The federal Health Insurance Portability and Accountability Act (HIPAA) establishes patient rights with regard to their protected health information (PHI). Patients must be informed of these rights through the distribution of the covered entity’s Notice of Privacy Practices. This article reviews these patient rights and the actions a dental office that is a covered entity can or must take.
Although a patient has a right to request that a covered entity limit its use or disclosure of patient information, the covered entity is not required to comply with the request — with one major exception. For example, a patient may request a dental office withhold from the patient’s dental benefit plan information on the patient’s treatment. However, if the dental plan is paying for the treatment and the plan requires the patient information for payment, then the dental office is not obliged to honor the patient’s request. Another example of a request to limit PHI disclosure is when a patient requests information be withheld from a spouse or other family member who typically has knowledge of the patient’s care. A covered entity may consider the reasonableness of such requests and should utilize knowledge of its legal obligations and professional judgment when determining whether to honor a patient’s request to limit the use or disclosure of information. If a covered entity agrees to a request for limitation, then the covered entity must ensure procedures are in place to prevent use or disclosure of the information.
There is one request a covered entity must honor, and it comes with conditions. A covered entity must comply with a patient’s request to restrict the disclosure of PHI to a health plan if the disclosure is for the purposes of carrying out payment or health care operations (and is not for carrying out treatment or is required by law); and if the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full. The U.S. Department of Health and Human Services (HHS) has acknowledged that a covered entity may release the information to a plan in situations where a check bounces or if the information is necessary for the covered entity to be paid for follow-up care, as long as reasonable effort is made to resolve payment issues with the patient. “Request to Restrict Disclosure of Patient Health Information to a Dental Benefit or Health Care Plan” is a sample form with instructions that can be found on this website.
A patient may request a dental office that is a covered entity use an alternative means or location for receiving communications with PHI. If the dental office is able to comply with the request, then it should do so. Compliance with the patient request may be conditioned upon an explanation of how payment for treatment will be handled.
Examples of such requests are:
Both HIPAA and state law apply when providing a patient with access to his or her records. A dental office must comply with state requirements with regard to time allowed to comply with a patient’s request, which are more stringent than HIPAA — five working days to view the records and 15 days to provide a copy compared to 30 days allowed by HIPAA. A covered entity may charge the patient a fee based on costs incurred (labor, materials, postage) to provide the copy or summary and in no case more than 25 cents per page, or 50 cents per page for copies made from microfilm.
The covered entity must provide a patient with access to PHI in the form and format requested by the individual, if it is readily producible; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the patient. The covered entity also must comply with a patient’s request to provide PHI to another individual or entity. A covered entity may deny in limited circumstances a patient’s request to access records. For additional information, refer to Patient Request to Access Records (Records Release) Form and Q&As.
A patient has a right to know to whom a covered entity, or the covered entity’s business associate, has disclosed his or her PHI. The maximum disclosure accounting period is the six years immediately preceding the patient’s request for an accounting. A disclosure accounting should be provided within 60 days of receiving the patient’s request.
A “disclosure” for the purpose of providing an account of disclosures means the release, provision of, access to or divulging in any manner of PHI outside the dental office that is not for purposes of treatment, payment or health care operations. This may include permissible disclosures, such as:
This may also include impermissible disclosures, such as a misdirected fax or email, or giving a patient another patient’s information in error.
After providing an initial disclosure accounting to a patient, a covered entity may charge a patient a reasonable cost-based fee if he or she requests an additional accounting within a 12-month period.