Both federal and state laws protect protected health information (PHI) in part by establishing rules for its use and disclosure. This article reviews those rules. The HIPAA Privacy Rule defines and limits the situations in which a covered entity may use or disclose PHI. California law further limits the situations in which a covered entity may use or disclose PHI and effectively makes the HIPAA rules for the use and disclosure of PHI applicable to all health care providers, whether or not the provider is a covered entity.
Required Disclosures. The Privacy Rule requires a covered entity to provide PHI in specific instances: to an individual or their personal representative when the individual requests (1) access to their information (release of records) or (2) an accounting of disclosures, and to the U.S. Department of Health and Human Services when it is conducting an investigation, review, or enforcement action.
Permissible Disclosures. The Privacy Rule permits PHI to be used or disclosed without patient authorization for activities that fall under treatment, payment, or health care operations (TPO). The circumstances that constitute TPO are discussed further in this article. Use or disclosure of PHI without patient authorization for public benefit and interest activities, such as domestic violence reporting, disaster relief, research, or legal proceedings, may be done only under specific circumstances. For example, a “limited data set” is patient information that has been stripped of specified identifiers and, without patient authorization, may be used by or disclosed to a recipient who has entered into a data-use agreement with the source of the limited data set. Limited data sets are used in research and in public health surveillance.
Disclosures to Family and Friends. Using their professional judgment, a health care provider who has obtained informal consent from the patient may disclose information to a patient’s family or others, or allow the family to pick up prescriptions or make appointments. “Informal consent” is typically verbal, such as the patient's response to “May we speak to anyone at your home about your dental treatment?” Asking for informal consent allows a patient to object to the use or disclosure of information. The dental practice's Notice of Privacy Practices will include examples of when the practice will rely on informal consent.
Absent a court order, a parent generally has a right to access the health record of their minor child irrespective of whether the parent has custody or financial responsibility. A dental practice may refuse to disclose information to a parent if it determines that providing access may harm the patient. If a minor patient provides information to the dental practice with regard to their drug or alcohol abuse, pregnancy, sexual assault, infectious and communicable disease status, HIV/AIDS status, sexually transmitted disease, or mental health, the practice may not release this information to a parent without the minor patient's consent. A parent does not have a right to access the health record of an emancipated minor. An emancipated minor is an individual under age 18 who (a) is married or divorced, (b) is on active duty with the U.S. armed forces, or (c) has received a declaration of emancipation from the court. If a parent continues to pay for the care of an adult child, a consent form signed by the patient will authorize the dental practice to provide treatment information to the parent.
A legally designated representative or beneficiary of a deceased patient may inspect or obtain a copy of the patient's record. The representative or beneficiary also may grant third-party access to the record. The dental office should request verification of the requestor's status as a deceased patient's representative or beneficiary.
Refer to “Patient Request to Access Records (Records Release) Form and Q&As.”
Incidental Uses and Disclosures. Incidental uses and disclosures of information occur during a permitted use or disclosure and cannot be reasonably prevented. Incidental disclosures are allowable as long as a health care provider has implemented appropriate safeguards and applies the “minimum necessary” rule. For example, calling the patient's name in the waiting room is allowed as long as the purpose of the announcement is not disclosed. Having patients sign in, mailing postcard reminders, and leaving voicemail messages are examples of incidental disclosures that are allowed as long as the information disclosed is the minimum necessary to complete the purpose of the disclosure and appropriate safeguards are in place. The minimum necessary rule also must be applied to uses and disclosures of PHI within the facility of a health care provider.
When Patient Authorization Is Required. Written patient authorization is required for any use or disclosure that is not permitted without authorization or that is not required by HIPAA or state law. State law is more restrictive than federal law, and it applies to all health care providers. State law allows the use or disclosure of PHI with certain limitations and without patient authorization only to:
- Other health care providers for treatment of the patient.
- Third-party payers that collect payment for the patient's care.
- Certain entities for review in liability, arbitration, peer review, quality assurance, quality assessment or medical necessity cases.
- Appropriate accrediting and licensing entities in specific circumstances.
- County coroners and public health departments for official purposes.
- Appropriate entities for bona fide educational or research purposes.
- Courts upon court order, law enforcement with search warrants or other government entities with orders pursuant to their respective legal authority.
- Others as allowed or required by law.
It is prudent to obtain patient authorization to use or disclose PHI for purposes not listed above. In addition, HIPAA requires patient authorization for the following:
- Uses or disclosures that are not required or permitted by HIPAA.
- Use or disclosure of psychotherapy notes, with some exceptions.
- Marketing purposes, except for face-to-face communication and promotional gifts of nominal value.
- Sale of patient information, with exceptions described in §164.502(a)(5)(ii). The sale of patient records that are not part of a practice sale, merger, transfer, or consolidation requires patient authorization.
A valid authorization form must meet the requirements of the California Civil Code section 56.11 and HIPAA. The required elements of a valid authorization form are:
- Must be handwritten by the patient or in a typeface no smaller than 14 point.
- Must include a description of the information.
- Must include the intended use or purpose of the information.
- Must include a statement that authorization may be revoked at any time.
- Must include an expiration date for the authorization.
- May not be combined with any other form.
- May not combine multiple uses of the information into one authorization form, with few exceptions.
- May not place conditions on the authorization, with few exceptions.
If, however, the patient is not the one requesting the information or records, whether the dental office can provide it depends on whom the requestor is and why the request was made. If deciding that a requestor can have the information, the health care provider is then responsible for applying HIPAA's “minimum necessary” rule. “Minimum necessary” is a limited set of PHI that is adequate to accomplish the intended purpose of the request for use or disclosure.
A dental practice should be careful not to disclose any patient information on social media sites or online review platforms. Two dental practices to date have been penalized several thousand dollars for impermissibly disclosing patient information on online review platforms.
Refer to “Consent Form for Use or Disclosure of Patient Health Information,” “Sample Patient Testimonial Authorization Form” and “Sample Patient Photograph Authorization Form.”
Treatment, Payment, and Health Care Operations (TPO)
“Treatment” includes the provision or management of health care, consultation or coordination with other health care providers regarding care, and referrals of a patient to another provider.
Patients seen by an associate dentist are considered patients of the practice that employs the associate dentist unless an agreement between the practice and the associate states otherwise. An associate dentist has no right of access to patient information after leaving the practice. A dentist who is a former associate in a dental practice may notify patients they treated of their new practice location unless they are prohibited from doing so by an employment agreement. The dentist may not further use the contact information to solicit the patients or otherwise use PHI from that dental practice without first obtaining written authorization from the patient.
“Payment” activities are those that are necessary for a health care provider to be paid or reimbursed (or for a health plan to fulfill coverage responsibilities, provide benefits and obtain premiums). Such activities include, but are not limited to, determining benefit eligibility or coverage, billing, and utilization review.
If an individual other than the patient is responsible for paying the patient's bill, disclosure of patient information is allowed as long as the disclosures are limited to the minimum amount of information necessary to obtain payment. In making such disclosures, a health care provider also must honor any reasonable request for confidential communication and any agreed-to restrictions on the use or disclosure of the patient's protected health information. The dental office's Notice of Privacy Practices can state that if a patient designates another person as responsible for payment, the office will disclose the minimum amount of personal health information necessary to obtain payment from that person. If the patient objects to that disclosure, the office should inform the patient that they would have to choose between allowing the office to disclose information in order to obtain payment or paying for the services themselves. If a patient has paid the full cost of an item or service out of pocket and requests that the personal health information regarding the item or service not be disclosed to a health plan for purposes of payment or health care operations, the dental office must honor the patient's request.
In general, employers do not have the right to access their employees’ information except in workers' compensation cases or when necessary to carry out their responsibilities for workplace medical surveillance under Cal/OSHA or similar federal or state laws. Employers who self-insure may have limited access to patient information necessary to determine payment. Employer-sponsored dental benefit plans also have limited access to patient information necessary to determine payment and to conduct quality assessment audits.
“Health care operations” are certain limited administrative, legal, financial, and quality improvement activities necessary to support treatment and payment functions.
Examples include:
- Credentialing, certification, accreditation and licensing.
- Quality assessment/improvement.
- Peer review and professional liability.
- Business management, administration and planning.
In this category of activities, dental practices must be cautious about using and disclosing PHI. In many cases, a dental practice must get assurances that PHI will not be further disclosed by a recipient. Dentists also should know that health care operations do not include marketing or the sale of patient information. HIPAA limits the use of protected health information for marketing activities on behalf of a covered entity or a third party. With some exceptions, the law also prohibits the sale of protected health information without individual authorization. California law prohibits the solicitation of an individual's health information (including contact information) for direct marketing purposes unless the solicitor informs the individual of the intended uses of the information and obtains the individual's permission. Communication of news or other information that does not sell or market a service or product is not considered marketing communication unless the communication is subsidized by a third party. The rules for using PHI in dental practice marketing are described in the article “Dental Practice Marketing and Advertising 101.” California law further limits the use or disclosure of PHI in the two situations described below.
Sale or Transfer of a Practice. Although the HIPAA Privacy Rule allows the use and transfer of patient information to relevant parties that need that information for health care operations, including practice sales, state law does not include the same provision. In the transfer, sale, merger or consolidation of a dental practice, it is therefore prudent for the selling dentist to obtain written authorization from patients prior to allowing a potential buyer or partner to view charts; alternatively, the selling dentist can provide de-identified data that a potential buyer or partner needs for its assessment. The absent provision in state law also means that following the purchase of a dental practice, the new owner should stay on the safe side of the state's privacy laws and obtain written authorization from patients before using their records. If a patient makes an appointment to be seen by the new owner, this is viewed as an implied authorization for the dentist to view the record. Patient authorization must be separate from the acknowledgment of the office's Notice of Privacy Practices. The records release form can be mailed to patients together with the selling dentist's notification of transferring practice ownership. In the transfer, sale, merger, or consolidation of a dental practice, the new owner may agree to take custody of the patient records (the alternative is that the former owner retains the records). As the custodian of records, the owner is legally responsible for ensuring that the contents are secure and, if records are to be destroyed, ensuring that the contents are unreadable.
Collection Agencies. HIPAA allows disclosure of PHI to a debt collection agency with a proper business associate agreement in place to recover outstanding debts for treatment. However, California's Supreme Court has ruled that a health care provider may not send the entirety of a patient's records to a collection agency without the patient's authorization. A collection agency is required by law to respond to a debtor's request for more information on a debt, but if patient authorization for disclosure of PHI is not obtained, the dental practice may only release the minimum necessary information to collect payment. This includes the debt that was incurred for dental treatment, the patient's contact and identification information, the dates the patient was seen and billed, any payments that were received and the amount paid to date.
Uses or Disclosures for Public Benefit or Interest
HIPAA and state law permit the use or disclosure of PHI without a patient's authorization to third parties that benefit the public or perform in the public's interest, but only in specific circumstances. Other circumstances involving the same third parties may require a patient's authorization to use PHI. Below are the third parties and the circumstances under which patient authorization is or is not required to use or disclose PHI.
Court Orders and Administrative Orders. A dental practice must disclose PHI pursuant to a legally executed subpoena issued by a state or federal court, board, commission or administrative agency, for example, the Dental Board of California and Medi-Cal. Subpoenas and search warrants presented by law enforcement do not require patient authorization for the production of PHI. If presented with a civil suit subpoena, a dental practice may disclose the information if the subpoena is issued by a California or federal court and is accompanied by either the patient's authorization or documentation that the patient has been informed of the subpoena. A dental practice should contact legal counsel if questions arise about a subpoena. An administrative order issued by a state or federal board, commission, or agency is typically accompanied by a patient's authorization for the release of information.
Subpoenas. If a dental office receives a subpoena for a patient's record, circumstances will dictate the way to respond. If law enforcement serves the subpoena, consult your attorney immediately. Provide the officers with access to the record while informing them that you are contacting your attorney. Do not try to impede law enforcement's access to records.
In many cases, receipt of a subpoena likely arises out of a civil lawsuit. Upon receipt of a subpoena in these cases, evaluate whether you can comply with the demand for records. Consider these questions:
- Do you have the requested records? If not, provide a statement that you do not have the records.
- Is the issued subpoena part of a civil action in California? Out-of-state subpoenas are not enforceable in California, except for subpoenas issued in federal cases. Subpoenas issued as part of state administrative hearings or court proceedings have patient notification requirements. Consult with your attorney for more information.
- Are you a party to the lawsuit? If yes, contact your professional liability carrier.
- Is the subpoena valid? A subpoena is valid if:
  - It is personally served on you or someone authorized by you to receive a subpoena.
  - It is issued by the clerk of the court or the attorney handling the lawsuit.
  - It is addressed to you or someone qualified to certify the requested records.
  - It contains a date specified for production of records that is at least 20 days after the subpoena was issued, at least 15 days after it was served on you, and at least 20 days after notice of the subpoena was received.
  - It specifies each item or category of items to be produced.
  - It is accompanied by a valid “proof of service” or a patient's written authorization. Neither is required if the patient is subpoenaing their own records.
The 20-day period is specified because time is allowed for the court to hear motions to suppress the subpoena. If the subpoena is valid and you are not a party to the lawsuit, produce the records as requested, sign the affidavit, and submit a statement for costs incurred in responding to the subpoena.
Proof of service. The date of a valid proof of service must be at least 20 days if served in person (25 days if served by mail in California; 30 days if served in another state; 35 days if served in another country) before the date demanded for the production of records and at least five days before the subpoena is served on the dentist or custodian of records.
Requests From Attorneys for Records Pursuant to Evidence Code §1158. If an attorney at law or their representative presents a written authorization signed by an adult patient or the patient's legal representative, a parent or guardian of a minor or the heir or the personal representative of a deceased patient, a dentist shall promptly make all of the patient's records under their custody or control available for inspection and copying by the attorney or their representative. Copying of the records shall not be performed by the dental practice when the requesting attorney has employed a professional photocopier as their representative to obtain or review the records on their behalf.
If the records requested are maintained electronically and if the requesting party requests an electronic copy, the dental practice shall provide the records in the electronic form and format requested, if readily producible. If the electronic form and format are not readily producible, the dental practice and the requesting party should agree on an alternate form and format.
A dental practice must accept a signed and completed authorization form for the disclosure of health information if both of the following conditions are satisfied:
- The practice determines that the form is valid.
- The form is printed in a typeface no smaller than 14-point font and is substantially the form on the last page of this article.
Per Evidence Code section 1158, you may seek reimbursement from the individual who provided the written authorization for copying costs (10 cents per page for standard-sized documents or actual costs for reproductions of oversized documents or X-ray film), clerical costs (maximum rate of $4 per quarter-hour), actual postal costs and retrieval costs. If a copying service is used, you may charge no more than $15 plus the cost of the service.
Law Enforcement Without a Subpoena. Sometimes law enforcement will request a patient's information from a dental practice. Although it is prudent to insist upon a subpoena, HIPAA permits a dentist, without patient authorization, to release protected health information to law enforcement under the following circumstances:
- To report injuries resulting from criminal acts or deadly weapons.
- To respond to court orders, search warrants, court-issued subpoenas, or regulatory agency orders.
- To respond to requests for information to identify or locate suspects, fugitives, witnesses, or missing persons.
- To respond to requests for information about a crime victim.
- To alert law enforcement of a suspicious death.
- To provide evidence of criminal conduct.
Before providing the requested information, verify the identity and credentials of the individual receiving it.
Mandated Reporting. The obligation of a licensed dental professional to disclose possible domestic abuse, violence, neglect, criminal activity, and other legal violations involving patients to appropriate agencies is not hindered in any way by HIPAA or California law. Patient authorization is not necessary.
Coroner. California law requires and HIPAA permits health care providers to release information upon a coroner's request to help identify the deceased, locate next of kin or investigate deaths that may involve public health concerns, organ or tissue donation, child or elder abuse, suicide, poisoning, accident, sudden infant death, suspicious deaths, unknown deaths or criminal deaths. Authorization by the patient or a patient's representative is not required.
Social Services Agencies. If a minor patient is in the temporary custody of a social service agency or probation department or is a ward of the court, a dental practice may release to those entities PHI necessary for coordinating health care services and treatment for the patient.
Public Health Agencies. Incidences of communicable diseases, such as TB and measles, must be reported to a local public health agency. The report does not require patient authorization. Dental practices may provide, without patient authorization, patient information to local, state, and federal health agencies for the purpose of preventing or controlling disease, public health investigations, and public health surveillance. Dental practices also may report adverse events involving drugs or devices to the FDA MedWatch program.
Serious Threat to Health or Safety. A dentist may disclose minimum necessary PHI when they believe such disclosure will prevent a serious or imminent threat to a person or persons. Such disclosures may be made without patient authorization to an entity that can prevent or lessen the threat.
IRS. The IRS, in the course of conducting an audit or other official business, may require a dentist to provide access to protected health information. If you receive a demand for protected health information from the IRS, share IRS Notice CC-2004-034, “Effect of the Health Insurance Portability and Accountability Act of 1996 Privacy Regulations, 45 CFR parts 160 and 164, on the Service's Information Gathering Activities,” with your attorney and CPA. They will help you determine the minimum necessary protected health information, if any, that can be provided to the agency.
Research. Before allowing PHI to be used without patient authorization for research, a dental practice is obligated to ensure the researcher has provided the practice with certain assurances required by HIPAA. A dental practice also may use or disclose for research purposes and without patient authorization a limited data set of PHI. A limited data set does not include 16 specified identifiers.
Miscellaneous. PHI may be disclosed without patient authorization as authorized by workers' compensation laws and Cal/OSHA.
Patient's Right To Know About Disclosures
A patient has the right to receive an accounting of disclosures of personal health information by health care providers that are HIPAA-covered entities. The accounting must be provided within 60 days of the request, although the patient may grant, upon request and given a reason for the delay, an extension of up to 30 days. No fee can be charged for the first disclosure accounting log in a 12-month period. If so stated in the dental office's Notice of Privacy Practices, a reasonable fee can be charged for subsequent disclosure accounting logs requested within the same 12-month period. The subsequent disclosure accounting log can be provided after the fee is paid. Disclosures for treatment, payment, or health care operations and disclosures authorized by the patient are not required to be included in the accounting log.
The contents of a disclosure accounting log should contain the following elements:
- Disclosure date.
- Name and contact information of entity receiving information.
- Description of information disclosed.
- Purpose of disclosure or copy of the request.
- If there are multiple disclosures to the same entity of the same type of information, the frequency of disclosures during the accounting period and the date of the last disclosure.
A patient's right to an accounting may be suspended for one of two reasons: a belief that the patient may be endangered (e.g., a domestic violence situation) or a request by law enforcement.
The HITECH Act expanded disclosure accounting rules to include HIPAA business associates. In addition, covered entities that maintain electronic health records (EHRs) are now required to provide an accounting of more types of disclosures than covered entities that do not use EHRs. However, the U.S. Department of Health and Human Services has not yet adopted regulations implementing this law, so the specifics of the accounting log and the implementation date are unknown at this time.
Disclosure accounting logs with names and titles of individuals in the dental practice who are responsible for receiving and processing requests for disclosure accountings must be retained for six years. For more information on accounting of disclosures, refer to the website of the U.S. Department of Health and Human Services. Your office policies and procedures should describe how you would manage patient requests for an accounting of disclosures.