclosure of patient information, the covered entity is not required to comply with the request — with one major exception. For example, a patient may request a dental office withhold from the patient’s dental benefit plan information on the patient’s treatment. However, if the dental plan is paying for the treatment and the plan requires the patient information for payment, then the dental office is not obliged to honor the patient’s request. Another example of a request to limit PHI disclosure is when a patient requests information be withheld from a spouse or other family member who typically has knowledge of the patient’s care. A covered entity may consider the reasonableness of such requests and should utilize knowledge of

its legal obligations and professional judgment when determining whether to honor a patient’s request to limit the use or disclosure of information. If a covered entity agrees to a request for limitation, then the covered entity must ensure procedures are in place to prevent use or disclosure of the information.

There is one request a covered entity must honor, and it comes with conditions. A covered entity must comply with a patient’s request to restrict the disclosure of PHI to a health plan if the disclosure is for the purposes of carrying out payment or health care operations (and is not for carrying out treatment or is required by law); and if the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full. The U.S. Department of Health and Human Services (HHS) has acknowledged that a covered entity may release the information to a plan in situations where a check bounces or if the information is necessary for the covered entity to be paid for follow-up care, as long as reasonable effort is made to resolve payment issues with the patient. “Request to Restrict Disclosure of Patient Health Information to a Dental Benefit or Health Care Plan" is a sample form with instructions that can be found on this website.

Request for Alternate Method of Communication

A patient may request a dental office that is a covered entity use an alternative means or location for receiving communications with PHI. If the dental office is able to comply with the request, then it should do so. Compliance with the patient request may be conditioned upon an explanation of how payment for treatment will be handled.

Examples of such requests are:

  • That appointment reminders be sent in a closed envelope rather than a post card.
  • That bills be sent to a different address.
  • That no messages be left at patient’s place of employment.
  • That unencrypted email be used to send PHI to the patient (the dental office is obliged to notify the patient of the risks of unsecured email and to obtain patient’s acknowledgement of the risk and agreement to use unsecured email).

Access to Records

Both HIPAA and state law apply when providing a patient with access to his or her records. A dental office must comply with state requirements with regard to time allowed to comply with a patient’s request, which are more stringent than HIPAA — five working days to view the records and 15 days to provide a copy compared to 30 days allowed by HIPAA. A covered entity may charge the patient a fee based on costs incurred (labor, materials, postage) to provide the copy or summary and in no case more than 25 cents per page, or 50 cents per page for copies made from microfilm.

The covered entity must provide a patient with access to PHI in the form and format requested by the individual, if it is readily producible; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the patient. The covered entity also must comply with a patient’s request to provide PHI to another individual or entity. A covered entity may deny in limited circumstances a patient’s request to access records. For additional information, refer to Patient Request to Access Records (Records Release) Form and Q&As.

Disclosure Accounting

A patient has a right to know to whom a covered entity, or the covered entity’s business associate, has disclosed his or her PHI. The maximum disclosure accounting period is the six years immediately preceding the patient’s request for an accounting. A disclosure accounting should be provided within 60 days of receiving the patient’s request.

A “disclosure” for the purpose of providing an account of disclosures means the release, provision of, access to or divulging in any manner of PHI outside the dental office that are not for purposes of treatment, payment or health care operations. This may include permissible disclosures, such as:

  • To social service agencies for victims of abuse, neglect or domestic violence.
  • For health oversight activities, audits, inspections and reviews.
  • For judicial or government administrative proceedings.
  • For law enforcement purposes.
  • To avert a serious threat to health or safety.

This may also include impermissible disclosures, such as a misdirected fax or email, or giving a patient another patient’s information in error.

After providing an initial disclosure accounting to a patient, a covered entity may charge a patient a reasonable cost- based fee if he or she requests an additional accounting within a 12-month period.

Other Rights

  • Request to amend record —Dental office procedures to amend a patient’s record on the patient’s request must follow both state and HIPAA rules. Refer to “Patient Records: Requirements and Best Practices.” 
  • Response to a complaint —If a patient makes a complaint or inquiry regarding the covered entity’s privacy practices, the covered entity must respond. The complaint/inquiry and copy of the response must be retained for six years.
  • Authorize use of PHI for marketing purposes or sale of PHI —A patient has the right to authorize the use of his or her PHI in a dental practice’s marketing activities or in the sale of PHI. Both state and HIPAA rules apply. For more information, refer to “Dental Practice Marketing and Advertising 101.” 
  • No threats or intimidation —A patient may not be intimidated or threatened for exercising his or her rights under HIPAA.
  • Notice of Privacy Practices —The notice must be provided to a patient at the first encounter, and posted at the covered entity’s facility and on the web site if the covered entity has a website. The notice must contain certain elements. The covered entity must make a good faith effort to obtain a signed acknowledgement of receipt from each patient. For additional information, refer to “Sample Notice of Privacy Practices.”
Comments are only visible to subscribers.